Add a warning to the Ricochet description #474
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#474
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
https://github.com/ricochet-im/ricochet/issues/579
It's already dead.
It's not dead. As I answered to you in the issue you referenced and in https://github.com/ricochet-im/ricochet/issues/578, Ricochet is sicure and development is still going on. There are no reasons to remove it from "Encrypted Instant Messanger".
@ilovelinux Are you blind? You are not a ricochet developer anyway. Read.
Related website, prism-break.org, removed Ricochet. What about you?
https://github.com/nylira/prism-break/issues/1975
I don't think this should be removed as there's nothing to cause reason that it does not work. The security of this mostly uses Tor Hidden Services. Perhaps a warning about making sure that you're using the latest version of Tor and not the bundled binary would be helpful.
The program did undergo an audit in 2016.
It is inevitable that more complex clients such as the proprietary options are going to be able to support other features at the cost of security. It's probably the best choice for avoiding metadata collection at this point in time. Not everyone needs A/V, server side logs, multi-device etc.
Perhaps we could keep an eye on https://redmine.tails.boum.org/code/issues/8173
I second that we should add a notice regarding using a new version of Tor. I think the only publicly known vulns in the main ricochet client right now are just in the Tor version it uses.
👍 Can anyone create a PR adding what @beardog108 mentioned?
How does this look:
Looks good! The only change I'd make is:
[icon]See below
->See below: [icon] Updating the Tor binary included with Ricochet
.So:
[Danger]
Always keep Tor up to date. See below: [icon] Updating the Tor binary included with RicochetAnd maybe add a command to copy it on Linux and OS X? Hm, maybe a symlink would be better, because updating Tor browser would update the binary for Ricochet as well? And can't the tor binary location be changed in Ricochet's settings? It feels kinda hacky to copy the binary.
The symlink command would look like this:
Easy done.
It would be better to delete the Tor binary included with Ricochet as there's absolutely no reason to use an old vulnerable version of Tor. It would be better for Ricochet to not open than to risk it using a vulnerable version of Tor.
For MacOSX and Linux it should be sufficient to just "delete" the bundled Tor binary as long as Tor is in the
$PATH
. Ricochet then will fallback to the binary in the$PATH
.I would do this by using the
rm
command and usingsed
to append the path from the Tor Browser's Tor binary to the user's profile$PATH
. From the README included in the Linux release:There doesn't seem to be a way within the configuration file or within the user interface to change the location of where the Tor binary is located. On Windows it seems that it's hard coded. I think copying it will be the only solution for Windows without making changes to the Ricochet source.
See: https://github.com/ricochet-im/ricochet/blob/master/src/tor/TorManager.cpp#L274
Does this seem like an acceptable solution to you?
Great. Since it has a fallback to PATH, there's no need to create symlinks.
Though whichit should be noted that updating Tor Browser won't update the other tor (likely).tor
is part of PATH? The one from the browser? The one installed usingapt(-get)
for example? If the latter thenOn my OS, there's:
a)
/home/ubuntu/tor-browser_en-US/Browser/TorBrowser/Tor/tor
b)
/usr/sbin/tor
->/usr/bin/tor
For me,
tor
is the one in sbin.Maybe
mv foo foo.old
is better since if the following commands don't work / break something, there will still be a recoverable (though potentially insecure) backup without having to reinstall Ricochet.When referring to using
rm
on the Linux platform I meant to deletericochet/tor
assuming they installed it fromricochet-1.1.4-linux-x86_64.tar.bz2
.If you installed Ricochet through apt-get you're going to find that it doesn't include Tor and will depend on it instead. The maintainer will keep that up to date.
Unless 'a' i in your path it's never going to be found. 'b' would be used. As
/usr/bin
and/usr/sbin
are in your path whatever is first in your$PATH
would get used. You'd have to put~/tor-browser_en-US/Browser/TorBrowser/Tor/tor
first.I suppose it would just be safer to make a symlink ie
ln -s ~/tor-browser_en-US/Browser/TorBrowser/Tor/tor ~/ricochet/tor
then we don't have to worry about if they've installed Tor through apt-get.It's fairly safe to assume on MacOSX that the Tor binary will be in
Applications
assuming the user dragged the .app into their/Applications
directory ie./Applications/Ricochet.app/Contents/MacOS/tor
/Applications/Tor Browser.app/Contents/Resources/TorBrowser/Tor/tor
I meant to keep a copy of the tor version that ricochet uses. Just a small detail, not important.
better removing ricochet is outdated as hell and there are many bugs inside it and Tor new versions not supported by it. Wonder why the hell its still hanging there.
It still works, does it not? It also has been audited by NCC.
Such as? All software has bugs, this is not sufficient reason to remove it. If we did that we would have nothing left. Unless they are directly related to security and are not fixed, as in do X de-anonymise user Y. Considering anonymity is one of Ricochet's selling points vs other messengers.
My understanding was it still worked with Hidden Services v2 does it not? Documentation was being improved to instruct how to replace the binary with a newer version.
Is there something better that uses HiddenServices? On a side note, I am curious about https://cwtch.im however it is still firmly experimental at the moment.
working with dying soul. i dunno what kind of a joke of audition is this.
yeah but bugs in this case wont fix inside ricochet stuff from 2011 ... example im facing chat deletion,contact removal issue, tor not updated and 2.x has alot of horrible hidden services issues... no way to be considered reliable. Good replacement is Tox Chat.
yes hidden services v2 still working with Tor 3.x, but the issue when you are using Tor 2.x and using onion v2 = thats fucked.
nope. and cwtch im sure wont be much.
You're welcome to check out the code and make some of the improvements you desire. I'm sure your PRs will be appreciated. Also Ricochet Security Assessment February 15, 2016 – Version 1.2.
The bug poster hasn't provided enough information, see my reply https://github.com/ricochet-im/ricochet/issues/593#issuecomment-457061221.
Maybe you could do that instead of running around purporting to be a Whonix developer when you're not and have made no commits to the project.
You could pay for a bug bounty. That would certainly encourage someone to move a bit faster in completing https://github.com/ricochet-im/ricochet/issues/575
Considering the authors of Tox clearly state it is experimental it cannot in good faith be recommended anything more than as experimental at this point. In particular:
What it sets out to do is significantly more complex than Ricochet which mostly leaves the heavy lifting crypto to Tor. I doubt an audit will occur before the documentation (TokTok) is completed. Audits cost a lot of money and are usually done in the final stage of development after protocol design has been stabilized and frozen.
Additionally as I commented in https://github.com/privacytoolsIO/privacytools.io/issues/736#issuecomment-456901644 it has already been added to the website. Looking at your history it seems you have a problem with using the search function (many of your opened issues have been closed as DUPLICATE).
Are you a fortune teller?
not reliable. since the project havent been active since more than 3 years, plus the one who involved there is the same maintainer of Ricochet itself who left it and run away.. (are you kidding me..) .
Anyone whos running ricochet know how sucks its performance and stability (unless the user too blind to see that) , no need logs to prove it. and im just a user of whonix not a developer.
I wont pay a dollar for a dead project which there are no known maintainers to it anymore.
Well maybe you missed that as well in Ricochet main page:
So your argument of experimental or not has no value.
And many others wont fix , and many others still open ... so you are not making any sense at all.
Yes
Well unless you can point to some new 0days out there, I think the report from NCC is still valid enough. As far as I am aware the only vulnerabilities relate to the old Tor binary distributed (which can be replaced) and not Ricochet itself.
That issue you cited had nothing to do with performance. It was a null pointer exception.
You didn't make any effort to correct people when they assumed you were. Using the name "whonix_anonymous_os" , "Whonix" and their project logo would give off that vibe. When you then suggest things like collaboration, people would assume you had something to do with the project as that would be something for the actual project members to decide. 1, 2, 3, 4
Why don't you become it's maintainer? If there was a bug bounty I'm sure someone would make some improvements. The code isn't all that mystical, it just needs someone's time.
That being said it looks like cwtch.im is getting quite a few commits so this might very well be a healthy fork with some new features. I hope it works out well for them.
Yes but it's far less drastic than what Tox proposes (own crypto) vs using HiddenServices. I wish them good fortune as well and have used qTox a number of times for video conferencing.
And if you'd actually used the search option you'd see that Tox is already on the privacytools.io website like I told you in https://github.com/privacytoolsIO/privacytools.io/issues/736#issuecomment-456901644
Anyway I've wasted enough time on you.
Clearly as there's been a lack of understanding here, I suggest https://github.com/privacytoolsIO/privacytools.io/issues/746
I tried to look into Ricochet for a moment and I think I agree with adding a warning or even removing it entirely.
Other issues getting my attention that may be interesting, but irrelevant to this issue:
I agree on removing it @Shifterovich.
I'm too busy rn to look into it enough but there's so many good IM tools that removing the less-than-ideal ones does more good than harm. Feel free @Vincevrp
Yes these are the major issues here, now particularly if HSv3 is default. I can see a time sometime in the future where HSv2 may be deprecated entirely from newer Tor releases. I think at this point it's only a matter of when.
Removing it would also solve https://github.com/privacytoolsIO/privacytools.io/pull/618 meaning that would no longer be needed.
It does seem there's not going to be any new development. If you look at this ticket https://github.com/ricochet-im/ricochet/issues/574 @s-rah seems to be busy developing cwtch which is the next iteration of Ricochet.
Which kind of links to the last point.
A lot of things aren't reproducible unfortunately.
This one would require a complete redesign, as it would no longer be peer-to-peer you'd need some sort of decentralized net or server infrastructure to store messages. It may very well be that cwtch.im is able to succeed here. Too early to be added however. Work does seem to be occurring though https://git.openprivacy.ca/cwtch.im/cwtch/commits/master
On a side note Ricochet is still included in Debian https://packages.debian.org/sid/ricochet-im but that's only because nobody has investigated it enough to find an exploit, get a CVE and then have it's unmaintained nature brought into the spotlight.
It does appear that it's not going to be added to Tails any time soon https://redmine.tails.boum.org/code/issues/8173
This one is kind of lol, what's the point of an anonymous messenger over Tor if your voice can be identified.
I see the argument for removing it and agree with most points, however it is sad to see it unmaintained and removed since it is currently one of the only decent (in design) Tor-default, p2p chat applications.
I say we put it in worth mentioning with the warning to update the tor binary. However i think i'm a little outnumbered, so i'll just remove it if no one else makes a pr soon.
I do like the way that Ricochet works. Nothing really quite comes close to it in regard to metadata resistance.
I think it's a less of a case of it being unmaintained, and more of a case of the current maintainers are active on the successor project, cwtch which aims to "fix" some of the issues with Ricochet (which was basically TorChat with a nicer UI). One of those things being updating the Tor binary, multi device support and offline messaging. Unfortunately it is still very 'alpha' at this state. Using something that is that experimental may very well be detrimental.
I do think we need to reorganize the instant messenger section. How we do that is a topic of discussion. https://github.com/privacytoolsIO/privacytools.io/issues/746 https://github.com/privacytoolsIO/privacytools.io/issues/729 because all things simply are not equal.
I really suggest all of you to read THIS POST regarding Ricochet by @s-rah.
➡️ Cwtch.
and hosted at:
This is the most relevant part IMO. Good reason to keep/put it in worth mentioning
Is having up-to-date Tor enough if the software itself doesn't support hidden service version 3? Has anyone tested that it still works with Tor versions that default to HSv3 (or it uses HSv2 explicitly and isn't affected by the default changing)?
If the answer is yes to both, then I think it would be OK to keep as worth mentioning on Debian, but will most of Windows users start updating the Tor binary? (More relevant question might be whether they would install Ricochet at all though.)
I opened an issue to ask if Ricochet should instead be replaced by Cwtch (https://github.com/privacytoolsIO/privacytools.io/issues/781).
Ah yes, that more a less repeats what was said in https://github.com/ricochet-im/ricochet/issues/574#issuecomment-385548780 that I linked in my comment https://github.com/privacytoolsIO/privacytools.io/issues/474#issuecomment-471776595
I decided to test this between two hosts. Host 1 from the Debian repositories and Host 2 a Windows machine. Here's what I started with:
Everything seemed to work. However Host 2 is vulnerable as it is using the shipped copy of Tor. Note to see the version number one needs to add
Log notice file C:\Users\user\Desktop\tor.log
to your torrc to enable logging.Now updating the Windows version using the binaries from
torbrowser-install-win64-8.0.6_en-US.exe
Things were not so great. The first error I got was
So I copied the binaries
zlib1.dll
,libevent-2-1-6.dll
,libevent_core-2-1-6.dll
,libevent_extra-2-1-6.dll
also into Ricochet directory ieC:\Users\user\AppData\Local\Ricochet
.Unfortunately then I got:
So it seems its not as simple as it was back then https://github.com/privacytoolsIO/privacytools.io/pull/618 to just update
tor.exe
.Well I guess that depends on whether we can solve the above issue.
as ricochet has been demoted to worth mentioning and now also has several warnings, i think it is right to close this issue
See below.
No, it is not enough, because Ricochet uses
RSA1024
[1] instead ofED25519-V3
[2] asKeyType
.[1] https://github.com/ricochet-im/ricochet/blob/master/src/tor/AddOnionCommand.cpp#L56
[2] https://github.com/torproject/torspec/blob/master/control-spec.txt#L1608