🆕 Software Suggestion | Replace Ricochet with Cwtch? #781

Closed
opened 2019-03-16 11:51:43 +00:00 by Mikaela · 8 comments
Mikaela commented 2019-03-16 11:51:43 +00:00 (Migrated from github.com)

Basic Information

Name: Cwtch
Category: Encrypted Instant Messenger
URL: https://cwtch.im/ (source: https://git.openprivacy.ca/cwtch.im/cwtch)

Description

I get the impression that it's the continuation of Ricochet, of which there is a lot of discussion in the closed pull request to remove it, https://github.com/privacytoolsIO/privacytools.io/pull/476, and especially in the open issue to add a warning about updating the Tor binary shipped with it, https://github.com/privacytoolsIO/privacytools.io/issues/474.

blacklight447 commented 2019-04-30 12:00:06 +00:00 (Migrated from github.com)

Interesting, tried it out but it still seems in early alpha and not ready for practical use yet. What about Briar? Maybe that's a replacement.

Mikaela commented 2019-04-30 12:04:03 +00:00 (Migrated from github.com)

I think Briar is an Android app and currently has no way to add contacts who aren't physically in the same space, while Ricochet and Cwtch are desktop apps, so it wouldn't work as a replacement in my opinion.

blacklight447 commented 2019-04-30 12:20:26 +00:00 (Migrated from github.com)

@Mikaela There is already a headless client in the works, btw. But they are currently focused on the remote contacts feature, which I predict should be ready somewhere this year. After that, Briar will become a very interesting project to follow, as it will provide e2e encryption, will be peer to peer, so have no server to seize, and will hide almost all metadata because everything hides inside the Tor network (so exit nodes are not a problem either).

blacklight447 commented 2019-06-19 14:29:49 +00:00 (Migrated from github.com)

Update: Briar remote contacts are now in alpha and expected to release at the end of next month.

odiferousmint commented 2019-09-30 14:08:03 +00:00 (Migrated from github.com)

Cwtch is commonly associated with Ricochet, but I think it would be worth noting that their primary focus *seems* to be group chat and whatnot. I am not entirely sure that they are NOT willing to sacrifice security for these features. Additionally, it is written in Go, which uses a garbage collector, and they do not seem to be using a Go library named `memguard`[1] to protect against accidental memory leaks, among other issues. Perhaps one of their developers will read this message and consider using `memguard` extensively in Cwtch, but even then, the developers of Go's cryptographic library have no intention of doing that anytime soon[4]. In fact, they are copying/passing sensitive data all over the place like there is no tomorrow. For anyone interested in the security details of all this, do grab `Cryptography Engineering: Design Principles and Practical Applications` by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno[5], and read chapter 8, `Implementation Issues (I)`.

As far as Ricochet is concerned, at a quick glance, one of the security issues is the use of `RSA1024`[2] instead of `ED25519-V3`[3].

[1] https://github.com/awnumar/memguard
[2] https://github.com/ricochet-im/ricochet/blob/master/src/tor/AddOnionCommand.cpp#L56
[3] https://github.com/torproject/torspec/blob/master/control-spec.txt#L1608
[4] https://github.com/golang/go/issues/25355#issuecomment-527294919
[5] https://www.schneier.com/books/cryptography_engineering/
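To make the RSA1024 vs. ED25519-V3 point concrete, here is an added Go example (not code from Cwtch, Ricochet or this thread) that builds the Tor control-port `ADD_ONION` command, parses Tor's reply, and checks that the resulting service is a v3 (ED25519-V3) onion rather than a legacy v2 (RSA1024) one. The reply format (`250-ServiceID=`, `250-PrivateKey=KEYTYPE:BLOB`, `250 OK`) follows the control-spec linked above; the sample replies and key blobs below are constructed placeholders, not output captured from a real Tor instance. The 56-character length check relies on v3 addresses being 56 base32 characters (v2 addresses are 16).

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Key types accepted by Tor's ADD_ONION command (torspec control-spec).
// RSA1024 creates a legacy v2 service; ED25519-V3 creates a v3 service.
const (
	KeyRSA1024   = "RSA1024"
	KeyED25519V3 = "ED25519-V3"
)

// BuildAddOnion assembles the control-port line asking Tor to generate a
// fresh key and forward virtPort to a local target. It refuses RSA1024,
// which is what the Ricochet source linked above requests.
func BuildAddOnion(keyType string, virtPort, targetPort int) (string, error) {
	switch keyType {
	case KeyED25519V3:
		return fmt.Sprintf("ADD_ONION NEW:%s Port=%d,127.0.0.1:%d", keyType, virtPort, targetPort), nil
	case KeyRSA1024:
		return "", errors.New("refusing to create a v2 (RSA1024) onion service; request ED25519-V3 instead")
	default:
		return "", fmt.Errorf("unsupported onion key type %q", keyType)
	}
}

// AddOnionReply holds the fields Tor returns on success.
type AddOnionReply struct {
	ServiceID  string // onion address without the ".onion" suffix
	PrivateKey string // "KEYTYPE:BLOB" exactly as Tor returned it
}

// ParseAddOnionReply parses the multi-line "250-Key=Value ... 250 OK" reply.
// A 5xx status line is reported as an error from Tor.
func ParseAddOnionReply(raw string) (AddOnionReply, error) {
	var r AddOnionReply
	sc := bufio.NewScanner(strings.NewReader(raw))
	done := false
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		switch {
		case line == "250 OK":
			done = true
		case strings.HasPrefix(line, "250-"):
			kv := strings.SplitN(strings.TrimPrefix(line, "250-"), "=", 2)
			if len(kv) != 2 {
				return r, fmt.Errorf("malformed reply line %q", line)
			}
			switch kv[0] {
			case "ServiceID":
				r.ServiceID = kv[1]
			case "PrivateKey":
				r.PrivateKey = kv[1]
			}
		case strings.HasPrefix(line, "5"):
			return r, fmt.Errorf("tor rejected ADD_ONION: %s", line)
		default:
			return r, fmt.Errorf("unexpected reply line %q", line)
		}
	}
	if !done || r.ServiceID == "" {
		return r, errors.New("incomplete ADD_ONION reply")
	}
	return r, nil
}

// IsV3Service reports whether the reply describes a v3 onion service: the
// returned key type must be ED25519-V3 and the address 56 base32 characters.
func IsV3Service(r AddOnionReply) bool {
	return strings.HasPrefix(r.PrivateKey, KeyED25519V3+":") && len(r.ServiceID) == 56
}

// Constructed sample replies (placeholder key blobs, not real key material).
var (
	SampleV3Reply = "250-ServiceID=" + strings.Repeat("abcdefgh", 7) + "\r\n" +
		"250-PrivateKey=ED25519-V3:PLACEHOLDER_KEY_BLOB\r\n" +
		"250 OK\r\n"
	SampleV2Reply = "250-ServiceID=abcdefghijklmnop\r\n" +
		"250-PrivateKey=RSA1024:PLACEHOLDER_KEY_BLOB\r\n" +
		"250 OK\r\n"
)

func main() {
	cmd, err := BuildAddOnion(KeyED25519V3, 9878, 9878)
	fmt.Println(cmd, err)
	for _, raw := range []string{SampleV3Reply, SampleV2Reply} {
		r, err := ParseAddOnionReply(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%s.onion  v3=%v\n", r.ServiceID, IsV3Service(r))
	}
}
```

A client that keeps the `PrivateKey` blob for later `ADD_ONION ED25519-V3:<blob>` reuse is holding long-term identity material, which is exactly the kind of data the memory-handling concerns above apply to.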

Mikaela commented 2019-10-01 15:44:20 +00:00 (Migrated from github.com)

I am currently somewhat low energy and cannot go into your comment in great detail, but do you think Cwtch would be worth considering as a worth mentioning team chat application?

odiferousmint commented 2019-10-01 16:02:34 +00:00 (Migrated from github.com)

> I am currently somewhat low energy and cannot go into your comment in great detail, but do you think Cwtch would be worth considering as a worth mentioning team chat application?

Yes, definitely! The mentioned "shortcomings" can be fixed, and I personally like their threat model. I would like to clarify that my suspicion regarding sacrificing security for group chat and whatnot is unfounded. It might not be the case at all. All I am saying is that people should exercise caution. They did note on their website that it is still an experimental prototype and that it should not be used where security, privacy, or anonymity is critical. In any case, I believe people should know about Cwtch's existence; I would like to see more developers working on it. It absolutely has great potential!

What I disagree with is referring to Cwtch as a replacement of Ricochet. Ricochet is still a good choice today, and unlike Cwtch, it has been audited[1]. Moreover, according to Secushare, it is "probably the best choice at this given moment in time as it protects metadata and is very easy to install"[2] for desktops.

[1] https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf
[2] https://secushare.org/comparison

blacklight447 commented 2019-10-01 19:17:28 +00:00 (Migrated from github.com)

Cwtch is still really alpha software though.

Reference: privacyguides/privacytools.io#781