
Tor Instant Messaging Bundle - nsomaru
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorO/TIMB
======
zacwest
Thousands of dollars and hundreds of hours[1] have gone into security audits
and improvements of Pidgin[2], and they are not one-time things; this Google
donation has recurred.

It makes little sense to me to pick up and move to another platform and
product because it's written in JavaScript. The remaining bullet points in
this wiki page appear to be fixable with a lot less directed effort than
adopting and drastically changing an unpopular application.

[1] [https://blog.wasilczyk.pl/en/2013/google-donates-pidgin-to-improve-its-security/](https://blog.wasilczyk.pl/en/2013/google-donates-pidgin-to-improve-its-security/)
[2] [http://pidgin.im/news/security/](http://pidgin.im/news/security/)

~~~
synchronise
Were these auditing Pidgin specifically or libpurple as well?

~~~
zacwest
Pidgin specifically but they encompassed libpurple as well. They are sort of
the same codebase from Pidgin's perspective. Sort of.

------
yownie
I'd ask everyone to go back and give Jitsi another try. Recently they've
implemented all three OTR authentication methods. I've switched away from
Pidgin to Jitsi for the past week now and noticed no major problems. Yes, it
uses Java, but finally we have a recommendable Skype alternative that is truly
cross-platform. I even played with the (alpha) Android port on a tablet and it
handled ZRTP VoIP/video fine. Let's stop fragmenting every great idea into 12
competing ideologies and develop at least one tool we could point the
layperson concerned about privacy at.

------
higherpurpose
If Mozilla would fulfill my request about building/funding a TextSecure client
for their browser, Tor could also just take that into their browser and
wouldn't need to build another one with their own money, which I think is
already pretty short:

[https://news.ycombinator.com/item?id=7318888](https://news.ycombinator.com/item?id=7318888)

~~~
natdempk
This would be preferable to me and many other users. I can see the need for
both projects. If you're going to go out of your way to communicate securely
then TextSecure seems like the way to go, but if you just want to add general
security and anonymity to your existing network maybe Tor IM is what you want.

------
rjzzleep
For anyone clicking around like me searching for the code, and more
description on the bird name (assuming it's some Mozilla thing), it is [1] (and
the repo [2]).

I was assuming this would be some sort of XULRunner app (for some reason a
non-native chat client strikes me as odd, but meh). It's actually an
old SeaMonkey "fork" from what I gather, but I'm not sure if that's still the
case.

Can someone comment on why a browser is more desirable? I'm guessing it's
because of random bugs appearing where DNS or other things may be leaked, and
cross-platform support. [3]

I'm starting to think that the "right" (there, I said it) way to deal with all
this is if we follow the PORTAL approach [4] (someone had a Debian version,
feel free to post the link), but instead of running PORTAL on a separate
device it'll be a container in a container (or light VM). That way the outer
container (VM) is the sandbox (PORTAL), then you can run whatever app you want.
And yes, I realize what I propose is a major pain in the ass to set up, and
won't work in Windows that well, but meh, I don't see why we couldn't make it
easier. The main issue in my opinion would really be the privileges it might
need.

[1]: [https://wiki.instantbird.org/Instantbird:related_links#Things_for_developers](https://wiki.instantbird.org/Instantbird:related_links#Things_for_developers)

[2]: [https://hg.instantbird.org/](https://hg.instantbird.org/)

[3]: [https://trac.torproject.org/projects/tor/ticket/1676](https://trac.torproject.org/projects/tor/ticket/1676)

[4]: [https://github.com/grugq/PORTALofPi](https://github.com/grugq/PORTALofPi)

~~~
grugq
There's a good reason the PORTAL is a separate hardware device: security [1].
There is also a reason it isn't on Debian -- huge attack surface as there
[were?] are no minimal Debian images. If you want something similar, the
transparent Tor proxy, then possibly OnionPi [2] is for you.

The setup that you describe is actually implemented in Whonix [3], and
personally I don't like it that much. I don't believe that VMs are very
secure. I prefer the TAILS [4] system for a hardened Linux as a baseline, but
it doesn't even use a VM to segregate the Tor daemon from the main OS. A
superior hardened system (from a security POV) is Liberte Linux [5]; however,
development is stalled and it is more complex to set up and use than TAILS.
(Worth noting that TAILS is sponsored and has development resources,
everything else is just a side project for various people).

If you want to set up a PORTAL that runs in a VM, it is really simple to do.
QEMU will run the OpenWRT-based PORTAL image, although someone would have to
figure out how to configure the network settings appropriately. You'll
probably want to use a VM for the "workstation" environment, as well as a VM
for the Tor daemon. This will give you maximum control over the networking
(this is what Whonix does).

At any rate, I suspect that Jitsi is a better client than Pidgin, but it gets
no love (and unfortunately, it is Java). Pidgin is basically technical debt
which can never be repaid. Parsing network protocols in ad hoc parsers written
in C is just not rational in this day and age. A client should use a managed
language to minimise memory corruption bugs. I don't think using XULRunner is
a good idea either, given how terrible Firefox is at security.

Ideally, there would be work put into making Pond [6] a viable instant message
application.

I'd also be happy if the OTR spec was updated to bring it in line with the new
TextSecure v2 protocol.

[1]: [http://grugq.github.io/blog/2013/10/05/thru-a-portal-darkly/](http://grugq.github.io/blog/2013/10/05/thru-a-portal-darkly/)

[2]: [http://learn.adafruit.com/onion-pi/overview](http://learn.adafruit.com/onion-pi/overview)

[3]: [https://www.whonix.org/wiki/Main_Page](https://www.whonix.org/wiki/Main_Page)

[4]: [https://tails.boum.org/](https://tails.boum.org/)

[5]: [http://dee.su/liberte](http://dee.su/liberte)

[6]: [https://pond.imperialviolet.org/](https://pond.imperialviolet.org/)

~~~
autodidakto
I got a few comments since I love your blogs and opinion. I work on Whonix and
am excited that you're commenting on it.

A minimum Debian is grml [1], 150-350MB, which Whonix uses as a base.

But by the time we're done adding packages and KDE, it's not minimal anymore.
We use a popular GNU/Linux distro (instead of, say, hardened gentoo) because
1) Lots of eyes on a bigger project is more secure than few eyes on a smaller
project, and 2) Bad or missing usability/UX hurts security: these systems are
used by journalists and dissidents, not the Unix and computer security
trained. The trick is making a system that moderately educated users can get
work done on, without letting them shoot themselves in the foot.

VMs have their problems, but VirtualBox inside an average Windows install is
harder to exploit than an average Windows install alone. Whonix can also run
on dedicated hardware or inside a dedicated/minimal/portable host OS. Running
inside QubesOS, the Xen-based (everything is isolated) security focused
desktop OS, is a mid-term goal.

Additionally, as resources (that is, volunteers) grow, builds of Whonix based
on other distros/desktops/hardware will appear. To see you post on our forum
[2] or github issues [3], lending your experience with PORTAL, would be a
dream! Let's talk stream isolation. Or just voice your concerns and we'll try
to defend our choices.

---

Ditto on Pond, which is weird since Appelbaum is behind it, but apparently
they don't want to start from scratch (Pond was just a README last time I
checked).

I have big hopes for TIMB, BitMessage, and the new (cross-platform) TextSecure.
Hopefully RedPhone will receive the same treatment as TextSecure. The lead
Whonix developer and I tried to set up a cross-platform secure voice chat over
Jitsi... an hour later we gave up.

Icebird + TorBirdy is just barely becoming a reality. A GPG-capable email
client that doesn't give away your time zone is big news in this world. Don't
get me started on losing all your bookmarks when you update the Tor Browser
Bundle! We've got a long way to go.

[1]: [https://grml.org/](https://grml.org/)

[2]: [https://www.whonix.org/forum/index.php?board=5.0](https://www.whonix.org/forum/index.php?board=5.0)

[3]: [https://github.com/Whonix/Whonix/issues](https://github.com/Whonix/Whonix/issues)

~~~
grugq
I should have been more clear, I mean a minimal Debian install for
Raspberry Pi. I don't want to create a full debootstrap image and make that
available (it comes to almost 512MB after adding all the software, WTF!). I am
familiar with grml.

A hardened Gentoo is a more solid platform because of the reliability of GRsec
+ PaX for exploit mitigation. Unfortunately, configuring GRsec to work
generically for a large number of use cases would be time consuming. I would
still like to see it though.

There is an option on how to do it properly, but so far I don't believe that
anyone is working on making it available publicly. I know it has been done in
private at least twice but neither implementation is likely to become public.
I would very much like it to be public. :(

If you are interested, it is a viable business, but I personally don't have
the time to put into it.

I really don't like VirtualBox. I think Xen, KVM, VMware are all superior
options.

I have never been able to get Qubes to install on any of my computers. It just
fails. I guess I have the wrong hardware. I think it is sort of the correct
approach, but there is a much better way. Email me if you want to devote some
time to "doing it right". Would be in line with Whonix/Qubes, but different.
:)

------
matznerd
I would welcome this, as I have struggled to find a secure chat. In the
meantime I've been using bitmessage, but it takes 3-5 minutes for a message to
be processed (similar protocol to bitcoin).
[https://bitmessage.org/bitmessage.pdf](https://bitmessage.org/bitmessage.pdf)

~~~
euank
Consider trying Tox, [http://tox.im/](http://tox.im/) ... It's open source and
actively in development, but already at a usable stage. It's meant to be akin
to skype, but open and secure.

~~~
matznerd
Thank you, I will check it out.

------
MzHN
Does anyone have an idea on why Pidgin was dropped?

Apparently the decision was made at a meeting last month[1], but I can't find
much discussion on it, even on the mailing lists.

[1]: [https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting/notes/DRLRelaunch](https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting/notes/DRLRelaunch)

~~~
xnyhps
The assumption that JS is more secure than C.

~~~
pjmlp
Given that it doesn't allow for pointers pointing into places they should not,
null terminated strings without terminator, arrays that decay into pointers,
double free(), buffer overflows, stack corruption, ...

I would say, yes it is more secure.
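
Added example, not code from this thread, from Pidgin or libpurple, or from any project named here: a toy wire format (one length byte followed by that many bytes of nickname, constructed for this example) parsed first the ad hoc way grugq's comment above warns about, with the length byte trusted straight off the network, and then with the checks a hardened C parser needs against the bug classes pjmlp lists (over-read, overflow, missing terminator). The `NICK_MAX` field size, the `struct nick` type and the `demo_*` helpers are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field; the one-byte length lets a peer claim up to 255 bytes. */
#define NICK_MAX 16

struct nick {
    char name[NICK_MAX];
};

/*
 * Ad hoc parser of the kind the thread warns about. The length byte comes
 * straight off the wire and is never compared with either the bytes actually
 * received or the size of the destination:
 *   n > msg_len - 1 : memcpy reads past the end of the input (over-read)
 *   n >= NICK_MAX   : memcpy and the terminator write past out->name (overflow)
 * Both are undefined behaviour in C. Kept for comparison; never feed it
 * untrusted input.
 */
int parse_nick_unsafe(const uint8_t *msg, size_t msg_len, struct nick *out)
{
    if (msg_len < 1)
        return -1;
    uint8_t n = msg[0];
    memcpy(out->name, msg + 1, n);   /* trusts n */
    out->name[n] = '\0';             /* also trusts n */
    return 0;
}

/*
 * Hardened version: every length taken from the wire is checked against both
 * the bytes received and the room in the destination before any copy.
 * Returns 0 on success, a negative code for each kind of malformed input.
 */
int parse_nick_safe(const uint8_t *msg, size_t msg_len, struct nick *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;                   /* nothing to parse */
    size_t n = msg[0];
    if (n > msg_len - 1)
        return -2;                   /* claims more bytes than were received */
    if (n >= NICK_MAX)
        return -3;                   /* would not fit together with its terminator */
    memcpy(out->name, msg + 1, n);
    out->name[n] = '\0';             /* always leaves a NUL terminator */
    return 0;
}

/* Constructed sample messages; each demo_* helper returns the parser's verdict. */

/* Well-formed: length 5, payload "alice". Both parsers accept it, which is why
 * the unsafe one survives testing on friendly input. Returns 1 when both agree. */
int demo_good_both(void)
{
    static const uint8_t msg[] = {5, 'a', 'l', 'i', 'c', 'e'};
    struct nick a, b;
    if (parse_nick_unsafe(msg, sizeof msg, &a) != 0)
        return 0;
    if (parse_nick_safe(msg, sizeof msg, &b) != 0)
        return 0;
    return strcmp(a.name, "alice") == 0 && strcmp(b.name, "alice") == 0;
}

/* Truncated: claims 5 bytes but only 2 arrived. The unsafe parser would over-read. */
int demo_truncated_safe(void)
{
    static const uint8_t msg[] = {5, 'a', 'l'};
    struct nick nk;
    return parse_nick_safe(msg, sizeof msg, &nk);   /* -2 */
}

/* Oversized: claims 40 bytes, all present, but NICK_MAX is 16. The unsafe
 * parser would write 25 bytes past the end of out->name. */
int demo_oversized_safe(void)
{
    uint8_t msg[1 + 40];
    struct nick nk;
    msg[0] = 40;
    memset(msg + 1, 'A', 40);
    return parse_nick_safe(msg, sizeof msg, &nk);   /* -3 */
}

/* Boundary: NICK_MAX - 1 bytes is the longest name that fits with its terminator. */
int demo_max_fit_safe(void)
{
    uint8_t msg[1 + (NICK_MAX - 1)];
    struct nick nk;
    msg[0] = NICK_MAX - 1;
    memset(msg + 1, 'B', NICK_MAX - 1);
    if (parse_nick_safe(msg, sizeof msg, &nk) != 0)
        return -1;
    return (int)strlen(nk.name);     /* 15 */
}

int main(void)
{
    printf("well-formed, both parsers agree: %d\n", demo_good_both());
    printf("truncated (safe parser): %d\n", demo_truncated_safe());
    printf("oversized (safe parser): %d\n", demo_oversized_safe());
    printf("max fit (safe parser): %d\n", demo_max_fit_safe());
    return 0;
}
```

The point is not that the checks are hard to write, but that nothing in C forces them: the unsafe parser compiles cleanly and passes every friendly test, and only the two `if` lines in the hardened version stand between a length byte and a memory corruption bug, which is the class of defect a managed language rules out by construction.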

~~~
Uhhrrr
Hm, and what is the runtime written in?

~~~
mschuster91
There are only two big open-source JS engines (Mozilla's whatever-monkey-it-is-now and Google's V8).

This means that a lot more eyeball-power went into inspecting those for
security issues than into inspecting a messenger - simple reason: a bug in
V8/xMonkey would fetch far, far bigger reps and money than finding a bug in
Pidgin.

Always remember: given enough eyeballs all bugs are shallow.

------
quasque
In the meantime, TorChat
([https://github.com/prof7bit/TorChat](https://github.com/prof7bit/TorChat))
is usable.

Though it doesn't fit the specification of the linked project as it uses its
own custom protocol based around Tor hidden services, rather than implementing
XMPP, Twitter, Facebook messenger, etc. This may be more secure as it is
keeping everything within Tor rather than using exit nodes, but perhaps less
usable if everyone else you know is using more popular IM software.

~~~
middleclick
I think TorChat has nothing to do with the Tor project but I may be wrong.

~~~
quasque
Yes it's an independent project, but a pretty neat way of co-opting the hidden
service protocol for instant messaging.

------
SmileyKeith
What am I missing here, aren't these two comments conflicting?

> Audit the Pidgin chat client, fixing security bugs

And

> we don't want to use Pidgin/libpurple

~~~
phaer
Well, you could always audit software you don't use at all, right? ;) I'd
guess that they decided to drop pidgin and use instantbird instead (or the
other way around) and would also be interested in some more information about
the reasons.

~~~
SmileyKeith
Yea. Seems like that question is a lot of the conversation going on here as
well.

------
chris_wot
What's wrong with libpurple?

------
mikemoka
What is Sponsor O? Why is the interface localized only in those particular
languages?

~~~
rjzzleep
Looks to me like a government contract[1], for whatever reason it irks me a
little that the main target seems to be Iran[2].

> It also includes outreach, especially towards Iranians.

[1]: [https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter](https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter)

[2]: [https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Buoyant](https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Buoyant)

~~~
matznerd
As recently as 2012, 80% of the Tor budget was funded by the US Government...

Originally sponsored by the U.S. Naval Research Laboratory,[11] which had been
instrumental in the early development of onion routing under the aegis of
DARPA, Tor was financially supported by the Electronic Frontier Foundation
from 2004 to 2005.[13] Tor software is now developed by the Tor Project, which
has been a 501(c)(3) research-education nonprofit organization [14] based in
the United States of America [1] since December 2006. It has a diverse base of
financial support;[13] the U.S. State Department, the Broadcasting Board of
Governors, and the National Science Foundation are major contributors.[15] As
of 2012, 80% of the Tor Project's $2M annual budget comes from the United
States government, with the Swedish government and other organizations
providing the rest,[16] including NGOs and thousands of individual
sponsors.[17] One of the founders of the project, Roger Dingledine, stated
that the DoD funds are less similar to being a procurement contract and are
more similar to a research grant. Andrew Lewman, the executive director of the
Tor project, stated that even though it accepts funds from the U.S. federal
government, the Tor service did not necessarily collaborate with the NSA to
reveal identities of users.[18]

[http://en.wikipedia.org/wiki/Tor_(anonymity_network)](http://en.wikipedia.org/wiki/Tor_\(anonymity_network\))

