/g/ - Technology

install openbsd

Secure Communications General Nanonymous No.2887 [D][U][F][S][L][A][C] >>2888 >>2893 >>2899 >>3212
File: a9b394a7cceb11af93376d4d4f241ed471d38fc207b69f992dc27416999a1418.png (dl) (10.77 KiB)

What's the most secure messaging protocol/program? Which one do you use?
Also, what do you think about pic related?

Nanonymous No.2888 [D] >>2889 >>2890

>>2887
not exactly the answer you're looking for, but email + gnupg through tor is practical and secure if you're not dealing with normalfags.

otherwise, I remain an xmpp + otr holdout (also over tor). it's a bit cumbersome and there doesn't seem to be a single decent xmpp client out there (I use pidgin), but it does the job.

Nanonymous No.2889 [D]

>>2888
Email and XMPP are both old and still have a lot of issues, and if you don't selfhost it's even worse.

Here's a few more:
- Ricochet - actually looks very nice, but the last release was in 2016.
- Tox and Telegram - use home-made encryption.
- Signal - has shady devs and requires a phone number.
- IRC + OTR - don't know how secure it is, but having to remain connected to the server to receive messages is pretty annoying.
- Matrix + Riot - looks good, but I don't know much about it, so I'm curious what /g/ thinks.

I've been using XMPP with a third-party clearnet server over Tor, because Conversations (Android client) refuses to work with a .onion server - I assume it's because it forces a TLS connection, and hidden services either use self-signed certificates or none at all. You could easily fork it and remove the TLS requirement but then you lose out on the convenient F-droid updates.
I only tested it with securejabber's onion service so I might be wrong about that though. Suggest other XMPP servers that have hidden services because I don't know any others.

Nanonymous No.2890 [D] >>2891

Ugly, buggy drop-in discord/slack replacement also trying to replace irc.
>>2888
It's kind of sad that the best xmpp client is on android (conversations).
Also why not omemo?
And why pidgin when there's irssi and profanity?

Nanonymous No.2891 [D] >>2892

>>2890
> And why pidgin when there's irssi and profanity?
Irssi and profanity don't support omemo yet (https://omemo.top)
To my knowledge, the only tui client that does support it is finch, but it's the shittiest fucking program I've ever used

Nanonymous No.2892 [D] >>2896 >>2901

>>2891
https://github.com/ReneVolution/profanity-omemo-plugin
irssi doesn't, true
And if you use pidgin, why use otr? https://github.com/gkdr/lurch

Nanonymous No.2893 [D]

>>2887
Matrix cryptography details

For one-on-one communication:
https://git.matrix.org/git/olm/about/docs/olm.rst

For group chat:
https://git.matrix.org/git/olm/about/docs/megolm.rst

For both:
https://matrix.org/speculator/spec/HEAD/client_server/unstable.html#end-to-end-encryption
https://matrix.org/docs/guides/e2e_implementation.html

Nanonymous No.2894 [D] >>2935

I've been reading more about Matrix/Riot, and unfortunately they look like a letdown.
Riot is the only good client because all the other actively maintained ones don't (fully) support end-to-end encryption, plus it's the only Android client.
Riot uses Cloudflare MITM on their main domain.
Selfhosting your own Matrix homeserver is the best option, but you can't use Tor hidden services (clearnet domain used over Tor is still possible though.)

Nanonymous No.2895 [D][U][F]
File: a632238db28e7b5110a16eddd7a5ed59e22a3644512e4bd68179907c8c3bb025.png (dl) (311.32 KiB)

>tfw too much of a recluse so I don't have any use for overly secure messaging apps

Nanonymous No.2896 [D]

>>2892
That profanity plugin was more of a proof of concept from a rando on github, iirc
Good news though, next version will have official omemo support: https://github.com/boothj5/profanity/pull/1039

Nanonymous No.2899 [D] >>2903

>>2887
Ricochet
TorChat

Nanonymous No.2901 [D]

>>2892
>why pidgin?
I use pidgin because I can use both otr and omemo, actually, and also because it can be set up to work with onion services without torsocks. irssi is a fine irc client, but I don't find it particularly pleasant to use for secure IM-type interaction.
>why not omemo?
omemo is promising, but omemo's implementation on many clients is pretty rotten and it's often difficult to verify that it is doing what it should be doing without peeking at debug logs and whatnot. until things improve, I'll stick with something that gives me a clearer indication that a connection is negotiated and issues obvious signs when something isn't right (eg, garbage messages from the person I'm talking to, not just silently dropping them or even spewing some as plaintext as it seems omemo on many clients is known to do occasionally). I also don't believe in multiple device support: it inevitably means someone left their phone running with logs being taken (see: Conversations per default). I honestly dislike otr too, but again: it does the job. And as cumbersome as the whole xmpp/otr thing is, I've seen no indication that it isn't secure: if it works, why be eager to change to something else?

Nanonymous No.2903 [D]

>>2899
>Ricochet
>TorChat
promising, but development of both stalled years ago. torchat in particular is known to have a number of security issues with the implementation that probably will never be addressed. these are not presently safe to use imo.

Nanonymous No.2904 [D] >>2909

bitmessage

Nanonymous No.2909 [D] >>2934

>>2904
a great idea, but the main sites don't be accepting sign-ups.

Nanonymous No.2923 [D] >>2926 >>3587

has anyone tried keybase?
it looks like it wants you to give it a lot of your information, to "strengthen your identity", so it doesn't seem very anonymous.

Nanonymous No.2926 [D] >>2928

>>2923
>doesn't seem very anonymous
That's the point anon. If I send a real life friend a message they should be able to determine that it's actually me. If I post a message on nanochan, it doesn't matter who I am, or even if I'm the same person who made another post.

Nanonymous No.2928 [D] >>3587

>>2926
Why do this when signing messages with PGP keys exists? Trusting any organization with your info might verify your identity but probably decreases your security overall.

Nanonymous No.2934 [D]

>>2909
BitMessage doesn't require sign-up, it is somewhat similar to BitCoin but for sending messages, just don't use the centralized BitMessage proxies like https://bitmessage.ch

But, looking at the protocol of BitMessage it does leak quite a lot of metadata:
https://web.archive.org/web/20190128062951/https://bitmessage.org/wiki/Protocol_specification

And there's no perfect forward secrecy, meaning if you lose your key all previous and next communications can be compromised.

Nanonymous No.2935 [D]

>>2894
I tried selfhosting my own Matrix server. The setup is way too complicated for what it is. You quickly realize your server won't be used if you don't host a riot instance, too, and that software is a PoS.
Use IRC and Mumble. Use encrypted mail when you want permanent messages.

Nanonymous No.3190 [D] >>3201

There's nothing Riot solves that XMPP+OMEMO hasn't solved already. Without a gay ass phone-like retard interface either, use Gajim 0.16.X
That's the last release before they switched to gtk3

Nanonymous No.3201 [D]

>>3190
>There's nothing Riot solves that XMPP+OMEMO hasn't solved already
Voip

Nanonymous No.3212 [D]

>>2887
>What's the most secure
anything that acknowledges Zooko's Triangle. e.g.
names are local, you share keys instead of "readable" addresses

Nanonymous No.3443 [D] >>3475

deleting messages after sending them is the most secure way I know to communicate.

Nanonymous No.3469 [D]

>What's the most secure messaging protocol/program?
If you want to get your message to a second party and you want to be secure, you better not rely on a third-party service.
But then again, you'd be at the very least signing in with your IP, unless you're routing your messages through Tor or using a VPN.

Nanonymous No.3475 [D]

>>3443
Did someone intercept it and save it?
Rhetorical question: multiple state-sponsored parties saved it

Nanonymous No.3584 [D]

>matrix homeserver hacked

<"Now for some real transparency "
I wonder what the motive was.

Nanonymous No.3587 [D]

>>2923
that's what PGP is for nigger
>>2928
>might
not even, it's weaker than just using PGP like a white man

Nanonymous No.3612 [D]

What about Briar?
https://briarproject.org/how-it-works.html