/g/ - Technology

install openbsd

Secure Communications General Nanonymous No.2887 [D][U][F][S][L][A][C] >>2888 >>2893 >>2899 >>3212
File: a9b394a7cceb11af93376d4d4f241ed471d38fc207b69f992dc27416999a1418.png (dl) (10.77 KiB)

What's the most secure messaging protocol/program? Which one do you use?
Also, what do you think about pic related?

Nanonymous No.2888 [D] >>2889 >>2890

>>2887
not exactly the answer you're looking for, but email + gnupg through tor is practical and secure if you're not dealing with normalfags.

otherwise, I remain an xmpp + otr holdout (also over tor). it's a bit cumbersome and there doesn't seem to be a single decent xmpp client out there (I use pidgin), but it does the job.

Nanonymous No.2889 [D]

>>2888
Email and XMPP are both old and still have a lot of issues, and if you don't selfhost it's even worse.

Here's a few more:
- Ricochet - actually looks very nice, but the last release was in 2016.
- Tox and Telegram - uses home-made encryption.
- Signal - has shady devs and requires a phone number.
- IRC + OTR - don't know how secure it is, but having to remain connected to the server to receive messages is pretty annoying.
- Matrix + Riot - looks good, but I don't know much about it, so I'm curious what /g/ thinks.

I've been using XMPP with a third-party clearnet server over Tor, because Conversations (Android client) refuses to work with a .onion server - I assume it's because it forces TLS connection, and hidden services either use self-signed certificates or none at all. You could easily fork it and remove TLS requirement but then you lose out on the convenient F-droid updates.
I only tested it with securejabber's onion service so I might be wrong about that though. Suggest other XMPP servers that have hidden services because I don't know any others.

Nanonymous No.2890 [D] >>2891

Ugly, buggy drop-in discord/slack replacement also trying to replace irc.
>>2888
It's kind of sad that the best xmpp client is on android(conversations).
Also why not omemo?
And why pidgin when there's irssi and profanity?

Nanonymous No.2891 [D] >>2892

>>2890
> And why pidgin when there's irssi and profanity?
Irssi and profanity don't support omemo yet (https://omemo.top)
To my knowledge, the only tui client that does support it is finch, but it's the shittiest fucking program I've ever used

Nanonymous No.2892 [D] >>2896 >>2901

>>2891
https://github.com/ReneVolution/profanity-omemo-plugin
irssi doesn't, true
And if you use pidgin, why use otr? https://github.com/gkdr/lurch

Nanonymous No.2893 [D]

>>2887
Matrix cryptography details

For one-on-one communication:
https://git.matrix.org/git/olm/about/docs/olm.rst

For group chat:
https://git.matrix.org/git/olm/about/docs/megolm.rst

For both:
https://matrix.org/speculator/spec/HEAD/client_server/unstable.html#end-to-end-encryption
https://matrix.org/docs/guides/e2e_implementation.html

Nanonymous No.2894 [D] >>2935

I've been reading more about Matrix/Riot, and unfortunately they look like a letdown.
Riot is the only good client because all the other actively maintained ones don't (fully) support end-to-end encryption, plus it's the only Android client.
Riot uses Cloudflare MITM on their main domain.
Selfhosting your own Matrix homeserver is the best option, but you can't use Tor hidden services (clearnet domain used over Tor is still possible though.)

Nanonymous No.2895 [D][U][F]
File: a632238db28e7b5110a16eddd7a5ed59e22a3644512e4bd68179907c8c3bb025.png (dl) (311.32 KiB)

>tfw too much of a recluse so I don't have any use for overly secure messaging apps

Nanonymous No.2896 [D]

>>2892
That profanity plugin was more of a proof of concept from a rando on github, iirc
Good news though, next version will have official omemo support: https://github.com/boothj5/profanity/pull/1039

Nanonymous No.2899 [D] >>2903

>>2887
Ricochet
TorChat

Nanonymous No.2901 [D]

>>2892
>why pidgin?
I use pidgin because I can use both otr and omemo, actually, and also because it can be set up to work with onion services without torsocks. irssi is a fine irc client, but I don't find it particularly pleasant to use for secure IM-type interaction.
>why not omemo?
omemo is promising, but omemo's implementation on many clients is pretty rotten and it's often difficult to verify that it is doing what it should be doing without peeking at debug logs and whatnot. until things improve, I'll stick with something that gives me clearer indication that a connection is negotiated and issues obvious signs when something isn't right (eg, garbage messages from the person I'm talking to, not just silently dropping them or even spewing some as plaintext as it seems omemo on many clients is known to do occasionally). I also don't believe in multiple device support: it inevitably means someone left their phone running with logs being taken (see: Conversations per default). I honestly dislike otr too, but again: it does the job. And as cumbersome as the whole xmpp/otr thing is, I've seen no indication that it isn't secure: if it works, why be eager to change to something else?

Nanonymous No.2903 [D] >>5270

>>2899
>Ricochet
>TorChat
promising, but development of both stalled years ago. torchat in particular is known to have a number of security issues with the implementation that probably will never be addressed. these are not presently safe to use imo.

Nanonymous No.2904 [D] >>2909

bitmessage

Nanonymous No.2909 [D] >>2934

>>2904
a great idea, but the main sites don't be accepting sign-ups.

Nanonymous No.2923 [D] >>2926 >>3587

has anyone tried keybase?
it looks like it wants you to give it a lot of your information, to "strengthen your identity", so it doesn't seem very anonymous.

Nanonymous No.2926 [D] >>2928

>>2923
>doesn't seem very anonymous
That's the point anon. If I send a real life friend a message they should be able to determine that it's actually me. If I post a message on nanochan, it doesn't matter who I am, or even if I'm the same person who made another post.

Nanonymous No.2928 [D] >>3587

>>2926
Why do this when signing messages with PGP keys exists? Trusting any organization with your info might verify your identity but probably decreases your security overall.

Nanonymous No.2934 [D]

>>2909
BitMessage doesn't require sign-up, it is somewhat similar to BitCoin but for sending messages, just don't use the centralized BitMessage proxies like https://bitmessage.ch

But, looking at the protocol of BitMessage it does leak quite a lot of metadata:
https://web.archive.org/web/20190128062951/https://bitmessage.org/wiki/Protocol_specification

And there's no perfect forward secrecy, meaning if you lose your key all previous and next communications can be compromised.

Nanonymous No.2935 [D]

>>2894
I tried selfhosting my own Matrix server. The setup is way too complicated for what it is. You quickly realize your server won't be used if you don't host a riot instance, too, and that software is a PoS.
Use IRC and Mumble. Use encrypted mail when you want permanent messages.

Nanonymous No.3190 [D] >>3201

There's nothing Riot solves that XMPP+OMEMO hasn't solved already. Without a gay ass phone-like retard interface either, use Gajim 0.16.X
That's the last release before they switched to gtk3

Nanonymous No.3201 [D]

>>3190
>There's nothing Riot solves that XMPP+OMEMO hasn't solved already
Voip

Nanonymous No.3212 [D]

>>2887
>What's the most secure
anything that acknowledges Zooko's Triangle. e.g
names are local, you share keys instead of "readable" addresses

Nanonymous No.3443 [D] >>3475

deleting messages after sending them is the most secure way i know to communicate.

Nanonymous No.3469 [D]

>What's the most secure messaging protocol/program?
If you want to get your message to a second party and you want to be secure, you better not rely on third party service.
But then again, you'd be at the very least signing in with your IP, unless you're routing your messages through TOR or using a VPN.

Nanonymous No.3475 [D]

>>3443
Did someone intercept it and save it?
Rhetorical question: multiple state-sponsored parties saved it

Nanonymous No.3584 [D]

>matrix homeserver hacked

<"Now for some real transparency "
I wonder what the motive was.

Nanonymous No.3587 [D]

>>2923
that's what PGP is for nigger
>>2928
>might
not even, it's weaker than just using PGP like a white man

Nanonymous No.3612 [D]

What about Briar?
https://briarproject.org/how-it-works.html

Nanonymous No.5270 [D] >>5558
Briar is cool but only on Android.

Adamant is all blockchainy which means NOTHING EVER GETS DELETED.

Matrix is cool but there is no ez post deletion only redaction and account nuking.
Plus you get fucked if the homeserver you are using goes down, you can't delete shit!
>Matrix homeserver hacked
That's matrix.org, only ONE of the homeservers. Anyone can make one because it is FEDERATED!

Tox is badass but totally broken.

>>2903

This.

XMPP is a meme.
IRC is just Matrix for retards in a sense, most of them are impossible to join over Tor.

Nanonymous No.5271 [D] >>5676
>email

DeltaChat for some reason doesn't yet have Tor Proxy support.

Jami is promising actually.

>BitMessage

wtf is that

Nanonymous No.5557 [D]
Jami does not even have group chat yet, let alone Tor support.

Nanonymous No.5558 [D] >>5573
>>5270
>XMPP is a meme.
Why?

Nanonymous No.5564 [D] >>5567 >>5591
In case you haven't seen it, last year there were some pretty bad attacks against GPG and other PGP implementations:
http://archivecaslytosk.onion/F7Z43
Clients seem to be patched now, but the take-away is that the encryption (or at least the default encryption) used by GPG is not so great. Also remember no forward secrecy etc. I'm sure this has been discussed many times...
Remember if you prioritize security, you want to be using software as simple as possible. Mutt for example wasn't a vulnerable client because there was no back channel to exfil data with - Mutt doesn't prefetch images or other links at all. Use plain-text email.

Nanonymous No.5565 [D] >>5567 >>5572
9 hours ago matrix.org deleted imageboard rooms off their server. I woke up to several pages of people with matrix.org accounts leaving the room.

Nanonymous No.5567 [D] >>5572 >>5575
>>5565
You can run your own matrix server. This is what decentralization means.
>>5564
>Use plain-text email.
Don't use email at all.

Nanonymous No.5572 [D] >>5575
>>5565 >>5567
Or use a different one.
Matrix.org, Disroot (and a lot of the main homeservers) are run by PC leftists.

Nanonymous No.5573 [D]
>>5558

My understanding is it's worse than Matrix.
Seems more complicated than IRC too.

Nanonymous No.5575 [D] >>5579
>>5567
>>5572
I am just giving commentary on what is happening in the matrix ecosystem. I personally do not use a matrix.org account, nor am I in any rooms on matrix.org.

Nanonymous No.5579 [D]
>>5575

Good for you!

Alas, some people get the wrong idea when they hear that "Matrix.org" is doing PC stuff, and in their centralized thinking brains think "Matrix.org = all of Matrix".

Probably why those that oppose censorship ignore Mastodon as an alternative, because they think it's a unitary centralized progressive hellhole.

Instead it's a decentralized progressive hellhole (with probably a few exceptions I can't name, the non-political instances are probably better), ripe for exodus into if someone set up an uncrapped instance.

Yes they could get blocked by other instances (like Gab did, but Gab doesn't give a crap about decentralization anyway, and didn't), but eventually they would form their own "fediverse within a fediverse", and instances that federate with both may smooth that out.

Nanonymous No.5591 [D] >>5707
>>5564
Instead of GPG, you could use reop: http://www.tedunangst.com/flak/post/reop

Nanonymous No.5638 [D]
Someone on github has a hacking tool up, but it has what seems like a secure file sharing tool. https://github.com/JusticeRage/freedomfighting

Nanonymous No.5676 [D][U][F]
File: a4ef5b3f6c38cb3e07a945cbb9f403e741df9d0ef905fe3d539ea9c553b9eade.png (dl) (77.60 KiB)
>>5271
>jami
picrel
Original link at https://git.jami.net/savoirfairelinux/ring-project/issues/542 but it seems like the issue was deleted

Nanonymous No.5707 [D]
>>5591
NOW BACK IN MY DAY, WE DIDN'T USE NO IDE OR NO TEXT EDITORS. WE PIONEERS OF COMPUTER SCIENCE USED TO PUNCH INDIVIDUAL BITS INTO A PIECE OF CARD AND FEED IT INTO THE MAINFRAME! KIDS THESE DAYS DON'T TRULY UNDERSTAND TECHNOLOGY. THEY JUST KNOW HOW TO PLAY GTA AND MINECRAFT! DAMN IT I KNEW THERE WAS SOMETHING WRONG WITH SO MANY KIDS 'LEARNING TECHNOLOGY' THESE DAYS, IT'S ALL JUST A BUNCH OF ANTI-AMERICAN COMMIE GOBBLE-DE-GOOK MEANT TO NEUTER OUR EDUCATION SYSTEM AND TURN US ALL INTO COMMIE BASTARDS LIKE THEM. GOD BLESS.
This post was made using voice recognition software by Elenvire Technologies, Inc. (C) 1997 Microsoft Corporation. ALL RIGHTS RESERVED.

Nanonymous No.10237 [D] >>10238 >>10239 >>10258
Freesoftwareextremist
neckbeard.xyz (Even has an onion address)
((gab.com))
are good instances

Nanonymous No.10238 [D]
>>10237
freespeechextremist.com*

Nanonymous No.10239 [D] >>10258
>>10237
A good list of instances:
http://ygltukjocrxnyff5.onion/fed.txt

Nanonymous No.10258 [D]
>>10237 >>10239
Gab is terrible, how do you even use it over Tor?
Even former proponents of it are getting off the wagon, as they begin to ban people they dislike.

Nanonymous No.10262 [D]
>banning
OH SHIT NIGGER WHAT ARE YOU DOING LMAOOOO LIKE ITS 2020 WHY IS YOUR NETWORK STILL CENSORABLE JUST USE A WOT LOLLLL

Nanonymous No.10279 [D]
gab is a low-key honeypot and a cesspool for autistic boomer normalfags. if you're going to fediverse, don't pick (((torba))) to run your show.