Add a warning to the Ricochet description #474
Comments
|
It's not dead. As I answered to you in the issue you referenced and in ricochet-im/ricochet#578, Ricochet is sicure and development is still going on. There are no reasons to remove it from "Encrypted Instant Messanger". |
|
@ilovelinux Are you blind? You are not a ricochet developer anyway. Read. |
ghost
mentioned this issue
|
Related website, prism-break.org, removed Ricochet. What about you? |
|
I don't think this should be removed as there's nothing to cause reason that it does not work. The security of this mostly uses Tor Hidden Services. Perhaps a warning about making sure that you're using the latest version of Tor and not the bundled binary would be helpful. The program did undergo an audit in 2016. It is inevitable that more complex clients such as the proprietary options are going to be able to support other features at the cost of security. It's probably the best choice for avoiding metadata collection at this point in time. Not everyone needs A/V, server side logs, multi-device etc. Perhaps we could keep an eye on https://redmine.tails.boum.org/code/issues/8173 |
ghost
mentioned this issue
|
I second that we should add a notice regarding using a new version of Tor. I think the only publicly known vulns in the main ricochet client right now are just in the Tor version it uses. |
ghost
mentioned this issue
ghost
changed the title
|
👍 Can anyone create a PR adding what @beardog108 mentioned? |
|
How does this look:
|
|
Looks good! The only change I'd make is: So: And maybe add a command to copy it on Linux and OS X? Hm, maybe a symlink would be better, because updating Tor browser would update the binary for Ricochet as well? And can't the tor binary location be changed in Ricochet's settings? It feels kinda hacky to copy the binary. The symlink command would look like this: $ mv ~/Downloads/ricochet/tor ~/Downloads/ricochet/tor.old
$ ln -s ~/Downloads/tor-browser_en-US/Browser/TorBrowser/Tor/tor ~/Downloads/ricochet/tor |
Easy done.
It would be better to delete the Tor binary included with Ricochet as there's absolutely no reason to use an old vulnerable version of Tor. It would be better for Ricochet to not open than to risk it using a vulnerable version of Tor. For MacOSX and Linux it should be sufficient to just "delete" the bundled Tor binary as long as Tor is in the I would do this by using the
There doesn't seem to be a way within the configuration file or within the user interface to change the location of where the Tor binary is located. On Windows it seems that it's hard coded. I think copying it will be the only solution for Windows without making changes to the Ricochet source. See: https://github.com/ricochet-im/ricochet/blob/master/src/tor/TorManager.cpp#L274 Does this seem like an acceptable solution to you? |
|
Great. Since it has a fallback to PATH, there's no need to create symlinks. On my OS, there's: a) For me, $ which tor
/usr/sbin/tor
Maybe |
|
When referring to using If you installed Ricochet through apt-get you're going to find that it doesn't include Tor and will depend on it instead. The maintainer will keep that up to date.
Unless 'a' i in your path it's never going to be found. 'b' would be used. As I suppose it would just be safer to make a symlink ie It's fairly safe to assume on MacOSX that the Tor binary will be in
|
ghost
mentioned this issue
I meant to keep a copy of the tor version that ricochet uses. Just a small detail, not important. |
|
better removing ricochet is outdated as hell and there are many bugs inside it and Tor new versions not supported by it. Wonder why the hell its still hanging there. |
It still works, does it not? It also has been audited by NCC.
Such as? All software has bugs, this is not sufficient reason to remove it. If we did that we would have nothing left. Unless they are directly related to security and are not fixed, as in do X de-anonymise user Y. Considering anonymity is one of Ricochet's selling points vs other messengers.
My understanding was it still worked with Hidden Services v2 does it not? Documentation was being improved to instruct how to replace the binary with a newer version.
Is there something better that uses HiddenServices? On a side note, I am curious about https://cwtch.im however it is still firmly experimental at the moment. |
working with dying soul. i dunno what kind of a joke of audition is this.
yeah but bugs in this case wont fix inside ricochet stuff from 2011 ... example im facing chat deletion,contact removal issue, tor not updated and 2.x has alot of horrible hidden services issues... no way to be considered reliable. Good replacement is Tox Chat.
yes hidden services v2 still working with Tor 3.x, but the issue when you are using Tor 2.x and using onion v2 = thats fucked.
nope. and cwtch im sure wont be much. |
You're welcome to check out the code and make some of the improvements you desire. I'm sure your PRs will be appreciated. Also Ricochet Security Assessment February 15, 2016 – Version 1.2.
The bug poster hasn't provided enough information, see my reply ricochet-im/ricochet#593 (comment). Maybe you could do that instead of running around purporting to be a Whonix developer when you're not and have made no commits to the project.
You could pay for a bug bounty. That would certainly encourage someone to move a bit faster in completing ricochet-im/ricochet#575
Considering the authors of Tox clearly state it is experimental it cannot in good faith be recommended anything more than as experimental at this point. In particular:
What it sets out to do is significantly more complex than Ricochet which mostly leaves the heavy lifting crypto to Tor. I doubt an audit will occur before the documentation (TokTok) is completed. Audits cost a lot of money and are usually done in the final stage of development after protocol design has been stabilized and frozen. Additionally as I commented in https://github.com/privacytoolsIO/privacytools.io/issues/736#issuecomment-456901644 it has already been added to the website. Looking at your history it seems you have a problem with using the search function (many of your opened issues have been closed as DUPLICATE).
Are you a fortune teller? |
not reliable. since the project havent been active since more than 3 years, plus the one who involved there is the same maintainer of Ricochet itself who left it and run away.. (are you kidding me..) .
Anyone whos running ricochet know how sucks its performance and stability (unless the user too blind to see that) , no need logs to prove it. and im just a user of whonix not a developer.
I wont pay a dollar for a dead project which there are no known maintainers to it anymore.
Well maybe you missed that as well in Ricochet main page: So your argument of experimental or not has no value.
And many others wont fix , and many others still open ... so you are not making any sense at all.
Yes |
Well unless you can point to some new 0days out there, I think the report from NCC is still valid enough. As far as I am aware the only vulnerabilities relate to the old Tor binary distributed (which can be replaced) and not Ricochet itself.
That issue you cited had nothing to do with performance. It was a null pointer exception.
You didn't make any effort to correct people when they assumed you were. Using the name "whonix_anonymous_os" , "Whonix" and their project logo would give off that vibe. When you then suggest things like collaboration, people would assume you had something to do with the project as that would be something for the actual project members to decide. 1, 2, 3, 4
Why don't you become it's maintainer? If there was a bug bounty I'm sure someone would make some improvements. The code isn't all that mystical, it just needs someone's time. That being said it looks like cwtch.im is getting quite a few commits so this might very well be a healthy fork with some new features. I hope it works out well for them.
Yes but it's far less drastic than what Tox proposes (own crypto) vs using HiddenServices. I wish them good fortune as well and have used qTox a number of times for video conferencing.
And if you'd actually used the search option you'd see that Tox is already on the privacytools.io website like I told you in https://github.com/privacytoolsIO/privacytools.io/issues/736#issuecomment-456901644 Anyway I've wasted enough time on you. |
ghost
mentioned this issue
|
Clearly as there's been a lack of understanding here, I suggest https://github.com/privacytoolsIO/privacytools.io/issues/746 |
|
I tried to look into Ricochet for a moment and I think I agree with adding a warning or even removing it entirely.
Other issues getting my attention that may be interesting, but irrelevant to this issue:
|
I agree on removing it @Shifterovich. |
|
I'm too busy rn to look into it enough but there's so many good IM tools that removing the less-than-ideal ones does more good than harm. Feel free @Vincevrp |
Yes these are the major issues here, now particularly if HSv3 is default. I can see a time sometime in the future where HSv2 may be deprecated entirely from newer Tor releases. I think at this point it's only a matter of when. Removing it would also solve https://github.com/privacytoolsIO/privacytools.io/pull/618 meaning that would no longer be needed. It does seem there's not going to be any new development. If you look at this ticket ricochet-im/ricochet#574 @s-rah seems to be busy developing cwtch which is the next iteration of Ricochet.
Which kind of links to the last point.
A lot of things aren't reproducible unfortunately.
This one would require a complete redesign, as it would no longer be peer-to-peer you'd need some sort of decentralized net or server infrastructure to store messages. It may very well be that cwtch.im is able to succeed here. Too early to be added however. Work does seem to be occurring though https://git.openprivacy.ca/cwtch.im/cwtch/commits/master On a side note Ricochet is still included in Debian https://packages.debian.org/sid/ricochet-im but that's only because nobody has investigated it enough to find an exploit, get a CVE and then have it's unmaintained nature brought into the spotlight. It does appear that it's not going to be added to Tails any time soon https://redmine.tails.boum.org/code/issues/8173
This one is kind of lol, what's the point of an anonymous messenger over Tor if your voice can be identified. |
|
I see the argument for removing it and agree with most points, however it is sad to see it unmaintained and removed since it is currently one of the only decent (in design) Tor-default, p2p chat applications. I say we put it in worth mentioning with the warning to update the tor binary. However i think i'm a little outnumbered, so i'll just remove it if no one else makes a pr soon. |
I do like the way that Ricochet works. Nothing really quite comes close to it in regard to metadata resistance. I think it's a less of a case of it being unmaintained, and more of a case of the current maintainers are active on the successor project, cwtch which aims to "fix" some of the issues with Ricochet (which was basically TorChat with a nicer UI). One of those things being updating the Tor binary, multi device support and offline messaging. Unfortunately it is still very 'alpha' at this state. Using something that is that experimental may very well be detrimental. I do think we need to reorganize the instant messenger section. How we do that is a topic of discussion. https://github.com/privacytoolsIO/privacytools.io/issues/746 https://github.com/privacytoolsIO/privacytools.io/issues/729 because all things simply are not equal. |
This is the most relevant part IMO. Good reason to keep/put it in worth mentioning |
|
Is having up-to-date Tor enough if the software itself doesn't support hidden service version 3? Has anyone tested that it still works with Tor versions that default to HSv3 (or it uses HSv2 explicitly and isn't affected by the default changing)? If the answer is yes to both, then I think it would be OK to keep as worth mentioning on Debian, but will most of Windows users start updating the Tor binary? (More relevant question might be whether they would install Ricochet at all though.) |
|
I opened an issue to ask if Ricochet should instead be replaced by Cwtch (https://github.com/privacytoolsIO/privacytools.io/issues/781). |
Ah yes, that more a less repeats what was said in ricochet-im/ricochet#574 (comment) that I linked in my comment https://github.com/privacytoolsIO/privacytools.io/issues/474#issuecomment-471776595
I decided to test this between two hosts. Host 1 from the Debian repositories and Host 2 a Windows machine. Here's what I started with: [
{
"Machine": "1",
"OS": "Debian 9",
"Versions": {
"Ricochet": "1.1.4",
"Tor": "0.2.9.16 (git-9ef571339967c1e5)",
"Libevent": "2.0.21-stable",
"OpenSSL": "1.1.0j",
"Zlib": "1.2.8"
}
},
{
"Machine": "2",
"OS": "Windows 10",
"Versions": {
"Ricochet": "1.1.4",
"Tor": "0.2.8.9",
"Libevent": "2.0.22-stable",
"OpenSSL": "1.0.2j",
"Zlib": "1.2.8"
}
}
]Everything seemed to work. However Host 2 is vulnerable as it is using the shipped copy of Tor. Note to see the version number one needs to add Now updating the Windows version using the binaries from 18,21c18,21
< "Tor": "0.2.8.9",
< "Libevent": "2.0.22-stable",
< "OpenSSL": "1.0.2j",
< "Zlib": "1.2.8"
---
> "Tor": "0.3.5.7 (git-9beb085c10562a25)",
> "Libevent": "2.1.8-stable",
> "OpenSSL": "1.0.2q",
> "Zlib": "1.2.11"Things were not so great. The first error I got was
So I copied the binaries Unfortunately then I got:
So it seems its not as simple as it was back then https://github.com/privacytoolsIO/privacytools.io/pull/618 to just update
Well I guess that depends on whether we can solve the above issue. |
ghost
mentioned this issue
|
as ricochet has been demoted to worth mentioning and now also has several warnings, i think it is right to close this issue |
See below.
No, it is not enough, because Ricochet uses [1] https://github.com/ricochet-im/ricochet/blob/master/src/tor/AddOnionCommand.cpp#L56 |
ricochet-im/ricochet#579
It's already dead.
The text was updated successfully, but these errors were encountered: