Silk Road forums
Discussion => Security => Topic started by: Nuggz on January 19, 2013, 02:16 am
-
I'm having trouble finding a way to have a secure end to end chat. How safe is Pidgin? I did find an answer about torchat
Torchat is total trash
and this guy knows what he's talking about.
-
I hear a lot of negative things about the security of the pidgin code base. However, I like it and with OTR + Tor it is quite nice. I notice that IRSSI with OTR and Tor is a more popular choice with the l33t haxx0r and cypherpunk crowds, however I have never been a big fan of the more traditional IRC clients simply from a usability point of view. Pidgin has a much less steep learning curve than other IRC clients imo, although it has been several years since I tried anything else and Pidgin was the first program I used for IRC so if you are old school in regards to IRC you may have better luck with less noob friendly and probably more securely coded alternatives.
-
I used to recommend NOT using Pidgin because it had glaring security issues, but a Tor developer named Jacob Appelbaum (ioerror) has done a lot of work to make it more secure.
https://developer.pidgin.im/ticket/15286
https://developer.pidgin.im/ticket/15290
He doesn't criticize it as vocally as he used to.
https://twitter.com/ioerror/status/239093399045672961
https://twitter.com/ioerror/status/7539468040
Most of the bugs he references have been fixed, so I would give a tentative thumbs up to Pidgin at this point.
-
I'm having trouble finding a way to have a secure end to end chat. How safe is Pidgin? I did find an answer about torchat
Torchat is total trash
and this guy knows what he's talking about.
Pidgin works well for me. Another option I've seen others use is KVIrc, but I personally love Pidgin and am so used to it now anyway. :)
-
Appelbaum still doesn't seem super thrilled. Your link had this quote from him:
"Sad discovery of the day: Pidgin leaks DNS when you use a SOCKS5 proxy and jabber accounts"
Do you have a recommendation on which service to use with Pidgin?
-
Sorry, I wasn't clear. Those were examples of when he was critical of Pidgin, like 6 months ago. If you follow the link in that tweet to the bug report:
https://developer.pidgin.im/ticket/11110
That one was fixed too. I think overall Pidgin is much safer than it was even a year ago, mostly thanks to his good work.
Edit: Actually that particular bug was fixed almost 2 years ago.
-
Appelbaum still doesn't seem super thrilled. Your link had this quote from him:
"Sad discovery of the day: Pidgin leaks DNS when you use a SOCKS5 proxy and jabber accounts"
Do you have a recommendation on which service to use with Pidgin?
That is fixed, now Pidgin lets you select a special proxy option called 'Tor' instead of 'SOCKS5', and this takes care of the DNS leaks. That said I still doubt he is very fond of Pidgin, none of the ultra l33t hackers seem to be. But it has been steadily improving. Conservatively speaking I guess I would suggest against it, or at least suggest isolating it (I do), but as far as user friendliness goes it really isn't beat by any other IM/chat program IMO. I use too many chat protocols to want to bother with anything else (pidgin supports everything I use), and I don't want to fuck around with doing IRC from a command line like the big boys do (even though I probably should).
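-
Added example, not part of the original thread or of Pidgin's or Tor's code: a check for the DNS leak discussed above, based on the SOCKS5 request layout in RFC 1928. A client that lets the proxy resolve names sends the hostname (address type 0x03); one that resolved the name itself sends an IP address, which means a DNS query left the machine outside the proxy. The function names and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types

def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_socks5_request(data: bytes) -> dict:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT from a SOCKS5 request."""
    if len(data) < 4:
        raise ValueError("truncated request header")
    ver, cmd, rsv, atyp = data[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    body = data[4:]
    if atyp == ATYP_DOMAIN:
        if not body or body[0] == 0:
            raise ValueError("missing domain name")
        alen, body = body[0], body[1:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        alen = 4 if atyp == ATYP_IPV4 else 16
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(body) != alen + 2:
        raise ValueError("bad address/port length")
    raw, (port,) = body[:alen], struct.unpack("!H", body[alen:])
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii")
        hostname_sent = not is_ip(host)  # an IP literal in a domain field is still an IP
    else:
        host, hostname_sent = str(ipaddress.ip_address(raw)), False
    return {"cmd": cmd, "host": host, "port": port, "hostname_sent": hostname_sent}

def audit(configured_server: str, request: bytes) -> str:
    """Compare the server name set in the account with what reached the proxy."""
    req = parse_socks5_request(request)
    if req["hostname_sent"]:
        return "ok: proxy resolves " + req["host"]
    if is_ip(configured_server):
        return "ok: account configured with an IP literal"
    return f"LEAK: client resolved {configured_server} locally to {req['host']}"

# Constructed sample requests (example.org name, TEST-NET-1 address, XMPP port 5222)
NAME = b"jabber.example.org"
REQ_REMOTE = b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + struct.pack("!H", 5222)
REQ_LOCAL = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + struct.pack("!H", 5222)
```

Feed `audit` the first request a client writes to the local SOCKS port after the method negotiation; Tor itself logs a warning when an application hands it only an IP address over SOCKS.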
-
Lots of helpful info. Thanks guys!