Silk Road forums

Discussion => Security => Topic started by: sentience on August 08, 2012, 11:34 pm

Title: SR messaging and XMPP
Post by: sentience on August 08, 2012, 11:34 pm
Hi. I don't like GPG and would like to use XMPP and OTR instead. Are there any good hidden service XMPP servers around, or should I host my own? Is there a precedent for this type of use on SR? A lot of people use tormail and stuff, but I think that an XMPP and OTR solution is a lot more flexible. What do you guys think?
Title: Re: SR messaging and XMPP
Post by: LouisCyphre on August 09, 2012, 12:27 am
Hi. I don't like GPG

Any particular reason?

and would like to use XMPP and OTR instead.

GPG and XMPP/OTR address different needs and they're both good at what they do.  XMPP and OTR are only a viable option if both parties are online at the same time, which definitely can't be guaranteed.

Are there any good hidden service XMPP servers around, or should I host my own?

I don't know of any existing hidden Jabber services, but even if there are you would be better off running your own and so would everyone using one (which also isn't a viable option for many people).

It is worth mentioning that DuckDuckGo runs a Jabber service and a Tor exit node (their search engine is also available as a hidden service).  I do not know if the Jabber service is available via Tor as well.

https://duck.co/topic/duckduckgo-s-new-public-xmpp-jabber-service-on-dukgo-com

Is there a precedent for this type of use on SR?

No idea, we'd need to ask someone who has been here longer.

A lot of people use tormail and stuff, but I think that an XMPP and OTR solution is a lot more flexible. What do you guys think?

If you can solve the (right) people being online simultaneously problem and make sure that there are enough trusted servers for everyone, then it may provide a good additional line of communication for those who want it.

Those people using the Tor Browser Bundle would need to get used to also running the Vidalia Bundle with Privoxy so they can easily run Pidgin (or Adium for OS X users) through that.  Remember, the IM component of the Tor Browser Bundle is not available to everyone, only Windows users.  Also, this bug from a couple of years ago appears to still be open:

https://trac.torproject.org/projects/tor/ticket/1676

Essentially Jabber/XMPP connections over Tor still leak DNS lookup information.  Read through the full ticket for details.

I think the only way to know for sure, though, is to test it.  You'll need at least three systems (in addition to any existing servers or routers): a server running the XMPP server (as a hidden service), a client running Vidalia and the IM program of your choice (ideally more than one to see what happens) and a third running tcpdump or wireshark to make sure that neither the client nor the server try to send any related data out to the clearnet.  If you can, try multiple client systems running different operating systems and IM programs.
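One way to evaluate the capture from the test setup described above, as an added example that is not part of the thread: it classifies `tcpdump -n` lines taken on the client box, treats the hop into the local Tor SOCKS port as expected, and flags the two clearnet leak classes that matter here (DNS lookups for the XMPP host, and the IM client connecting to an XMPP port directly). Tor's own encrypted link to its guard is left alone. The capture lines, addresses and hostname are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n` output on the client machine: one expected
# hop into the local Tor SOCKS port, then three other flows to classify.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 127.0.0.1.54321 > 127.0.0.1.9050: Flags [S], seq 1, win 64240, length 0
12:00:01.100000 IP 192.168.1.10.41000 > 203.0.113.53.53: 12345+ A? xmpp.example.invalid. (38)
12:00:01.200000 IP 192.168.1.10.54322 > 198.51.100.7.5222: Flags [S], seq 2, win 64240, length 0
12:00:01.300000 IP 192.168.1.10.54323 > 198.51.100.9.9001: Flags [P.], seq 3:100, length 97
"""

XMPP_PORTS = {5222, 5223, 5269}      # client-to-server, legacy SSL, server-to-server
TOR_SOCKS_PORTS = {9050, 9150}       # Vidalia bundle / Tor Browser Bundle defaults
LINE_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+):")

def classify(line):
    """Return (verdict, destination) for one tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst = m.group("dst")
    host, port = dst.rsplit(".", 1)
    ip, port = ipaddress.ip_address(host), int(port)
    if ip.is_loopback:
        verdict = "tor-socks" if port in TOR_SOCKS_PORTS else "local"
    elif port == 53:
        verdict = "dns-leak"          # the leak class discussed in Tor ticket 1676
    elif port in XMPP_PORTS:
        verdict = "direct-xmpp"       # IM client bypassing Tor entirely
    else:
        verdict = "other"             # e.g. Tor's own encrypted link to a guard
    return verdict, dst

def find_leaks(capture):
    """List every flow showing XMPP-related traffic leaving via the clearnet."""
    leaks = []
    for line in capture.splitlines():
        result = classify(line)
        if result and result[0] in ("dns-leak", "direct-xmpp"):
            leaks.append(result)
    return leaks

if __name__ == "__main__":
    for verdict, dst in find_leaks(SAMPLE_CAPTURE):
        print(f"{verdict}: {dst}")
```

A clean run on a correctly configured client should return an empty list; the same check applies to the server side, where only loopback traffic and the Tor daemon's own connections should appear.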
Title: Re: SR messaging and XMPP
Post by: LouisCyphre on August 09, 2012, 01:40 am
Are there any good hidden service XMPP servers around

riseup.net / ztmc4p37hvues222.onion

The hidden service isn't currently loading for me, but the same address is still listed on their website.  Of course it could just be available on the relevant XMPP ports, so I'll have a play with it later.  Thanks.

Essentially Jabber/XMPP connections over Tor still leak DNS lookup information.  Read through the full ticket for details.

this was fixed

Excellent!  :)
Title: Re: SR messaging and XMPP
Post by: sentience on August 09, 2012, 04:37 am
Hi. I don't like GPG

Any particular reason?

GPG does not afford perfect forward secrecy or deniability.

and would like to use XMPP and OTR instead.

GPG and XMPP/OTR address different needs and they're both good at what they do.  XMPP and OTR are only a viable option if both parties are online at the same time, which definitely can't be guaranteed.

XMPP has support for offline messages. I haven't tested that with OTR yet, but as long as you have a secure session established, I don't see why it can't work. Not to mention, I leave my computer on 24/7 anyway so if the seller tries to establish a connection when I'm not around it will succeed.

Are there any good hidden service XMPP servers around, or should I host my own?

I don't know of any existing hidden Jabber services, but even if there are you would be better off running your own and so would everyone using one (which also isn't a viable option for many people).

It is worth mentioning that DuckDuckGo runs a Jabber service and a Tor exit node (their search engine is also available as a hidden service).  I do not know if the Jabber service is available via Tor as well.

https://duck.co/topic/duckduckgo-s-new-public-xmpp-jabber-service-on-dukgo-com

Cool, I'll check it out.
Title: Re: SR messaging and XMPP
Post by: LouisCyphre on August 09, 2012, 04:54 am
Hi. I don't like GPG

Any particular reason?

GPG does not afford perfect forward secrecy or deniability.

The former depends more on the message delivery method and can be obtained through remailers.  The decrypted data is just as open to abuse or poor security procedures as XMPP.

As for deniability:

--hidden-recipient (-R) instead of --recipient (-r)
hidden-encrypt-to instead of encrypt-to in the gpg.conf

Alternatively:

--throw-keyids in any encryption command will conceal all keys the message is encrypted with.
and would like to use XMPP and OTR instead.

GPG and XMPP/OTR address different needs and they're both good at what they do.  XMPP and OTR are only a viable option if both parties are online at the same time, which definitely can't be guaranteed.

XMPP has support for offline messages. I haven't tested that with OTR yet, but as long as you have a secure session established, I don't see why it can't work.

Yeah, that's worth testing.

Not to mention, I leave my computer on 24/7 anyway so if the seller tries to establish a connection when I'm not around it will succeed.

Fair enough.  Probably a good idea to run your own Jabber server if you're going to do that.  Setting up ejabberd is dead simple normally, but I'm not sure about getting it to play with a Tor hidden service.

Are there any good hidden service XMPP servers around, or should I host my own?

I don't know of any existing hidden Jabber services, but even if there are you would be better off running your own and so would everyone using one (which also isn't a viable option for many people).

It is worth mentioning that DuckDuckGo runs a Jabber service and a Tor exit node (their search engine is also available as a hidden service).  I do not know if the Jabber service is available via Tor as well.

https://duck.co/topic/duckduckgo-s-new-public-xmpp-jabber-service-on-dukgo-com

Cool, I'll check it out.

Plus the one Shannon posted earlier from Riseup.  I'd lean more towards running your own server, though, and leaving third party services for people who can't run their own servers.
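The --throw-keyids and --hidden-recipient options mentioned above work by writing the all-zero wildcard key ID (RFC 4880) into each public-key encrypted session key (PKESK) packet instead of the recipient's real key ID. As an added example that is not from the thread, this small parser checks a binary OpenPGP message for that property; the two sample messages are hand-built for the example (tiny dummy MPI, stub data packet), not real gpg output.

```python
def parse_packet_header(data, offset=0):
    """Return (tag, body_offset, body_length) for an OpenPGP packet header (RFC 4880 s.4.2)."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, int.from_bytes(data[offset + 2:offset + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << ltype                              # 1, 2 or 4 length octets
    return tag, offset + 1 + nbytes, int.from_bytes(data[offset + 1:offset + 1 + nbytes], "big")

def recipient_key_ids(msg):
    """Return the key IDs (hex) named in the leading PKESK packets (tag 1) of a binary message."""
    ids, off = [], 0
    while off < len(msg):
        tag, body, length = parse_packet_header(msg, off)
        if tag != 1:
            break                                    # past the PKESK packets
        if msg[body] != 3:
            raise ValueError("unsupported PKESK version")
        ids.append(msg[body + 1:body + 9].hex())     # 8-octet key ID follows the version
        off = body + length
    return ids

def recipients_hidden(msg):
    """True when every PKESK carries the all-zero wildcard key ID (--throw-keyids / --hidden-recipient)."""
    ids = recipient_key_ids(msg)
    return bool(ids) and all(k == "0" * 16 for k in ids)

# Constructed messages: one old-format PKESK (RSA, dummy 8-bit MPI) followed by a
# stub tag-18 packet. Hand-built for this example, not produced by gpg.
NORMAL_MSG = bytes.fromhex("840d03 1234567890abcdef 01 0008ab d20100")
HIDDEN_MSG = bytes.fromhex("840d03 0000000000000000 01 0008ab d20100")

if __name__ == "__main__":
    print("normal:", recipient_key_ids(NORMAL_MSG), "hidden:", recipients_hidden(HIDDEN_MSG))
```

Feed it the binary (non-armored) output of the two gpg invocations to confirm that one leaks the key ID and the other does not; `gpg --list-packets` shows the same field.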