dino-im messenger

Please don’t demean anybody’s work without an informed opinion by an expert security auditor.

I’m confused. Is this about the backports version?


It’s clear like the sun in the middle of the day; it doesn’t need security consultation on obvious things.

I will simplify:

  • from stable debian repository: dino won’t connect at all to Tor.
  • from debian-backports: dino will connect the first time and you create an account … etc., then close and reopen it again and it won’t connect.

OK so I wouldn’t count that as working.

Can you try registering a new account with a different service server to the ones they bundle and see if they block connections?

Doesn’t matter, same thing.

HulaHoop via Whonix Forum:

Hi. I’ve had success with dino from backports. I can sign in, add contacts and have conversations. OMEMO works with other dino im users, but the people on Gajim cannot exchange keys with dino. Apps have nuances in how they implement OMEMO and it’s causing breakage across the ecosystem.

Can’t post links.

Google the article “OMEMO is broken in general across the ecosystem” on Monal’s blog.

There aren’t any OMEMO clients on MacOS or iOS that are bug free and easy to use. Some servers like jabber de have a web chat feature with OMEMO running in a browser.


Thanks for the report. I will update the docs and see if upstream can get its act together.

Tasks remaining:

A default install won’t happen before Debian Bullseye at the earliest since we don’t carry backports.


Instant Messenger Chat

  • Dino IM is the best option currently. It provides the best UX, a modern and clean look and OMEMO support.

Instant Messenger Chat

It’s planned for inclusion by default in Whonix 16.

Should be installed in milestone_whonix_16 by default?

(If it doesn’t have a milestone on phabricator or discourse forums, it will potentially be forgotten by that time.)


Yeah.

OK saw that. Adding tags is available when editing the topic title.


At this point, if it’s an instant messenger that works without hassle, even if it is limited to people using the same damn client software, I’m cool with it. Instant message clients have been the bane of my existence when it’s come to having timely, complete documentation.


This fits the bill perfectly at last. It’s embarrassing that we have a libre kernel and entire FOSS stacks on top of it and yet a secure IM with offline messaging has taken this long to happen.

We were talking about blocker bugs, bugs which make the app useless over Whonix/Tor. Unless they fix these bugs the app is just extra space inside Whonix.

#115, #666, and it won’t connect inside Whonix as I reported before.

Doesn’t encrypt messages by default: #884 (the developer is so naive that he doesn’t differentiate between encryption enabled by default and manually enabled encryption)

In this case, why are we arguing against Gajim if Dino has the same, if not more shitty, architecture?

Fixed in buster-backports?

Can ship a settings file by default in Whonix which enables dino encryption by default?

Fixed in buster-backports?

Nope, according to my testing above.

Can ship a settings file by default in Whonix which enables dino encryption by default?

I don’t know.

Patrick_mobile via Whonix Forum:

According to recent wiki changes by HulaHoop I assume buster-backports version can connect now.


Dino IM has serious privacy issues. I think the first point is fundamental for most Whonix users.

1) It was written that Dino prohibits disabling or purging history. I tried to use another Jabber client on the same JID for the sensitive chats. And I tried to boot from an old snapshot which was made before the sensitive messages. But Dino downloads the missed history and tricks it into logs anew. I tested this on PGP chat. And I received most of the history I didn’t want to keep.

All stored history is not encrypted. Physical or remote access allows getting every chat for all time. You cannot delete a single message. Everything you write is forever in Dino.

2) Open user info. Everyone can see the record “Using Dino” and the resource name like “dino.535nshGJ”. It identifies that you are not a Windows user. It reduces privacy. And it can help to choose an attack vector using Dino vulnerabilities. There are no plugins or settings to hide this data.

3) Modifying hostname and port configuration has not been fixed for 3 years.


Thanks for your feedback. I will open tickets with these on their bugtracker and see their response.

EDIT:


4) I did not find the option to cancel/disable file transfer. For example, you and I use Dino. I can send you a file even if you do not want it.

Dino IM is a good project but not for Whonix. Editing of messages, convenient management of PGP/OMEMO, history synchronization between devices, temporary keys. It’s very nice. But it’s provided through reduced privacy and security.

All issues from my last message have been in GitHub tickets for a long time. Developers are not ready to change something.


Updates:

Opt-in chat logs and encrypted in case selected - They will add the functionality to make this possible though not a default.

Scrub client user-agent - Even if they randomize it, it will stand out because no one does this and the client can still be enumerated by the announced featureset to a server.

Pretty reasonable explanations to me. I’d prefer you joining the conversation on Github instead of me being postman, but I am still happy to hear feedback from you to follow up with suggestions or better ideas on how to improve these problems.

Aren’t these XMPP features though? These all depend on the server supported functionality IIRC. These are enabled almost by every service out there and you have no control over them unless you’re hosting your own infrastructure.


I answered on GitHub. Here is the most important point: Opt-in chat logs and encrypted in case selected · Issue #953 · dino/dino · GitHub

Edit by Patrick:
fix link
