Dino IM has serious privacy issues. I think the first point is fundamental for most Whonix users.
1) It was written that Dino prohibits to disable or purge history. I tried to use another Jabber-client on the same JID for the sensitive chats. And I tried to boot from an old snapshot which made before sensitive messages. But Dino downloads the missed history and tricks it into logs anew. I tested this on PGP chat. And I received most of the history I didn’t want to keep.
All stored history is not encrypted. Physical or remote access allows to get the every chat for all time. You cannot delete no one message. Everything you write is forever in Dino.
2) Open user info. Everyone can see the record “Using Dino” and the name resourse like “dino.535nshGJ”. It identifies that you are not Windows user. It reduces privacy. And it can help to choose an attack vector using Dino vulnerabilities. There are no plugins or settings to hide this data.
3) Modifying hostname and port configuration not fixed since 3 years.
4) I did not find the option to cancel/disable file transfer. For example you and I use Dino. I can send you file even you do not want it.
Dino IM is good project but not for Whonix. Editing of messages, convenient management of PGP/OMEMO, history synchronization between devices, temporary keys. It’s very nice. But it’s provided through the reduced privacy and security.
All issues from my last message are at Github tickets for a long time. Developers are not ready to change something.
Opt-in chat logs and encrypted in case selected - They will add the functionality to make this possible though not a default.
Scrub client user-agent - Even if they randomize it, it will stand out because no one does this and the client can still be enumerated by the announced featureset to a server.
Pretty reasonable explanations to me. I’d prefer you joining the conversation on Github instead of me being postman, but I am still happy to hear feedback from you to follow up with suggestions or better ideas on how to improve these problems.
Aren’t these XMPP features though? These all depend on the server supported functionality IIRC. These are enabled almost by every service out there and you have no control over them unless you’re hosting your own infrastructure.
The final list based on Dino’s answers. There are new issues.
Dino prohibits Onion servers and manual configuration of hostname and port. This issue has been discussed for several years (#115). Users asked to allow these settings. The developers refuse.
Dino does not allow to disable the download / decryption of old history.
GPG. Dino downloads, fully decrypts and saves the entire GPG-history from the server every time when Dino starts. Most public jabber servers stores history from a week to a month.
OMEMO. Dino downloads both OMEMO and GPG chats. Messages, time, senders, recepients are visible in OMEMO logs. But OMEMO texts cannot be read.
Gajim and others provides an option to disable history downloading. The developers of Dino do not want to make this option (#953).
Let’s say you are running Dino from secured and cleared Whonix snapshots with zero history. This makes correct OMEMO encryption impossible. If you use OMEMO chat, you cannot run Dino many times from one Workstation snapshot. You are obliged to save all changes and all received files, even if the file contains a trojan. Or you cannot use OMEMO chat (#977). This is not a Dino bug but a security feature of OMEMO. But this feature creates a very big issue with Dino because of point 4 and point 5.
Dino saves chat logs to disk. There is no log encryption. It’s impossible to disable saving. Returning to a snapshot with a clean history is not decision (point 3). Users have been asking to disable logs during for three years (#67). The developers informed (#953) that they may disable logging in the future. It is not yet clear when and how the log management will be changed.
Dino does not allow you to disable or stop receiving files. Dino receives and saves to disk any file sent to the user. Returning to the previous snapshot causes a crash in the entire OMEMO-chat (point 3). The developers have included canceling file transfers to the wishlist (#955).
The developers refused to make the option to hide or show system time, hide or show or spoof OS and client name. The reasons are described in the discussion (#954).
I suppose points 1, 3, 4, 5 will be critical for most Whonix users. Point 2 is very serious for some. The developers are not ready to change anything in points 1, 2, 3, 6. This should be understood by every Whonix user.
@nurmagoz do you have experience using dino-im with the JMP service?
I would like to know whether the bullseye-backports package (dino-im version 0.2.0) supports voice calls? Alternatively, if not, does gajim currently support these features in Whonix per the Wiki instructions?
I know that I can connect to XMPP with dino-im (non-HS, but over Tor). I do not know this with respect to gajim. If I recall correctly, there were problems with its connecting over Tor.
Dino allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.
for sure there was my ticket at 666 (sadly not archived).
Not using onion connectivity support, not encrypting local messages/files, no encryption is enabled by default, no canceling of file transfer once initiated…etc stupid stuff one after another.
I don’t count this one. Also Thunderbird and most other applications don’t encrypt their local data. That’s much better done through use of FDE.
This is really sad indeed. dino-im unfortunately isn’t designed as an encryption-by-default messenger such as for example Signal.
Signal has its own issues. And I am not suggesting to install Signal by default. Signal issues are mostly off-topic here. But at least Signal is encrypted by default without exception.
dino-im however is a jabber client. And it seems jabber itself wasn’t designed as an encrypted-by-default protocol. Therefore not a big surprise that dino-im isn’t encrypted by default either and therefore somewhat understandable that dino-im doesn’t enable encryption by default.
Therefore dino-im (or perhaps even every jabber client) isn’t near perfect or at least very good for good security and privacy.
IIRC they modified their app to not depend on SRV DNS records ages ago allowing it to be compatible with DNS resolution over Tor.
Many respectable apps like Conversations on Android don’t enable OMEMO by default either and do allow non-encrypted messages. But it is stupidly simple to request your conversation partner toggle it on. Your use of words such as “garbage” is too harsh and denigrating of other people’s hard work. It’s also not a fair assessment if you compare it to the other options in the FOSS private chat landscape.
As it stands today, dino is the only desktop app with a clean and usable interface and simple menu options that are readily understood. It is also highly compatible with jabber implementations on other platforms. I am in favor of including it by default in the stable Bookworm based release. Those who don;t like it are free to use something else.