Dino allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.
For sure there was my ticket at 666 (sadly not archived).
Not using onion connectivity support, not encrypting local messages/files, no encryption is enabled by default, no canceling of file transfer once initiated… etc. stupid stuff one after another.
I don't count this one. Also Thunderbird and most other applications don't encrypt their local data. That's much better done through use of FDE.
This is really sad indeed. dino-im unfortunately isn't designed as an encryption-by-default messenger such as for example Signal.
Signal has its own issues. And I am not suggesting to install Signal by default. Signal issues are mostly off-topic here. But at least Signal is encrypted by default without exception.
dino-im however is a jabber client. And it seems jabber itself wasn't designed as an encrypted-by-default protocol. Therefore not a big surprise that dino-im isn't encrypted by default either and therefore somewhat understandable that dino-im doesn't enable encryption by default.
Therefore dino-im (or perhaps even every jabber client) isn't near perfect or at least very good for good security and privacy.
IIRC they modified their app to not depend on SRV DNS records ages ago allowing it to be compatible with DNS resolution over Tor.
Many respectable apps like Conversations on Android don't enable OMEMO by default either and do allow non-encrypted messages. But it is stupidly simple to request your conversation partner toggle it on. Your use of words such as "garbage" is too harsh and denigrating of other people's hard work. It's also not a fair assessment if you compare it to the other options in the FOSS private chat landscape.
As it stands today, dino is the only desktop app with a clean and usable interface and simple menu options that are readily understood. It is also highly compatible with jabber implementations on other platforms. I am in favor of including it by default in the stable Bookworm based release. Those who don't like it are free to use something else.