dino-im messenger

Not surprising security issue CVE-2023-28686

Dino allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.


Now that Debian bookworm is out and Whonix being ported to it as we speak, what should happen with this ticket?

In my opinion just nothing, just keep Dino-IM out of any default installation. It's a garbage app/development, but whoever needs it can install it.

Patrick via Whonix Forum:

Could this list be updated please?

//cc @IMV

What specifically?

#115, #666 (did they delete it?)… all of the above tickets were either kept open or closed as won't fix.

Link works for me.

There was such a ticket? They're only at ticket number 495.

I didn't notice any.

So your major complaint is missing onion connectivity support?

This ticket at 844

for sure there was my ticket at 666 (sadly not archived).

Not using onion connectivity support, not encrypting local messages/files, no encryption enabled by default, no canceling of a file transfer once initiated… etc. Stupid stuff one after another.

Ok.

I don't count this one. Also Thunderbird and most other applications don't encrypt their local data. That's much better done through use of FDE.

This is really sad indeed. dino-im unfortunately isn't designed as an encryption-by-default messenger such as, for example, Signal.

Signal has its own issues. And I am not suggesting to install Signal by default. Signal issues are mostly off-topic here. But at least Signal is encrypted by default without exception.

dino-im however is a jabber client. And it seems jabber itself wasn't designed as an encrypted-by-default protocol. Therefore it is not a big surprise that dino-im isn't encrypted by default either, and it is somewhat understandable that dino-im doesn't enable encryption by default.

Therefore dino-im (or perhaps even every jabber client) isn't near perfect, or at least very good, for good security and privacy.


IIRC they modified their app to not depend on SRV DNS records ages ago allowing it to be compatible with DNS resolution over Tor.

Many respectable apps like Conversations on Android don't enable OMEMO by default either and do allow non-encrypted messages. But it is stupidly simple to request that your conversation partner toggle it on. Your use of words such as "garbage" is too harsh and denigrating of other people's hard work. It's also not a fair assessment if you compare it to the other options in the FOSS private chat landscape.

As it stands today, dino is the only desktop app with a clean and usable interface and simple menu options that are readily understood. It is also highly compatible with jabber implementations on other platforms. I am in favor of including it by default in the stable Bookworm based release. Those who don't like it are free to use something else.


Is this still an actual task? I apologize for the delay.


Yes.


Ok, I'll try to check Dino again.

Is there any update? Dino looked promising at a glance, but I don't like the attitude of the developers at all.

That's why there is no update.