Gajim is a python based XMPP + OTR instant messenger. Its more secure compared to the complex libpurple partly because its written in a memory safe language and supports one protocol instead of a dozen.
https://micahflee.com/2013/02/using-gajim-instead-of-pidgin-for-more-secure-otr-chat/
Should gajim be bundled with Whonix? I think so because its good for convenience and usability. Stream isolation is a good thing to have by default.
Sounds good overall, but its OTR plugin is not packaged for Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722130
According to the comments on your link, I am also not sure it supports socks proxy settings for stream isolation.
Seems the situation has improved since?
OMEMO support has been added at least though I don’t know if stretch has it.
The last reply to this topic was 917 days ago.
A lot has changed since.
omemo is available for gajim and installable from jessie backports.
Just now documented gajim.
https://www.whonix.org/wiki/Chat#Gajim
Is gajim still advisable or are there any deal breakers?
There is some TODO bullet points at the bottom. Most of them require contacting Debian or gajim upstream. Could you please work on that?
Yes its all good. I’ll look into the todo list.
Socks5 support has been implemented for a decade:
https://dev.gajim.org/gajim/gajim/issues/799#note_153489
Tor DNS resolution support status is “patches welcome”. Python libs have limited ability to to tricks with DNS routing. I think this is potentially a problem with every other IM software that is not Tor Messenger.
https://dev.gajim.org/gajim/gajim/issues/8538
It installs its config in: /home/user/.config/gajim/config I’m not sure that’s useful without .d style support. If this is figured out
accounts.Local.log_encrypted_sessions = True
plugins.plugin_installer.active = True
could be set to False.
The plugininstaller is annoying and actively pushes users to update and install code over CA TLS which is broken in our threat model.
The DNS problem can be considered a “protocol leak” but in the context this page describes this (using the bittorrent example), its not relevant Whonix since it can’t leak that info.
Its up to you if you want to go forward with this given this info.
Worth going forward. I see potential in gajim that we could one day install it by default.
Answered in a separate thread.
https://forums.whonix.org/t/should-strict-stream-isolation-by-a-requirement-in-whonixs-default-appliation-policyRight. As a short term unclean solution: This is currently documented on how to disable it. This solution could also be automated in the security-misc package.
sudo dpkg-divert --add --rename /usr/share/gajim/plugins/plugin_installer/__init__.py
Long term clean solution todo: Debian feature request to ship the gajim plugin-installer plugin in a separate Debian package
Added another todo: feature request for .d config folder support
Sounds good.
Also can gajim be turned into stream isolation compliant by using uwt or bindp?
It depends somewhat on this TODO:
check if above makes sense - gajim might intelligently set a Tor socks user name per account already and manually setting a user name might worsen that
Depends on what upstream answers. Does Gajim set the socks user name different per account? If it does, torsocks might kill the DNS leak, but would also kill the per account socks user name isolation.
torsocks can only be a solution, if it’s known that the application is known to play well with torsocks, i.e. long term tested, mentioned in TorifyHOWTO, audited by somene. This is not the case with gajim.
uwt is just automating torsocks. Cannot surpass torsocks in terms of leak prevention. The first question to ask isn’t uwt, but torsocks.
bindp is only useful for applications using incoming Tor hidden services, that are opening local listeners on localhost 127.0.0.1 that should rather listen on eth0.
Thanks for explaining. Its worth adding this to the wiki design docs if it isn’t in there already.
I found more links on gajim socks support. I don’t know if this changes anything.
Scroll to the bottom of this page:
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging
Doesn’t change anything.
Looks like https://dev.gajim.org/gajim/gajim/issues/7026 is already implemented.
I knew https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging.
My god … can anyone tell me the instruction in the documentation for whonix is suitable? I can just do what’s written there step by step and everything?
Preferences -> Advanced -> global proxy -> mange -> Tor -> check Use proxy authentication -> set username to gajim -> set password to gajim/
It means that I have to write there my nickname, which I use for communication? And the password I used to register on the jabber server for this nickname?
How to change the language?
No. As it says. Set to gajim.
Some developments on the DNS leaks in Gajim including patches by Jeremy Rand: https://dev.gajim.org/gajim/gajim/issues/8538
Meanwhile I have a suggestion on how Gajim’s traffic can be forced to use stream isolation. What if it is installed under its own user account and then you can use bindp to force all traffic for that user over its own isolated stream? Does that make sense? Can it fix things?
Another idea is to setup a local DNS server to forward requests to the port that we want (for the gajim user specifically). In that case you must be careful to disable caching so requests don’t stand out.
Other ideas in the same area: using lxc containers, namespaces or apparmor profiles to manipulate per application network settings.