Is there any solution for XMPP clients via Whonix or Qubes?

drhall · 2018-09-08 20:50:21 UTC

According to Whonix’s wiki, Tor Messenger has been deprecated and should therefore no longer be used with Whonix. On the same page, no XMPP client is suggested.

Is there any way (running a chat client from a stick?, for example) that XMPP could be used through Whonix or Qubes in a safe way? Yes, it is not decentralized, but that doesn’t mean Whonix isn’t safe since of course the servers that hold the XMPP communications have nothing to do with Whonix.

I’d also like to know, if anyone is willing to share, what chat client would be safest to use via Whonix and Qubes? The same Whonix wiki suggests CoyIM, but in the comments therein people criticize it as not being up to the job. I’d like to use XMPP but also to have an alternative that is not centralized. Tox is nice but then it doesn’t really do much in the way of obfuscating one’s IP. If it’s through Whonix that problem is of course solved but still. Ricochet IM I’ve never tried but apparently, like Tox, it’s another P2P. Not sure if wireshark would help identify IP addresses.

Anyways, the most important for now, at least for me, is figuring out an XMPP client that works in Whonix and that is as safe as any other XMPP client.

Thank you for reading and for any help you might offer!!

tempest · 2018-09-08 23:25:54 UTC

this is an issue that has resulted in me struggling for over a year. there are a number of xmpp clients that each come with significant setbacks:

pidgin: works as expected. otr is easy enough to install in it through apt-get. however, it has the potential to be exploited remotely with quite negative results.

gajim: largely works as expected. however, i’ve had some weird instances where the config file changes for no reason that i can determine other than that i added new accounts at some point in the chain. additionally, there does not appear to be working otr plugin for it at the moment. thus, your only option is omemo. the omemo plugin, over the past few weeks of experimentation, has not worked consistently. whether that is a gajim issue, or something to do with running it in a vm with memory constraints, is something i haven’t determined yet.

coyim: this one is very easy to use and has potential. however, it will not be supporting the omemo protocol. it will only support otr. also, at the moment, it is simply to light on features to be good for a persistent account that is known publicly due to the fact that it will display messages sent to you by anyone. there is not yet a control in place to only receive messages from accounts in your contact list.

i’m reaching a point where i may just keep the guide i’m working on with pidgin for now. the tails project still uses pidgin. however, this is not ideal. sadly, this is the state we’re currently in when it comes to xmpp clients. there seems to be some potential for some. but nothing is particularly ideal at the moment for relatively vanilla xmpp communications that are encrypted by default.

drhall · 2018-09-10 16:45:04 UTC

Thank you for sharing your knowledge! I’m curious, do you know if Coyim currently works with OTR? Or is it merely something they are considering implementing, or maybe that one has to implement oneself?

Thank you

goldstein-otg · 2018-09-11 13:42:53 UTC

https://coy.im/what-is-coyim/

It also has built-in support for Tor, OTR and TLS

tempest · 2018-09-15 05:20:34 UTC

coyim is one of the easiest clients i’ve used to get up and running with tor and otr. so, yes, it works with otr from the start.

drhall · 2018-09-15 19:49:51 UTC

Thank you to both @goldstein-otg and @tempest for the info, that helps! One last question, if I may, although I’ll be looking into it as well of course: are there any major known security flaws or security features that should be handled with care? For example I know a lot of people love Tox but a lot of people don’t know that it was never actually designed to hide a user’s IP address. Of course a bit of reading up on it reveals such but as an example you can understand how important it is to know if one is worried about their security or the like.

Anyways, looking into it, so thank you again!!

tempest · 2018-09-21 16:29:22 UTC

i’ve only played with tox minimally. it was all through the whonix workstation and, therefore, concerns about my ip address being revealed were not present. however, i was not testing anything leak related. i was simply curious about the various clients.

at the moment, i don’t believe there is any tox client in the debian repos. thus, i have not given it a lot of attention.