Did anyone noticed that psi plus leaks info about operation system? If you add contact to your roster and auth it on the other side user info will be looks like “Using: Psi+ 0.16.330 (2014-04-05) / Whonix GNU/Linux 8.6 (jessie)”. Does anyone worried about it? Does anyone know how can I turn this psi “feature” off? Or at least to give less info about me.
Use privacy friendly software like Tor Messenger which is designed not to leak stuff like that.
1 Like
It’s obvious way to use privacy friendly software like Tor Messenger and so on. But you can’t make your contacts using it. So what xmpp+otr client is recommended?
The problem is Psi implementation “XEP-0092: Software Version”. By XEP this feature should be optional, but by Psi implementation - is not. So one of the possible Whonix workarounds is to modify /usr/bin/lsb_release. For example in such way (indent lost):
…
if options.description or options.all:
if short:
# print(distinfo.get(‘DESCRIPTION’, ‘n/a’))
print(‘Windows 7’)
else:
print(‘Description:\t%s’ % distinfo.get(‘DESCRIPTION’, ‘n/a’))
if options.release or options.all:
if short:
# print(distinfo.get(‘RELEASE’, ‘n/a’))
print(‘7’)
…
May be it will break some automatic release detection distro features (apt?), but it works.
It’s obvious way to use privacy friendly software like Tor Messenger and so on. But I can’t make my contacts using it. So what xmpp+otr client do you recommend? Or how can I disable psi leaking feature?
Not worth the effort. You just found an obvious leak. Either an application gets an in-depth privacy review and fixes or fixing one obvious leak and not being aware of other leaks is actually worse.
I don’t think there is one recommended for your use case where you have to connect to legacy networks.
Perhaps look into jabber transports? Server based services that build a bridge between jabber and legacy networks.
What do you mean “legacy networks”? Is xmpp legacy proto? What “privacy friendly software” could provide bridge to jabber network?
Anyway, I found a the simplest solution to “Psi+ OS info leaks”. You should enable “Client Switcher Plugin” in Options->Plugins menu. Than you could choose whatever you want to show like OS, client version etc. No need to touch /usr/bin/lsb_release. My bad, I had to be careful.
Ha, maybe I shouldn’t call icq, msn and such legacy networks. Anyhow, no xmpp isn’t a legacy network
No software. Use Tor Messenger to use xmpp. Then use some jabber transport. It’s not software running on your computer. It’s a gateway. It’s like connecting to some special jabber server or joining a special jabber room and then the server automagically lets you sign in and use “legacy” (other privacy hostile popular protocols than xmpp). Finding such as transport using search engines was left as an exercise to the reader.
As said, you found one problem, but you don’t know what other privacy issues there are with psi. So we strongly recommend against using it.
Sorry I didn’t know that tor messenger is just another xmpp client software with otr. I thought it using another protocol. Thats why there were strange talks about jabber transport I think. BTW Psi is xmpp-only client.
Tor Messager advantages are:
- tor-integrated - whonix is already tor-integrated, so count out
- “to be secure by default”. Privacy friendly. May be. But it is small and yong project. Beta. In the simplest case, bugs. It’s not even included in the repository. Where is TM/instantbird in-depth privacy/security review? On the words?
But on the other side: limited functionality and adjustability. For my Whonix configuration (vpn over tor) it basicly doesn’t work at all (may be there is internal tor check or some stuff like that, didn’t digging. “No proxy” setting like for TBB doesn’t work).
So imho TM is like “bundle” for easily tor messaging. No need to configure it - perfectly for novice user.
Also I think pre-configuration and sanboxing (apparmor mb) are the best solution for “not privacy oriented” software like Psi etc.
Yes, instant bird (on which Tor Messenger) is based on was extensively discussed and audited by torproject. Search terms:
site:torproject.org instantbird
site:torproject.org instantbird audit
Not in repository isn’t a good metric. TBB is also not in repository and how much work has flown into privacy fixes is undeniable.