Recommended private chats and social networks for Whonix

Updated the image from user01. It seems that this pic will soon be the avatar of the Instant Messenger Chat page.


2 Likes

User01’s meme turned out to be prophetic. Death is knocking at XMPP’s door - I didn’t know that XMPP uses encryption that is either so outdated or experimental and not recommended in the newer versions (where an outdated encryption standard is also used): Using SimpleX over XMPP (OMEMO) - #18 by nani. It feels like death has come because the project itself will soon die of old age. I will note these issues in the wiki. This could be important information for new users. I wasn’t aware of this before.

1 Like

This user pointed out the issue of current XEPs for Whonix Long Wiki Edits Thread - #2302 by FranklyFlawless
However, all current XEPs are marked as experimental (for testers). It’s a complex question whether it’s better to use very old versions that are 5-7 years outdated or new, untested ones. It can be compared to Debian buster and Debian sid. Especially considering that the last audit of OMEMO was 9 years ago.

1 Like

I will add an “End-to-end encryption (E2E) protocol” section to the table and publish the protocol name and version. For example, OMEMO v0.3.0, Tapir Protocol v0.2.1, SimpleX Messaging Protocol (SMP) v9… and will add links.

1 Like

Another dangerous problem is connecting an account through a mobile client. If a malicious actor compromises the mobile device, they will be able to gain access to the conversation history in the desktop client.

Not anonymity specific. Belongs in the Kicksecure wiki. Could even be a dedicated bullet point.

2 Likes

Breaking News! Journalists have linked Telegram to Russian intelligence services! Traffic on Telegram servers is processed by Russian companies working for the intelligence services.

With all due respect, that’s not news. :smile:

1 Like

Dunno if that is a reliable source. I’d like to see commentary on that specifically by security researcher(s) before considering that in the wiki.

1 Like

And what if we add these links?
This is a blog by a well-known security expert

and

This can be written as: ‘Journalists have established a possible connection between Telegram and Russian intelligence agencies.’

1 Like

I think there’s no specific reason to pick on Telegram.

No strong technical argument can be made against Telegram that cannot also be made against IRC, Matrix, etc.

If there’s any remote server anywhere in the cloud, assume there’s a chance for a secret NSL or other legal or country equivalent; assume surveillance or even active attacks by any adversary whatsoever (criminals, etc.) and act accordingly.

This could be turned into a generalized decentralization wiki page that explains the dangers of centralized, federated servers and explains the advantages of decentralized, serverless designs.

1 Like

But it’s stated here that control over the router and Telegram traffic analysis is handled by companies that install and maintain equipment for special services, and this equipment is used for surveillance. In the investigation, court documents and government contracts are cited. I think this is no longer just a theory. It’s as if an investigation revealed that the Signal traffic is processed by a company linked to the NSA and CIA. I would mention this.

1 Like

But what is the technical significance? Does this change any user recommendations? Is it OK to use IRC because there are no such reports versus Telegram?

In both cases it’s reasonable to assume surveillance of the servers.

How deep shall server policy review go? Now, there’s a lot of disdain for Telegram. Next, potentially XMPP, then Signal, etc. That’s a lot of burden to review and adds distraction from the main project focus, which isn’t deep investigations into server security of centralized servers.

Hence, I’d like to shortcut the effort with a generalized wiki page decentralization. Then each affected application (not limited to chat) could have a wiki template with a red warning box “Centralized server!” Then we can warn against any centralized server design without needing to have strong evidence for the specific centralized server being compromised.

2 Likes

Okay Patrick, great idea. Thanks.

I think we’ve done a great job and have enough information for now. I’ll only add info after major updates in the messengers. Indeed, overloading the wiki distracts you from developing Whonix. And I really love the new updates and features in Whonix and Kicksecure) Thank you!

2 Likes

In my opinion, there are actually NO public secure messengers and social networks on the Internet that can be easily used with Tor. The main difficulty is that their internal security systems don’t allow Tor users to sign up for their products. If you try to create a new account on Telegram or Instagram using a Tor exit node with a disposable phone number, these security systems will just ban your attempts to sign up. A user can try to use a User -> Tor -> VPN/Proxy -> Destination server scheme, though it is not guaranteed that security systems will not detect ‘suspicious activity’.

The safest way to communicate privately is to set up your own XMPP server with encryption on it. But the main question is… who are you going to communicate with? You won’t be able to communicate with many people around the world as very few people use Jabber.

1 Like

Exactly. So the real question is threat model. Do you really need your DMs to yoga_pants_mom37 encrypted?

I wrote something a while back that would auto-generate encrypted TrueCrypt containers with hidden volumes and place written text inside. You just share the key or key-file with your counterpart, and the script automatically decrypts and displays the messages. Possible via mail or tunnel.

Really just depends on the risk level. But sharing Iranian missile intel on Telegram is pretty much convention now. :smile:

1 Like