This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

🆕 Software Suggestion | Replace Ricochet with Cwtch? #781

Closed
Mikaela opened this issue Mar 16, 2019 · 8 comments · Fixed by #1135

Comments

@Mikaela
Contributor

Mikaela commented Mar 16, 2019

Basic Information

Name: Cwtch
Category: Encrypted Instant Messenger
URL: https://cwtch.im/ (source: https://git.openprivacy.ca/cwtch.im/cwtch)

Description

I get the impression that it's the continuation of Ricochet, of which there is a lot of discussion in the closed pull request to remove it in https://github.com/privacytoolsIO/privacytools.io/pull/476 and especially in the open issue to add a warning to update the shipped Tor binary onto it https://github.com/privacytoolsIO/privacytools.io/issues/474.

@blacklight447
Collaborator

Interesting, tried it out but it still seems in early alpha and not ready for practical use yet. What about Briar? Maybe that's a replacement.

@Mikaela
Contributor Author

Mikaela commented Apr 30, 2019

I think Briar is an Android app and currently has no way to add contacts who aren't physically in the same space, while Ricochet and Cwtch are desktop apps, so it wouldn't work as a replacement in my opinion.

@blacklight447
Collaborator

@Mikaela There is already a headless client in the works, btw. But they are currently focused on the remote contacts feature, which I predict should be ready sometime this year. After that, Briar will become a very interesting project to follow, as it will provide e2e encryption, will be peer-to-peer, so have no server to seize, and will hide almost all metadata because everything hides inside the Tor network (so exit nodes are not a problem either).

@blacklight447 added the "Tor" label (Anything covering the Tor network) on May 21, 2019
@blacklight447
Collaborator

Update: Briar remote contacts are now in alpha and expected to release at the end of next month.

@odiferousmint

odiferousmint commented Sep 30, 2019

Cwtch is commonly associated with Ricochet, but I think it would be worth noting that their primary focus seems to be group chat and whatnot. I am not entirely sure that they are NOT willing to sacrifice security for these features. Additionally, it is written in Go, which uses a garbage collector, and they do not seem to be using a Go library named memguard[1] to protect against accidental memory leaks among other issues. Perhaps one of their developers will read this message and consider using memguard extensively in Cwtch, but even then, developers of Go's cryptographic library have no intention of doing that anytime soon[4]. In fact, they are copying/passing sensitive data all over the place like there is no tomorrow. For anyone interested in the security details of all this, do grab Cryptography Engineering: Design Principles and Practical Applications by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno[5], and read chapter 8, Implementation Issues (I).

As far as Ricochet is concerned, at a quick glance, one of the security issues is the use of RSA1024[2] instead of ED25519-V3[3].

[1] https://github.com/awnumar/memguard
[2] https://github.com/ricochet-im/ricochet/blob/master/src/tor/AddOnionCommand.cpp#L56
[3] https://github.com/torproject/torspec/blob/master/control-spec.txt#L1608
[4] golang/go#25355 (comment)
[5] https://www.schneier.com/books/cryptography_engineering/

@Mikaela
Contributor Author

Mikaela commented Oct 1, 2019

I am currently somewhat low energy and cannot go into your comment in great detail, but do you think Cwtch would be worth considering as a worth mentioning team chat application?

@odiferousmint

odiferousmint commented Oct 1, 2019

> I am currently somewhat low energy and cannot go into your comment in great detail, but do you think Cwtch would be worth considering as a worth mentioning team chat application?

Yes, definitely! The mentioned "shortcomings" can be fixed, and I personally like their threat model. I would like to clarify that my suspicion regarding sacrificing security for group chat and whatnot is unfounded. It might not be the case at all. All I am saying is that people should exercise caution. They did note on their website that it is still an experimental prototype and that it should not be used where security, privacy, or anonymity is critical. In any case, I believe people should know about Cwtch's existence; I would like to see more developers working on it. It absolutely has great potential!

What I disagree with is referring to Cwtch as a replacement of Ricochet. Ricochet is still a good choice today, and unlike Cwtch, it has been audited[1]. Moreover, according to Secushare, it is "probably the best choice at this given moment in time as it protects metadata and is very easy to install"[2] for desktops.

[1] https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf
[2] https://secushare.org/comparison

@blacklight447
Collaborator

Cwtch is still really alpha software though.
