Delist Ricochet

[Mikaela]

Description

Resolves: #781

Ricochet's development appears to be stopped and in the linked issue I proposed replacing it with Cwtch where I understand the development to continue. However there @blacklight447-ptio said that it's not in usable state and proposed replacing it with Briar instead, which we list as worth mentioning, so I think Ricochet was forgotten.

How long is Ricochet going to stay secure if it's unmaintained? Are users going to follow the instructions to update Tor binary? Are users going to follow Tor's releases and keep the Tor binary up-to-date? I think keeping it listed is a disaster waiting to happen.

Also Tor is misspelled as TOR in our description which in my opinion looks bad and if we won't delist it, we should fix that. I don't know if the misspelling looks like a warning to stay away though, so maybe it can be positive.

[netlify]

Deploy preview for privacytools-io ready!

Built with commit 953d8c3

https://deploy-preview-1135--privacytools-io.netlify.com

[netlify]

Deploy preview for privacytools-io ready!

Built with commit db46562

https://deploy-preview-1135--privacytools-io.netlify.com

[nitrohorse]

LGTM

[jonaharagon]

I was under the impression Ricochet was still safe if the Tor binary was updated. It also doesn’t appear to be completely dead, it looks like development is just more focused on the protocol than the actual client.

[nitrohorse]

I was under the impression Ricochet was still safe if the Tor binary was updated. It also doesn’t appear to be completely dead, it looks like development is just more focused on the protocol than the actual client.

Based on the open issues and PRs it sure looks unmaintained. Hmm... some digging...

The reason I am reluctant to add anyone to the github team is because I know the issues that lurk in the codebase, and the amount of work required to fix them - rolling out a new legacy ricochet release with a new tor version won't fix those problems - a new release without those gives users a false sense of security.

If there truly is desire to revive the old ricochet, I would strongly encourage you to redo both the authentication protocol and the regex handling - both are currently a source of legacy issues, and known vulnerabilities - neither are trivial to fix but If there are secure PRs for those submitted I will try and find time to review & merge them.

If there really is willingness and effort to fund work /input energy into metadata resistant communications, I would ask you to deeply consider joining us to move Cwtch forward rather than investing effort into reviving the original Ricochet.

ricochet-im/ricochet#600 (comment)

In addition to Cwtch it looks like some of the community has moved to https://ricochetrefresh.net/.