General Safety Advice[edit]

Recommended knowledge: Modes of Anonymity.

Note: Most existing instant messenger protocols are unsafe from a privacy point of view. This is not a Whonix specific problem. It is a general problem with instant messengers.

Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols have encryption disabled by default, some do not support encryption at all. See also Overview about Pidgin protocols and their encryption features^[1]. If encryption to the server is enabled, the Tor Exit Node can no longer eavesdrop. This fixes one problem, however it also leaves another problem unresolved.

Even with encryption to the server enabled, the server could still gather interesting information. For example:

• Account names
• Buddy list (list of contacts)
• Log login dates and times
• Timestamp of messages
• Who communicates with whom
  • If the recipient knows the sender and the recipient uses a non-anonymous account or the recipient ever logged in without Tor, this can be used as a hint for determining who the sender is.
• Content of messages - Can be prevented using end-to-end encryption. This is covered in OTR encryption below.

Jabber/XMPP is a server-federation-based protocol designed with openness in mind. Its security depends on you making good use of OTR as you can never be sure if servers are properly encrypted between each other. Privacy with Jabber is limited, as it is visible to various kinds of attackers who your account is talking to. Tor only helps to pseudonymize your account and hide your current location, but your social graph may still expose your identity. For a good operational security guide on chatting anonymously see The Intercept's article.

Systems which do not require a server by design, i.e. serverless instant messengers are likely better from a privacy point of view. Such systems are #RetroShare and #Tox.

For IRC inside Whonix-Workstation, the Ident Protocol is automatically blocked because Whonix-Workstation is firewalled. The TorifyHOWTO/IrcSilc contains general IRC safety techniques and other tips.

Why prefer open protocols such as Jabber/XMPP over proprietary ones such as ICQ?

It is estimated that within 10 to 15 years, Quantum Computers will break today's common asymmetric public-key cryptography algorithms used for web encryption (https), e-mail encryption (GnuPG...), SSH and other purposes. See Post-Quantum Cryptography (PQCrypto).

Tor Messenger[edit]

Installation instructions.

Note on platform support: Qubes-Whonix users should use the 64-bit version. [2] Non-Qubes-Whonix users must use the 32-bit version. [3]

(1) Go to https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger#Downloads and download the Tor Messenger for Linux. Store it in /home/user/.

(2) Read https://www.torproject.org/docs/verifying-signatures.html.en and learn how to perform GPG verification.

(3) Go to https://www.torproject.org/docs/signing-keys.html.en to download the relevant GPG signing keys.

(4) Verify the Tor Messenger download.

(5) Navigate to /home/user/ with the file manger. Dolphin example: Dolphin -> View -> Show Hidden Files

(6) If the old version of Tor Messenger is still open, close it.

(7) Rename the old /home/user/tor-messenger_en-US to something else.

(8) Extract the Tor Messenger. Right click on the downloaded archive -> extract -> extract archive here

(9) Done.

(10) To start it, go to the /home/user/tor-messenger_en-US folder and double click start-tor-messenger. ^[4]

To clarify, this will not result in a Tor over Tor scenario when using Tor Messenger. Whonix has a mechanism to disable Tor stacking.

For usage instructions refer to this guide.

Usage of Tor Messenger in Whonix should not differ from usage of Tor Messenger outside of Whonix. Already pre-configured for Stream Isolation, no manual settings changes required.

Forum discussion

Ricochet IM[edit]

Ricochet IM^[5] is a new successor of the unmaintained TorChat.

It is a portable P2P python chat application that does not save chat history. It relies on Tor onion services for creating identities. Its encryption and authentication properties are as strong as Tor's. No metadata is ever collected because it is server-less. An OTF sponsored audit in early 2016 shows that there were a few minor problems (fixed since).^[6][7]

It is packaged in Debian backports. Whonix support is a work in progress.

RetroShare[edit]

RetroShare is not an anonymizing network, it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model.

RetroShare is in active development. Users can operate servers for themselves, but the architecture doesn't depend on them. Communications are encrypted end-to-end and provide for messaging, mail, forums, pubsub, file exchange and even telephony. The problems with RetroShare are the confused user interface, the necessity to have it run most of the time and contribute to the distributed hashtable (DHT, causing continuous CPU usage) and three relevant privacy aspects: You expose your social graph to a global passive adversary because friends connect to friends directly. Your public IP is available in the DHT, allowing to track your physical locations. And your visible user name is exposed in the TLS certificate when somebody connects to your RetroShare node.

Several of these problems can be solved by disabling the built-in DHT and hiding RetroShare behind a Tor hidden service. People who scan Tor hidden services will however still be able to connect the service and see the RetroShare user name in the self-signed certificate. This can be prevented by setting up Authenticated Hidden Services and limiting connections only to trusted people.

On November 4, 2014, RetroShare scored 6 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It lost a point because there has not been an independent code audit.^[8] A recent audit by the pen-testing group Elttam uncovered many bugs in the code (some remotely exploitable) that were promptly fixed. The auditor's opinion was that RetroShare's codebase lacked secure coding practice.^[9]

Running RetroShare through Tor enables you, to do things, which are normally potentially dangerous, such as adding random people (from a forum), while staying anonymous. (For example, to join a RetroShare forum.) This is not a recommendation, just stating a possibility. You can exchange your key on dedicated chat servers at: https://retroshare.rocks/

After adding tons of random "friends" from a public forum, connection to a very few people over TCP. ^{[10] [11]} Approximately only 5% were online. Although probably only a very small portion of the network could be seen, the content of the network looked pretty interesting.

RetroShare reports Right click -> DHT Details: NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD

There still may be some privacy caveats left with RetroShare trying to communicate outside of Tor, but that doesn't matter if Whonix makes any non-Tor traffic impossible.

Installation and Setup[edit]

WARNING: RetroShare packages are signed with weak 1024 bit keys. Until this is fixed we recommend using Ricochet IM with OnionShare instead.

Security warning: Adding a third party repository allows the vendor to replace any package on your system. Proceed at your own risk! See Foreign Sources for further information. For greater safety, users adding third party repositories should always use Multiple Whonix-Workstations to compartmentalize VMs with additional software.

RetroShare is currently available on Debian 7.0 Wheezy and 6.0 Squeeze for armel, armhf, i386 and amd64 architectures and for 8.0 Jessie.

Before adding the repo^[12], fetch the key and verify^[13] fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <home:AsamK@build.opensuse.org>
      Key fingerprint = E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91

Download key with curl to home folder.

curl -o retroshare-pubkey.asc http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.key

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint retroshare-pubkey.asc

If it looks good import into trusted.gpg.d.^[14]

gpg --no-default-keyring --keyring ./retroshare-pubkey.gpg --import retroshare-pubkey.asc
sudo cp retroshare-pubkey.gpg /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg

For stable builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"

For nightly builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/retroshare06-git.list"

Update the package lists.

sudo apt-get update

Install Retroshare.

sudo apt-get install retroshare06

For the latest nightly package name install retroshare06-git instead.

^[15]

RetroShare setup:

• • Pick a pseudonym and password. Don't use real name or location obviously. Move your mouse to generate enough entropy.

• • Check Advanced Options -> Create a hidden node

• • Change key-length to 4096 bits for adequate security then generate the new profile.

Configure[edit]

I2P[edit]

Follow the steps in this guide to connect to others over I2P.

Tor[edit]

INCOMPLETE - Depends on unimplemented features for Whonix^[16]

On your Whonix-Gateway.

If you want to read an introduction about hidden services and to learn about about hidden service security, see Hidden Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Hidden Services basics), see Hidden Services.

Open /etc/tor/torrc.

sudo nano /etc/tor/torrc

Add. ^[17]

HiddenServiceDir /var/lib/tor/retroshare/
HiddenServicePort 7812 10.152.152.11:<Local Address port>

Save.

Reload Tor.

sudo service tor@default reload

sudo service tor@default status

Active: active (running) since ...

sudo -u debian-tor tor --verify-config

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Reminder: To get your hidden service url.

sudo cat /var/lib/tor/retroshare/hostname

Reminder: Always backup the hidden service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.

/var/lib/tor/retroshare/private_key

sudo qvm-copy-to-vm vault /var/lib/tor/retroshare/private_key

/home/user/QubesIncoming/sys-whonix/private_key

Tox[edit]

Tox ^{[18] [19]} looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VOIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous. ^[20] Desktop and mobile client versions have been developed for every major OS platform. ^[21]

In the Tox design, users are assigned a public and private key, with direct connections being established in a peer-to-peer network. Users can message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl crypto library, via libsodium. ^{[22] [23]}. Tox helps to protect your privacy by: ^[24]

• Removing the need to rely on central authorities to provide messenger services
• Concealing your identity (in the form of meta-data, e.g. your IP address) from people who are not your authorized friends
• Enforcing end-to-end encryption with perfect forward secrecy as the default and only mode of operation for all messages
• Making your identity impossible to forge without the possession of your personal private key, which never leaves your computer

As at April 2017, the following secure (encrypted) features had been implemented: ^[25]

• Voice and video calls.
• Instant messaging.
• Desktop screen sharing / streaming.
• File sharing.
• Typing indicators.
• Message read-receipts.
• Profile encryption.
• Group messaging, voice and video conferencing.

Additional features can be implemented by any client, so long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. ^[26]

Tox Installation[edit]

Security warning: Adding a third party repository allows the vendor to replace any package on your system. Proceed at your own risk! See Foreign Sources for further information. For greater safety, users adding third party repositories should always use Multiple Whonix-Workstations to compartmentalize VMs with additional software.

Note: The following instructions will install the "qTox" graphical user client to your system. ^[27] To install the lightweight version with minimal dependencies ("uTox") or another Linux client like Ricin, Toxic or Toxygen, see here and here.

In the Whonix-Workstation (Qubes-Whonix: whonix-ws TemplateVM), open a terminal (Konsole).

Download the Tox repository release key. ^[28]

wget -nv http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_8.0/Release.key -O Release.key

Debian stretch, see footnote: ^[29]

Check the fingerprint before importing anything.

gpg --keyid-format long --with-fingerprint Release.key

Always check the fingerprint for yourself. ^[30]

At time of writing, the fingerprint was.

pub   rsa2048/F2AA0B1E5EF8303B 2014-09-04 [SC] [expires: 2019-01-21]
      Key fingerprint = 3EB5 027B 3CD8 D7CA AC30  EB6B F2AA 0B1E 5EF8 303B
uid home:antonbatenev OBS Project <home:antonbatenev@build.opensuse.org>

Convert the Tox signing key to a keyring that can be used by apt-get.

gpg --no-default-keyring --keyring ./tox-pubkey.gpg --import Release.key

Add the Tox signing key.

sudo cp tox-pubkey.gpg /etc/apt/trusted.gpg.d/tox-pubkey.gpg

Add the Tox apt repository. ^[31]

sudo sh -c 'echo deb http://download.opensuse.org/repositories/home:/antonbatenev:/tox/Debian_8.0/ / > /etc/apt/sources.list.d/qtox.list'

Update the package lists.

sudo apt-get update

Install qTox.

sudo apt-get install qtox

The Tox repository and qTox have now been installed.

TODO: Add instructions on how to use Tox with Stream Isolation without Tor over Tor.

Pidgin[edit]

Pidgin supports most protocols. However do not use it. It has a very bad security track record with many remotely exploitable bugs - a result of being written in C and containing many legacy protocols. There is no reason to use it when Tor Messenger is now available. ^[32]

IRC Client HexChat[edit]

See HexChat.

TorChat[edit]

Unfortunately, since time of writing (September 2015) TorChat can not be recommended. This is because the TorChat developer currently does not respond to other people, see TorChat issues. Communication and support is crucial for anonymity related projects. TorChat is an unofficial project. Unaffiliated with The Tor Project. A modern and maintained alternative is Ricochet IM.

In 2015 security analysis^[33] of TorChat protocol and its Python implementation was conducted. It was found that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.^[34]

Gajim[edit]

Add Debian Jessie Backports to repositories sources lists.

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Apt-pinning provides a safe mechanism to mix and match packages from different Debian repository branches without breaking your base distribution.

A higher pin priority ensures that apt will prefer the stable package version over any other when installing. Note that these files have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

sudo nano /etc/apt/preferences.d/debian-pinning.pref

DO NOT USE THIS AT THE MOMENT!

Until this is sorted out.

Paste.

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save and exit.

Update the package lists.

sudo apt-get update

Install gajim, gajim-omemo and gajim-httpupload.

sudo apt-get -t jessie-backports install gajim gajim-omemo gajim-httpupload

Deactivate gajim plugin installer / updater because it's not secure.

sudo dpkg-divert --add --rename /usr/share/gajim/plugins/plugin_installer/__init__.py

Start Gajim. From start menu or type in konsole.

gajim

Change the following settings for better security and privacy.

• Edit -> Accounts -> uncheck Save conversation logs for all contacts

• Preferences -> Status -> uncheck Away after ^[35]
• Preferences -> Status -> uncheck Not available after

• Preferences -> Advanced-> Privacy -> uncheck
  • Allow client / OS information to be sent
  • Allow local system time information to be sent
  • Log encrypted chat session
  • Allow my idle time to be sent

• Preferences -> Advanced-> applications -> Custom -> clear fields for Browser, Mail Client and File Browser ^[36]

• Preferences -> Advanced -> global proxy -> Tor
• Preferences -> Advanced -> global proxy -> mange -> Tor -> check Use proxy authentication -> set username to gajim -> set password to gajim ^[37]

For Gajim to e installed by default in Whonix, there is more work TODO, see Dev/Gajim.

Other Software[edit]

If it is not listed here, it for now is recommended against. You can search Whonix forums to see if that chat client has been discussed in past or if you think a privacy respecting chat client is missing on this page.

https://forums.whonix.org/t/client-server-instant-messengers-im-oct-2016

Footnotes / References[edit]

1. ↑ http://archive.is/8w0Zf
2. ↑ Qubes-Whonix is 64-bit by default. The 32-bit version should also work, but is not worth bothering with.
3. ↑ Until Whonix 14, the default download version of Whonix is 32-bit. Therefore, 64-bit software won't run unless Whonix is built from source code.
4. ↑ Or type in a terminal.
   [select code]

   {{{path_installed}}}/{{{starter}}}

   {{{path_installed}}}/{{{starter}}}
5. ↑ https://ricochet.im/
6. ↑ https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf
7. ↑ https://en.wikipedia.org/wiki/Ricochet_(software)
8. ↑ https://www.eff.org/secure-messaging-scorecard
9. ↑ https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scorecard-pt1/
10. ↑ Chance of working better (untested): Tunnel UDP over Tor.
11. ↑ Note, in case you are using the previous footnote, Other Anonymizing Networks over Tor UDP Tunnel applies.
12. ↑ http://retroshare.sourceforge.net/downloads.html
13. ↑ http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.gpg
14. ↑ To import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
15. ↑ RetroShare .deb Packages installation instructions from RetroShare's third party repository
16. ↑ https://github.com/RetroShare/RetroShare/issues/356
17. ↑ Arbitrary choice of port to avoid conflicts with custom RetroShare setups.
18. ↑ https://wiki.tox.chat/users/faq#what_is_tox
19. ↑ https://tox.chat
20. ↑ https://wiki.tox.chat/users/tox_over_tor_tot
21. ↑ https://wiki.tox.chat/clients
22. ↑ http://nacl.cr.yp.to
23. ↑ Tox employs curve25519 for its key exchanges, xsalsa20 for symmetric encryption, and poly1305 for MACs. https://tox.chat/faq.html
24. ↑ https://tox.chat/faq.html
25. ↑ Depending on the mobile / desktop client in use.
26. ↑ https://en.wikipedia.org/wiki/Tox_(software)
27. ↑ This repository is directly referenced on the Tox Download webpage, see: https://software.opensuse.org/download.html?project=home%3Aantonbatenev%3Atox&package=qtox Anton Batenev is a Tox developer.
28. ↑ For later Whonix releases based on Debian Stretch, replace "Debian_8.0" with "Debian_Stretch".
29. ↑
    [select code]

    wget -O - http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_Stretch/Release.key

    wget -O - http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_Stretch/Release.key
30. ↑ The list of GPG fingerprints currently in use by qTox developers can be referenced at https://github.com/qTox/qTox
31. ↑ For later Whonix releases based on Debian Stretch, replace "Debian_8.0" with "Debian_Stretch".
32. ↑ https://pidgin.im/news/security/
33. ↑ Security Analysis of Instant Messenger TorChat
34. ↑ https://en.wikipedia.org/wiki/TorChat#Security
35. ↑ To prevent needlessly leaking your activity to the server.
36. ↑ For better security, we better do not risk automatically starting these applications from the chat client.
37. ↑ To get Stream Isolation.

License[edit]

Whonix Chat wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chat wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

https | (forcing) onion
Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)