General Safety Advice[edit]

Recommended knowledge: Modes of Anonymity.

Note: Most existing instant messenger protocols are unsafe from a privacy point of view. This is not a Whonix specific problem. It is a general problem with instant messengers.

Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols have encryption disabled by default, some do not support encryption at all. See also Overview about Pidgin protocols and their encryption features^[1]. If encryption to the server is enabled, the Tor Exit Node can no longer eavesdrop. This fixes one problem, however it also leaves another problem unresolved.

Even with encryption to the server enabled, the server could still gather interesting information. For example:

• Account names
• Buddy list (list of contacts)
• Log login dates and times
• Timestamp of messages
• Who communicates with whom
  • If the recipient knows the sender and the recipient uses a non-anonymous account or the recipient ever logged in without Tor, this can be used as a hint for determining who the sender is.
• Content of messages - Can be prevented using end-to-end encryption. This is covered in OTR encryption below.

Jabber/XMPP is a server-federation-based protocol designed with openness in mind. Its security depends on you making good use of OTR as you can never be sure if servers are properly encrypted between each other. Privacy with Jabber is limited, as it is visible to various kinds of attackers who your account is talking to. Tor only helps to pseudonymize your account and hide your current location, but your social graph may still expose your identity. For a good operational security guide on chatting anonymously see The Intercept's article.

Systems which do not require a server by design, i.e. serverless instant messengers are likely better from a privacy point of view. Such systems are #RetroShare and #Tox.

For IRC inside Whonix-Workstation, the Ident Protocol is automatically blocked because Whonix-Workstation is firewalled. The TorifyHOWTO/IrcSilc contains general IRC safety techniques and other tips.

Why prefer open protocols such as Jabber/XMPP over proprietary ones such as ICQ?

It is estimated that within 10 to 15 years, Quantum Computers will break today's common asymmetric public-key cryptography algorithms used for web encryption (https), e-mail encryption (GnuPG...), SSH and other purposes. See Post-Quantum Cryptography (PQCrypto).

RetroShare[edit]

RetroShare is not an anonymizing network, it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model.

RetroShare is in active development. Users can operate servers for themselves, but the architecture doesn't depend on them. Communications are encrypted end-to-end and provide for messaging, mail, forums, pubsub, file exchange and even telephony. The problems with RetroShare are the confused user interface, the necessity to have it run most of the time and contribute to the distributed hashtable (DHT, causing continuous CPU usage) and three relevant privacy aspects: You expose your social graph to a global passive adversary because friends connect to friends directly. Your public IP is available in the DHT, allowing to track your physical locations. And your visible user name is exposed in the TLS certificate when somebody connects to your RetroShare node.

Several of these problems can be solved by disabling the built-in DHT and hiding RetroShare behind a Tor onion service. People who scan Tor onion services will however still be able to connect the service and see the RetroShare user name in the self-signed certificate. This can be prevented by setting up Authenticated Onion Services and limiting connections only to trusted people.

On November 4, 2014, RetroShare scored 6 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. It lost a point because there has not been an independent code audit.^[2] A recent audit by the pen-testing group Elttam uncovered many bugs in the code (some remotely exploitable) that were promptly fixed. The auditor's opinion was that RetroShare's codebase lacked secure coding practice.^[3]

Running RetroShare through Tor enables you, to do things, which are normally potentially dangerous, such as adding random people (from a forum), while staying anonymous. (For example, to join a RetroShare forum.) This is not a recommendation, just stating a possibility. You can exchange your key on dedicated chat servers at: https://retroshare.rocks/

After adding tons of random "friends" from a public forum, connection to a very few people over TCP. ^{[4] [5]} Approximately only 5% were online. Although probably only a very small portion of the network could be seen, the content of the network looked pretty interesting.

RetroShare reports Right click -> DHT Details: NET WARNING No DHT; Behind NAT UNKNOWN NAT STATE MANUAL FORWARD

There still may be some privacy caveats left with RetroShare trying to communicate outside of Tor, but that doesn't matter if Whonix makes any non-Tor traffic impossible.

Installation and Setup[edit]

WARNING: RetroShare packages are signed with weak 1024 bit keys. Until this is fixed we recommend using Ricochet IM with OnionShare instead.

Security warning: Adding a third party repository allows the vendor to replace any package on your system. Proceed at your own risk! See Foreign Sources for further information. For greater safety, users adding third party repositories should always use Multiple Whonix-Workstations to compartmentalize VMs with additional software.

RetroShare is currently available on Debian 7.0 Wheezy and 6.0 Squeeze for armel, armhf, i386 and amd64 architectures and for 8.0 Jessie.

Before adding the repo^[6], fetch the key and verify^[7] fingerprints. Always check the fingerprint for yourself. The output at the moment is:

pub  1024D/0x9418A47921691F91 2011-08-16 home:AsamK OBS Project <home:AsamK@build.opensuse.org>
      Key fingerprint = E2CE 3677 C801 5772 D097  B0AA 9418 A479 2169 1F91

Download key with curl to home folder.

curl -o retroshare-pubkey.asc http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.key

Check fingerprints/owners without importing anything.

gpg --keyid-format long --with-fingerprint retroshare-pubkey.asc

If it looks good import into trusted.gpg.d.^[8]

gpg --no-default-keyring --keyring ./retroshare-pubkey.gpg --import retroshare-pubkey.asc
sudo cp retroshare-pubkey.gpg /etc/apt/trusted.gpg.d/retroshare-pubkey.gpg

For stable builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/sources.list.d/retroshare06.list"

For nightly builds:

sudo su -c "echo -e 'deb http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/ /' > /etc/apt/retroshare06-git.list"

Update the package lists.

sudo apt-get update

Install Retroshare.

sudo apt-get install retroshare06

For the latest nightly package name install retroshare06-git instead.

^[9]

RetroShare setup:

• • Pick a pseudonym and password. Don't use real name or location obviously. Move your mouse to generate enough entropy.

• • Check Advanced Options -> Create a hidden node

• • Change key-length to 4096 bits for adequate security then generate the new profile.

Configure[edit]

I2P[edit]

Follow the steps in this guide to connect to others over I2P.

Tor[edit]

INCOMPLETE - Depends on unimplemented features for Whonix^[10]

On your Whonix-Gateway.

If you want to read an introduction about onion services and to learn about about onion service security, see Onion Services.

If you also want to run a hidden web server on the same .onion domain (nice for testing and learning Onion Services basics), see Onion Services.

For Whonix 14 and later releases, all unique Tor configurations should be stored in /usr/local/etc/torrc.d/50_user.conf. Users should not edit /etc/tor/torrc directly.

Open /etc/tor/torrc.

sudo nano /etc/tor/torrc

Add. ^[11]

HiddenServiceDir /var/lib/tor/retroshare/
HiddenServicePort 7812 10.152.152.11:<Local Address port>

Save.

Reload Tor.

sudo service tor@default reload

sudo service tor@default status

Active: active (running) since ...

sudo -u debian-tor tor --verify-config

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

Reminder: To get your onion service url.

sudo cat /var/lib/tor/retroshare/hostname

Reminder: Always backup the onion service key. This is necessary in order to restore it on another machine, on a newer Whonix-Gateway, after HDD/SSD failure, etc. Follow the instructions below to find its location; root permission is required to access it.

/var/lib/tor/retroshare/private_key

sudo qvm-copy-to-vm vault /var/lib/tor/retroshare/private_key

/home/user/QubesIncoming/sys-whonix/private_key

Tox[edit]

Tox ^{[12] [13]} looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VOIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous. ^[14] Desktop and mobile client versions have been developed for every major OS platform. ^[15]

In the Tox design, users are assigned a public and private key, with direct connections being established in a peer-to-peer network. Users can message friends, join chat rooms with friends or strangers, and send each other files. Everything is encrypted using the NaCl crypto library, via libsodium. ^{[16] [17]}. Tox helps to protect your privacy by: ^[18]

• Removing the need to rely on central authorities to provide messenger services
• Concealing your identity (in the form of meta-data, e.g. your IP address) from people who are not your authorized friends
• Enforcing end-to-end encryption with perfect forward secrecy as the default and only mode of operation for all messages
• Making your identity impossible to forge without the possession of your personal private key, which never leaves your computer

As at April 2017, the following secure (encrypted) features had been implemented: ^[19]

• Voice and video calls.
• Instant messaging.
• Desktop screen sharing / streaming.
• File sharing.
• Typing indicators.
• Message read-receipts.
• Profile encryption.
• Group messaging, voice and video conferencing.

Additional features can be implemented by any client, so long as they are supported by the core protocol. Features that are not related to the core networking system are left up to the client. ^[20]

Tox Installation[edit]

Security warning: Adding a third party repository allows the vendor to replace any package on your system. Proceed at your own risk! See Foreign Sources for further information. For greater safety, users adding third party repositories should always use Multiple Whonix-Workstations to compartmentalize VMs with additional software.

Note: The following instructions will install the "qTox" graphical user client to your system. ^[21] To install the lightweight version with minimal dependencies ("uTox") or another Linux client like Ricin, Toxic or Toxygen, see here and here.

In the Whonix-Workstation (Qubes-Whonix: whonix-ws TemplateVM), open a terminal (Konsole).

Download the Tox repository release key. ^[22]

wget -nv http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_8.0/Release.key -O Release.key

Debian stretch, see footnote: ^[23]

Check the fingerprint before importing anything.

gpg --keyid-format long --with-fingerprint Release.key

Always check the fingerprint for yourself. ^[24]

At time of writing, the fingerprint was.

pub   rsa2048/F2AA0B1E5EF8303B 2014-09-04 [SC] [expires: 2019-01-21]
      Key fingerprint = 3EB5 027B 3CD8 D7CA AC30  EB6B F2AA 0B1E 5EF8 303B
uid home:antonbatenev OBS Project <home:antonbatenev@build.opensuse.org>

Convert the Tox signing key to a keyring that can be used by apt-get.

gpg --no-default-keyring --keyring ./tox-pubkey.gpg --import Release.key

Add the Tox signing key.

sudo cp tox-pubkey.gpg /etc/apt/trusted.gpg.d/tox-pubkey.gpg

Add the Tox apt repository. ^[25]

sudo sh -c 'echo deb http://download.opensuse.org/repositories/home:/antonbatenev:/tox/Debian_8.0/ / > /etc/apt/sources.list.d/qtox.list'

Update the package lists.

sudo apt-get update

Install qTox.

sudo apt-get install qtox

The Tox repository and qTox have now been installed.

TODO: Add instructions on how to use Tox with Stream Isolation without Tor over Tor.

IRC Client HexChat[edit]

See HexChat.

Gajim[edit]

Add Debian Jessie Backports to repositories sources lists.

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Update the package lists.

sudo apt-get update

Install gajim, gajim-omemo and gajim-httpupload.

sudo apt-get -t jessie-backports install gajim gajim-omemo gajim-httpupload

Deactivate gajim plugin installer / updater because it's not secure.

sudo dpkg-divert --add --rename /usr/share/gajim/plugins/plugin_installer/__init__.py

Start Gajim. From start menu or type in konsole.

gajim

Change the following settings for better security and privacy.

• Edit -> Accounts -> uncheck Save conversation logs for all contacts

• Preferences -> Status -> uncheck Away after ^[26]
• Preferences -> Status -> uncheck Not available after

• Preferences -> Advanced-> Privacy -> uncheck
  • Allow client / OS information to be sent
  • Allow local system time information to be sent
  • Log encrypted chat session
  • Allow my idle time to be sent

• Preferences -> Advanced-> applications -> Custom -> clear fields for Browser, Mail Client and File Browser ^[27]

• Preferences -> Advanced -> global proxy -> Tor
• Preferences -> Advanced -> global proxy -> mange -> Tor -> check Use proxy authentication -> set username to gajim -> set password to gajim ^[28]

For Gajim to e installed by default in Whonix, there is more work TODO, see Dev/Gajim.

Ricochet IM[edit]

The following information only applies to the testers-only version of Whonix. (Whonix 14 and above).

Ricochet IM^[29] is a new successor of the unmaintained TorChat.

It is a portable P2P python chat application that does not save chat history. It relies on Tor onion services for creating identities. Its encryption and authentication properties are as strong as Tor's. No metadata is ever collected because it is server-less. An OTF sponsored audit in early 2016 shows that there were a few minor problems (fixed since).^[30][31]

On Whonix-Gateway, onion-grater needs some adjustments.

Extend onion-grater Whitelist

sudo mkdir -p /usr/local/etc/onion-grater-merger.d/

sudo ln -s /usr/share/onion-grater-merger/examples/40_ricochet.yml /usr/local/etc/onion-grater-merger.d/

sudo service onion-grater restart

Modify Whonix-Workstation User Firewall Settings

sudo mkdir -p /rw/config/whonix_firewall.d

kdesudo kwrite /rw/config/whonix_firewall.d/50_user.conf

sudo nano /etc/whonix_firewall.d/50_user.conf

## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When Whonix is updated, this
## file may be overwritten.

nano /etc/whonix_firewall.d/30_default.conf

Add.

EXTERNAL_OPEN_ALL=true

Save.

Reload Whonix-Workstation Firewall.

sudo whonix_firewall

On Whonix-Workstation, start ricochet. Either through start menu or from the command line.

ricochet

Deprecated Chat Clients[edit]

Tor Messenger[edit]

No longer use! Deprecated by upstream developers. ^[33]

Pidgin[edit]

Pidgin supports most protocols. However do not use it. It has a very bad security track record with many remotely exploitable bugs - a result of being written in C and containing many legacy protocols. ^[34]

TorChat[edit]

Unfortunately, since time of writing (September 2015) TorChat can not be recommended. This is because the TorChat developer currently does not respond to other people, see TorChat issues. Communication and support is crucial for anonymity related projects. TorChat is an unofficial project. Unaffiliated with The Tor Project. A modern and maintained alternative is Ricochet IM.

In 2015 security analysis^[35] of TorChat protocol and its Python implementation was conducted. It was found that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.^[36]

Other Software[edit]

If it is not listed here, it for now is recommended against. You can search Whonix forums to see if that chat client has been discussed in past or if you think a privacy respecting chat client is missing on this page.

https://forums.whonix.org/t/client-server-instant-messengers-im-oct-2016

Footnotes / References[edit]

1. ↑ http://archive.is/8w0Zf
2. ↑ https://www.eff.org/secure-messaging-scorecard
3. ↑ https://www.elttam.com.au/blog/a-review-of-the-eff-secure-messaging-scorecard-pt1/
4. ↑ Chance of working better (untested): Tunnel UDP over Tor.
5. ↑ Note, in case you are using the previous footnote, Other Anonymizing Networks over Tor UDP Tunnel applies.
6. ↑ http://retroshare.sourceforge.net/downloads.html
7. ↑ http://download.opensuse.org/repositories/home:/AsamK:/RetroShare/Debian_8.0/Release.gpg
8. ↑ To import asc key files into trusted.gpg.d they must be converted into a .gpg keychain file first.
9. ↑ RetroShare .deb Packages installation instructions from RetroShare's third party repository
10. ↑ https://github.com/RetroShare/RetroShare/issues/356
11. ↑ Arbitrary choice of port to avoid conflicts with custom RetroShare setups.
12. ↑ https://wiki.tox.chat/users/faq#what_is_tox
13. ↑ https://tox.chat
14. ↑ https://wiki.tox.chat/users/tox_over_tor_tot
15. ↑ https://wiki.tox.chat/clients
16. ↑ http://nacl.cr.yp.to
17. ↑ Tox employs curve25519 for its key exchanges, xsalsa20 for symmetric encryption, and poly1305 for MACs. https://tox.chat/faq.html
18. ↑ https://tox.chat/faq.html
19. ↑ Depending on the mobile / desktop client in use.
20. ↑ https://en.wikipedia.org/wiki/Tox_(software)
21. ↑ This repository is directly referenced on the Tox Download webpage, see: https://software.opensuse.org/download.html?project=home%3Aantonbatenev%3Atox&package=qtox Anton Batenev is a Tox developer.
22. ↑ For later Whonix releases based on Debian Stretch, replace "Debian_8.0" with "Debian_Stretch".
23. ↑
    [select code]

    wget -O - http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_Stretch/Release.key

    wget -O - http://download.opensuse.org/repositories/home:antonbatenev:tox/Debian_Stretch/Release.key
24. ↑ The list of GPG fingerprints currently in use by qTox developers can be referenced at https://github.com/qTox/qTox
25. ↑ For later Whonix releases based on Debian Stretch, replace "Debian_8.0" with "Debian_Stretch".
26. ↑ To prevent needlessly leaking your activity to the server.
27. ↑ For better security, we better do not risk automatically starting these applications from the chat client.
28. ↑ To get Stream Isolation.
29. ↑ https://ricochet.im/
30. ↑ https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf
31. ↑ https://en.wikipedia.org/wiki/Ricochet_(software)
32. ↑ Using /usr/local/etc/onion-grater-merger.d/ because that onion-grater settings folder is persistent in Qubes-Whonix TemplateBased ProxyVMs, i.e. Whonix-Gateway (commonly called sys-whonix). Non-Qubes-Whonix users could also use /etc/onion-grater-merger.d/. Qubes-Whonix users could also use /etc/onion-grater-merger.d/ but then users would have to make /etc/onion-grater-merger.d/ persistent, which would require doing this inside the Whonix-Gateway TemplateVM (commonly called whonix-gw) and restart their Whonix-Gateway ProxyVM or to use bind-dirs. Both is more more complicated than simply using /usr/local/etc/onion-grater-merger.d/ which is persistent either way and even allows multiple Whonix-Gateway ProxyVMs based on the same Whonix-Gateway TemplateVM for lets say one Whonix-Gateway ProxyVM extending and relaxing onion-grater's whitelist and the other Whonix-Gateway ProxyVM with the default more restricted onion-grater whitelist.
33. ↑
    • https://blog.torproject.org/sunsetting-tor-messenger
    • Deprecated#Tor_Messenger
    • http://forums.whonix.org/t/tor-messenger-is-no-longer-maintained-as-of-march-2018
34. ↑ https://pidgin.im/news/security/
35. ↑ Security Analysis of Instant Messenger TorChat
36. ↑ https://en.wikipedia.org/wiki/TorChat#Security

License[edit]

Whonix Chat wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Chat wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)