/d/OpSec

16,634 subscribers

Must read: https://anonymousplanet-ng.org/guide.html

Discussion of OpSec, Threat Models, Protection, Assessment & Countermeasures.

Vendors, please use /d/vendor_handbook.

While the focus of this community's OpSec discussions may center around Dark Net (DN) activity, all members of this sub are encouraged to think about, discuss, and share ideas relating to OpSec that extend beyond the bounds of the DN.

Analysis of Secure Chat Communications in Progress (Pinned post)

by /u/HeadJanitor Moderator · 40 votes · 1 month ago

At the enlightened request by /u/Pygmalion ... probably after 291,340 repeated questions---from one who does not chat, with corroboration and expertise from /u/tito33, undergoing is a project to expose the better of the chat/messenger software that is in current development, offers end-to-end encryption, is fully open-source, has been tested and released.

Do keep in mind that nothing is perfect, nothing will deliver every stronghold but some will outrank others.

1. ___________________Section by /u/HeadJanitor

2. ___________________Section by /u/tito33

IN PROGRESS

INCOMPLETE

No particular order, yet.

Ricochet Refresh
Ricochet Refresh is an open-source project to allow private and anonymous instant messaging
Ricochet Refresh uses the original Ricochet open-source software but has improved on it substantially, such as upgrading its security and making it compatible with Tor Onion Services v3 instead of the older v2.
There are no servers to trust, monitor, or hack
The source code is available for inspection and development
https://www.ricochetrefresh.net
SecP2P
This is a Tor based peer to peer, encrypted messaging app. The goal of this project is to bring real-time messaging on Tor, enabling users to chat with each other with anonymity in mind. This version of the app is in its very initial stages; however, it provides text messaging with media sharing capability.
This application creates a v3 onion hidden service, using the 56 char hostname as the ID of the user. It does not include a server for managing all the messages that are sent; rather, they are sent directly to the receiver. There is no online or typing status for the app (but it might be added in the coming releases), but it does indicate that a message has been delivered to the user. Moreover, sharing media over SecP2P is slow compared to other messaging applications, because everything runs over the Tor network. Sharing large files is also possible, but you have to rely on the network speed of Tor nodes and your connection.
https://github.sre.pub/miIiano/SecP2P
Tinfoil Chat - Onion-routed, endpoint secure messaging system
Tinfoil Chat (TFC) is a FOSS+FHD peer-to-peer messaging system that relies on high assurance hardware architecture to protect users from passive collection, MITM attacks and most importantly, remote key exfiltration. TFC is designed for people with one of the most complex threat models: organized crime groups and nation state hackers who bypass end-to-end encryption of traditional secure messaging apps by hacking the endpoint.
State-of-the-art cryptography
TFC uses XChaCha20-Poly1305 end-to-end encryption with deniable authentication to protect all messages and files sent to individual recipients and groups. The symmetric keys are either pre-shared, or exchanged using X448, the base-10 fingerprints of which are verified via an out-of-band channel. TFC provides per-message forward secrecy with BLAKE2b based hash ratchet. All persistent user data is encrypted locally using XChaCha20-Poly1305, the key of which is derived from password and salt using Argon2id, the parameters of which are automatically tuned according to best practices. Key generation of TFC relies on Linux kernel's getrandom(), a syscall for its ChaCha20 based CSPRNG.
Anonymous by design
TFC routes all communication exclusively through the Tor anonymity network. It uses the next generation (v3) Tor Onion Services to enable P2P communication that never exits the Tor network. This makes it hard for the users to accidentally deanonymize themselves. It also means that unlike (de)centralized messengers, there's no third party server with access to user metadata such as who is talking to whom, when, and how much. The network architecture means TFC runs exclusively on the user's devices. There are no ads or tracking, and it collects no data whatsoever about the user. All data is always encrypted with keys the user controls, and the databases never leave the user's device.
https://github.sre.pub/maqp/tfc
Mumble
Open Source, Low Latency, High Quality Voice Chat
Mumble is a free, open source, low latency, high quality voice chat application.
Mumble was the first VoIP application to establish true low latency voice communication over a decade ago. But low latency and gaming are not the only use cases it shines in.
We heard from users who record podcasts with our multi-channel audio recorder, players seeking realism with our positional audio in games, Eve Online players with huge communities of over 100 simultaneous voice participants (I bet they make good use of our extensive permission system 😄), the competitive Team Fortress 2 community making us their required voice communication platform, hobby radio transmission users, and a variety of workplaces adapting Mumble to fit their needs - be it on-head mobile devices or communicating across countries or into airplanes.
https://www.mumble.info/
Tox over Tor with Tails (and Orbot)
- Install Orbot and TRIfA. Both are available from F-Droid repositories if you don’t have or don’t want to use Google Play Store.
- Open Orbot.
- Click the button to turn on “VPN Mode”.
- At the bottom where it says “Tor-Enabled Apps”, click the little gear wheel on the right.
- On the following screen, check the box for TRIfA and any other apps you want to be forced through Tor.
- Hit the back arrow in Orbot.
- Click the big “Start” button.
- Once Orbot has a connection to Tor, open the TRIfA app and follow the instructions for setting up your account.
(NOTE: If you were already using Tox in Tails, you should back up your config files before installing Tox again. Go to Places -> Dotfiles, then hit ctrl-H, then go into .config folder and copy the folder named "tox" and all its contents to your Persistent folder as a backup.)
With the rise of government surveillance programs, Tox, a FOSS initiative, aims to be an easy to use, all-in-one communication platform that ensures full privacy and secure message delivery.
Tox is a FOSS (Free and Open Source) project. All Tox code is open source and all development occurs in the open. Tox is developed by volunteer developers who spend their free time on it, believing in the idea of the project. Tox is not a company or any other legal organization. Currently we don't accept donations as a project, but you are welcome to reach out to developers individually.
https://tox.chat/download.html
Linphone
Linphone is an open source SIP phone that makes it possible to communicate freely with people over the internet
- Secure communications with end-to-end encryption
- Fully SIP-based, for all calling, presence and IM features
https://www.linphone.org/
Send Signal Messages over Tor with Whonix ™
It is possible to install the standalone Signal Desktop application version for Linux in Whonix-Workstation ™, and tunneling the application over the Tor network. However, this configuration is not recommended because although the traffic will be routed over the Tor network
https://www.whonix.org/wiki/Signal
uTox
Tox is a Free Software project whose goal is to free users from the grip of Proprietary instant messengers.
Tox is all about security and privacy. All your communications are encrypted using ROCKSOLID encryption.
Tox is easy to use for anyone. No registration required, just open it and start adding friends or give your friends your Tox ID so they can add you. You can find your Tox ID in the settings tab. You can now, directly through uTox, use it for buying and selling Cryptocurrencies in Australia. Coinspot Australia is the first exchange we have partnered up with. Another Australian company we are working with is seo advantage, they have helped us to get a 8x increase in traffic to our site.
https://utox.org/
qTox
Nowadays, every government seems to be interested in what we're saying online. qTox is built on a "privacy goes first" agenda, and we make no compromises. Your safety is our top priority, and there isn't anything in the world that will change that.
qTox is both free for you to use, and free for you to change. You are completely free to both use and modify qTox. Furthermore, qTox will never harass you with ads, or require you to pay for features.
qTox takes your privacy seriously. With leading-class encryption, you can rest assured knowing that the only people reading your messages are the ones you send them to.
https://qtox.github.io
Jami
Jami (formerly GNU Ring, SFLphone) is a SIP-compatible distributed peer-to-peer softphone and SIP-based instant messenger for Linux, Microsoft Windows, OS X, iOS, and Android. Jami was developed and maintained by the Canadian company Savoir-faire Linux.
Jami is free and open-source software released under the GNU GPL-3.0-or-later. In November 2016, it became part of the GNU Project.
By adopting distributed hash table technology (as used, for instance, within the BitTorrent network), Jami creates its own network over which it can distribute directory functions, authentication and encryption across all systems connected to it.
Packages are available for all major Linux distributions including Debian, Fedora, and Ubuntu. Separate GNOME and KDE versions are available.
https://git.jami.net/savoirfairelinux
darkwire.io
End-to-end encrypted instant web chat.
Simple encrypted web chat. Powered by socket.io, the web cryptography API. This project is an example of how client side encryption works and how you can integrate it as a chat service.
Darkwire uses a combination of asymmetric encryption (RSA-OAEP), symmetric session keys (AES-CBC) and signing keys (HMAC) for security.
Darkwire encodes documents into base64 using btoa and is encrypted the same way chat messages are.
Chat history is stored in each participant's browser, so it is effectively erased (for that user) when their window is closed.
darkwire.io
https://github.sre.pub/darkwire/darkwire.io
Briar
Briar uses the Tor network to prevent eavesdroppers from learning which users are talking to each other. Each user’s contact list is encrypted and stored on her own device.
Briar is a messaging app designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. Unlike traditional messaging apps, Briar doesn’t rely on a central server - messages are synchronized directly between the users’ devices. If the internet’s down, Briar can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the internet’s up, Briar can sync via the Tor network, protecting users and their relationships from surveillance.
Briar uses direct, encrypted connections between users to prevent surveillance and censorship.
Typical messaging software relies on central servers and exposes messages and relationships to surveillance.
- Peer-to-peer encrypted messaging and forums
- Messages are stored securely on your device, not in the cloud
- Connect directly with nearby contacts - no Internet access required
- Free and open source software
https://briarproject.org/
Speek
All messages are end-to-end encrypted. The Speek client is creating a Tor hidden service on the client PC. The message is then routed via the Tor onion network to the receiver. This makes it possible that the IP addresses are never public and the users can stay anonymous. The users are identified with public keys. Each user can share their public key with others to add them to the contacts list.
In comparison to popular messaging applications like Telegram, WhatsApp and Signal, Speek is by far the most secure way to converse. Speek is serverless, stores no metadata, requires no ID or phone number and all the messages are encrypted and routed via the Tor network.
Decentralized
Your IP address is not shared with anybody.
Surveillance is impossible by design
Nobody is able to intercept your messages. The messages are only temporarily stored on your device. When you close the Speek app, all your messages are deleted. It is like talking in real life. Nothing is saved.
https://speek.network/
OnionFruit™ Connect
OnionFruit™ Connect is a free utility that allows users to connect to the Tor network with minimal effort. Taking a similar form to a VPN program, it's easy to use and gives the user maximum control. Acting as a system proxy, the majority of programs will also be able to connect without much further configuration (including web browsers!).
- Simple design
- No admin elevation needed for most features
- [Experimental with compatibility warnings] DNS-over-Tor (including .onion sites)
- Custom traffic entry/exit country (US, GB, ES, etc.)
- Auto start on Windows login
- Custom launch pages
- Discord Game Status
- Standard, obfs4, meek and snowflake Bridge Support
- Regular updates with bug fixes, performance improvements and new features
OnionFruit™ Connect - Tor access client with country selection, bridge configuration, pluggable transports and experimental DNS support
https://github.com/dragonfruitnetwork/onionfruit
cryptpad
CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored
Security
CryptPad offers a variety of collaborative tools that encrypt your data in your browser before it is sent to the server and your collaborators. In the event that the server is compromised the database holds encrypted data that is not of much value to attackers. The code which performs the encryption is still loaded from the host server like any other web page, so you still need to trust the administrator to keep their server secure and to send you the right code. An expert can download code from the server and check that it isn't doing anything malicious like leaking your encryption keys, which is why this is considered an active attack.
The platform is designed to minimize what data is exposed to its operators. User registration and account access is based on a cryptographic key that is derived from your username and password so the server never needs to see either and you don't need to worry about whether they are being stored securely. It is impossible to verify whether a server's operators are logging your IP or other activity, so if you consider this information sensitive it is safest to assume it is being recorded and access your preferred instance via Tor browser.
A correctly configured instance has safeguards to prevent collaborators from doing some nasty things like injecting scripts into collaborative documents or uploads. The project is actively maintained and bugs that our safeguards don't catch tend to get fixed quickly. For this reason it is best to only use instances that are running the most recent version, which is currently on a three-week release cycle. It is difficult for a non-expert to determine whether an instance is otherwise configured correctly, so we are actively working on allowing administrators to opt in to a public directory of servers that meet our strict criteria for safety.
https://github.com/xwiki-labs/cryptpad

End: 1. ___________________Section by /u/HeadJanitor

Feedback, suggestions ... please.
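The BLAKE2b hash ratchet mentioned in the Tinfoil Chat description above, sketched as an added example (it is not part of the original post and is not TFC's own code). The names `HashRatchet`, `MAX_SKIP`, the labels and the packet layout are assumptions, and a keyed BLAKE2b tag stands in for XChaCha20-Poly1305, which the Python standard library does not provide.

```python
import hashlib
import hmac
from typing import Tuple

KEY_LEN = 32
MAX_SKIP = 64  # assumption: how far a receiver will ratchet forward for one packet


def _derive(chain_key: bytes, label: bytes) -> bytes:
    """One-way step: keyed BLAKE2b with a domain-separation label."""
    return hashlib.blake2b(b"", digest_size=KEY_LEN, key=chain_key,
                           person=label).digest()


class HashRatchet:
    """Per-message keys from a chain key that only ever moves forward."""

    def __init__(self, chain_key: bytes, counter: int = 0):
        if len(chain_key) != KEY_LEN:
            raise ValueError("chain key must be 32 bytes")
        self._chain = chain_key
        self.counter = counter

    def next_message_key(self) -> Tuple[int, bytes]:
        n = self.counter
        msg_key = _derive(self._chain, b"msg-key")
        # Overwrite the chain key: earlier message keys can no longer be
        # recomputed from this state, which is the forward-secrecy property.
        self._chain = _derive(self._chain, b"chain-step")
        self.counter += 1
        return n, msg_key

    def key_for(self, n: int) -> bytes:
        """Ratchet forward to message n, discarding the skipped keys."""
        if n < self.counter:
            raise ValueError("key for this counter was already ratcheted away")
        if n - self.counter > MAX_SKIP:
            raise ValueError("counter jump too large")
        while True:
            i, key = self.next_message_key()
            if i == n:
                return key


def tag_message(key: bytes, n: int, message: bytes) -> bytes:
    """Authenticate counter and message under the one-time message key."""
    return hashlib.blake2b(n.to_bytes(8, "big") + message,
                           digest_size=16, key=key).digest()


def send(ratchet: HashRatchet, message: bytes) -> Tuple[int, bytes, bytes]:
    n, key = ratchet.next_message_key()
    return n, message, tag_message(key, n, message)


def receive(ratchet: HashRatchet, n: int, message: bytes, tag: bytes) -> bool:
    """Verify on a trial copy so a forged packet cannot advance the state."""
    trial = HashRatchet(ratchet._chain, ratchet.counter)
    try:
        key = trial.key_for(n)
    except ValueError:
        return False
    if not hmac.compare_digest(tag_message(key, n, message), tag):
        return False
    ratchet._chain, ratchet.counter = trial._chain, trial.counter
    return True


def demo() -> dict:
    # Constructed sample key; a real one comes from a CSPRNG or key exchange.
    root = bytes(range(32))
    alice, bob = HashRatchet(root), HashRatchet(root)
    packets = [send(alice, b"msg %d" % i) for i in range(4)]
    results = {}
    results["in_order"] = receive(bob, *packets[0])
    results["after_gap"] = receive(bob, *packets[3])    # packets 1 and 2 lost
    results["late_packet"] = receive(bob, *packets[1])  # its key is gone
    results["forged"] = receive(bob, 10, b"forged", bytes(16))
    results["counter"] = bob.counter
    return results


if __name__ == "__main__":
    print(demo())
```

The late packet is rejected because the receiver has already destroyed the key it needs; that is the cost of forward secrecy in a pure hash ratchet without stored skipped keys.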

Comments (82)
/u/WhiteWolf · 3 votes · 1 month ago · Link

Great work as always. We as a community will benefit from such list, refer newbies and compare different software.

Every third post on Dread is about "what secure messenger to use for comms" anyway.

I think this should be stickied at the very least.

You could add Jitsi, cwtch and Gajim to the list too.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

We'll break it down once and for all and for all to see. Thank you!

/u/whalez · 3 votes · 1 month ago · Link

Finally, this will put an end to the endless stream of typical lame questions.

Good job fam, upfucking voted and I clearly suggest anyone to do just that !

/u/HeadJanitor Moderator OP · 2 votes · 2 weeks ago · Link

I apologize about my extended get-away. Thank you, kindly. We'll sort all the answers (but they'll still be asked ;) Hope you've been well.

/u/nasyer P · 3 votes · 1 month ago · Link

I prefer Briar

/u/HeadJanitor Moderator OP · 2 votes · 1 month ago · Link

Yeah, everyone seems to like it too. All have pros and cons. Nobody will be 100% satisfied so we'll just put out the facts.

/u/nasyer P · 2 votes · 1 month ago · Link

Agreed, HeadJanitor

I prefer it may be I'm familiar with now and everyone looks for the same in which he can fit himself comfortably as Human nature.

But as always, your research was too awesome.

Honestly, I wanna let you know that I like your efforts and your content because Opsec is the subject which can't be fully practised as Doctor, Everyday you have to learn against new tactics and technologies. Seriously you are the most valuable person right now on Dread because you are like the mud who holds the root of dread forum as Opsec is the root of everything.

All above words and alphabet i used above is purely your fan by Heart, because this Opsec is the only subject which is always my favourite and prefer it before i start any new project.

Don't know what other thinks about Opsec but it must be priority for you and your family whatever you do on dark-net.

Thanks HeadJanitor

/u/nasyer P · 1 votes · 1 month ago · Link

and Please don't forget to rate my grammar as i didn't use any translating app to write my comment this time, I'm try to learning without it.

Thanks

/u/FixN_Time · 2 votes · 3 weeks ago · Link

PLEASE do Session!! It's Signal's code modified w/o phone number verification. They have desktop and mobile apps and it's what I've been using. Let me know how much I would need to pay to get it analyzed if you don't want to. Let me know if you can do network and what other kinds of analysis of the desktop and mobile apps. You can Google getsession but it's the org.

/u/FUDPolice P · 1 votes · 1 month ago · Link

I've tested A LOT of options. Some on the surface seem great but when you actually use it another story. Jami is an example of that. Used it for a while till it became unbearable. Element is a pain in the fucking ass, reliant on servers, slow sync, messages not deleting, no exif removal overall not ideal. Session I wouldn't touch at all.

My favourite currently is Briar. No central server is a big plus. Available on F-Droid, great running on Graphene OS for ultimate security connect over TOR. Self destruction messages. A couple key features not advertised that blew my socks off are exif data removed by default (lots of apps don't). Also, where Briar really wins over others that suits big drug enterprises is the zero knowledge groups which is something some invite only cartel devices do. But basically, if you're a "middle person", you can connect someone with the goods, and someone wanting goods into the same group. Those people are connected anonymously and separately, so they can't go organizing deals without you. This is something big players like.

It's interesting you mention cryptpad. Great service. Although must say you need to be careful as data can corrupt easy when it's synchronising.

/u/dreadaccountusername2 · 1 votes · 1 month ago · Link

What's wrong with Session? I've used it a little in the past and it worked well for my limited needs. And it's supposed to be open source. I was given to understand it's a better version of Signal since Session doesn't require a phone number or email. I'm not saying you're wrong, it's just that if I'm using something flawed I'd like to know and improve my setup.

/u/FUDPolice P · 1 votes · 1 month ago · Link

Ah the fact that AU laws force IT admins, ceos to give back door access if requested, to alter information, access it in real time and the operator can't legally let the public know it's occurring if it was and if they said no they face 10 year prison sentence. Says all you need to know.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

That is life 100 years ago :(

/u/FUDPolice P · 1 votes · 1 month ago · Link

Not sure i comprehend.

/u/HeadJanitor Moderator OP · 1 votes · 2 weeks ago · Link

Australia, such a beautiful land and culture, deserves so much better than what it's decaying into along with Germany. This police state charade has got to end before it gets ugly. Australia, of all places I can think of, does not deserve what is taking place.

/u/dreadaccountusername2 · 1 votes · 1 month ago · Link

If those laws apply to Session, don't they apply to everything else on the list? Doesn't that mean they are all equally flawed?

/u/FUDPolice P · 1 votes · 1 month ago · Link

AU laws only apply to AU companies of which Session is.

Briar which i mentioned isn't AU, messages are peer-to-peer.

/u/dreadaccountusername2 · 1 votes · 1 month ago · Link

Oh I see what you're saying now. I didn't know that was something that we needed to watch out for. Thank you.

/u/FUDPolice P · 1 votes · 1 month ago · Link

The AU laws weren't designed to force companies to break encryption. Instead, it's argued at the point in which something is clear text. Law enforcement must be able to have real time access. The information is routing somewhere, what's not to say it's not also phoning home. Then LE expanded the laws recently, they don't just want real time viewing, they want to be able to manipulate the data i.e. change messages and send messages. It's so fucked.

Session did well in taking Signal's code base then removing phone number basically. But they picked literally the worst country to setup in. You're facing 10 years prison here for not decrypting your device, providing phone pin / pass code. That's how fucked our laws are.

Keep in mind, AU LE released another encrypted app called An0m and handed it out to all the big drug syndicates. Then they sat back and collected so much fucking data, assassinations, customs officers on the payroll for large trafficking of cocaine, transportation and handoff details about plane importations, sea trafficking. That led to the biggest busts in our history.

This is why peer-to-peer is beautiful. No one in the fucking middle.

Briar is hands down, the best app I've had the pleasure of using. Yet it's never mentioned or used.

/u/dreadaccountusername2 · 1 votes · 1 month ago · Link

Interesting. Yeah I've never heard about Briar. I'll have to check it out. How much of those laws would affect someone in the states? I read the FAQ on Session's site and they said that they will cooperate with court ordered mandates, but they said they intentionally set it up so that they can't ever have access to any information that could identify an individual user. They said that everything is open source and been reviewed so if they had any backdoors it would have been discovered by now.

I lack the coding knowledge to know if a backdoor could be hidden in a way that it wouldn't be spotted in an open source code when somebody is specifically looking for backdoors.

/u/FUDPolice P · 1 votes · 1 month ago · Link

We've just extended our laws to our 5 eyes partners which includes USA.

USA is just as bad as AU for secret deals and backdoor access as snowden showed you.

/u/NotNero123 · 1 votes · 3 weeks ago · Link

I wouldn't worry too much about the Australia stuff, all the apps are completely open source, so to include a backdoor they'd need to Pull request one into the application. This would be noticed by either the community or other non Aussie devs pretty quickly. Session has a number of USA devs as I understand. And nothing came up in their third party security audit last year.

P2P has usability issues related to messaging users who are offline, generally it's nice to have some sort of storage medium for offline message delivery

/u/FUDPolice P · 1 votes · 3 weeks ago · Link

Briar does have a storage medium. Encrypted locally, protected by a password, then when the recipient is online either internet (tor) or if you were say in Ukraine and internet was taken down by Russians, you can message wifi / Bluetooth. The encrypted message basically jumps from one device to the next until the intended recipient can receive and decrypt it.

It really is ground breaking.

Sorry USA devs are meant to be our safety check considering our intelligence agreements with NSA? Session doesn't need to change the source code, when the penetration can occur on ownership of the data in transit. What's to say a phone home to check the user is online turns out to be feeding back data cleartext? How would you know? When the company cannot legally tell you if it's occurring.

Those laws by the way were later extended to 5 eyes partners. So that assures some cooperation with USA.

/u/NotNero123 · 1 votes · 2 weeks ago · Link

Try to onboard a user onto Briar and you will quickly run into issues when they can't message their friend because their phone isn't on. It's a massive issue, and counterintuitive to regular usage.

The local network connectivity is pretty nightmarish for privacy and doesn't work all that well, they don't have an iOS app which pretty much rules it out of usage in any western country where 50% of devices are iOS.

Briar is already developed mostly in the UK which is in the 5 eyes and has active legislation which is already about as bad as the Australian regulations. Briar is also partially funded by DRL (US Government) grants.

You would know if Session is phoning home by reading the source code of the app, if you can't do that then trust the third party audits they have gotten which say it isn't. How do you know that the Briar devs haven't got a feature which phones home?

/u/FUDPolice P · 1 votes · 2 weeks ago · Link

You can message your friend. They simply only read it when they're online to read it. Shock horror.

It's like writing a letter. You have to check your mail to receive it.

/u/We_Are_9000 Paranoia Level · 1 votes · 1 month ago · Link

TOX is a no go if you use Whonix.

Tox

Tox is a fully-featured, decentralized (server-less) option which employs strong encryption, but the software is in alpha status.

qTox has been removed from Whonix ™ due to serious security issues.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Good to know. Thank you.

/u/We_Are_9000 Paranoia Level · 1 votes · 1 month ago · Link

Here is a chat list for Whonix, good info here :-)

https://www.whonix.org/wiki/Chat

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Thanks for the beast least.

(A lot of them all no good. What about plain ol' Dino.)

Element Web (JavaScript)

Converse.js (JavaScript)

Deprecated Chat Clients

Introduction

CoyIM

Nheko

Pidgin

RetroShare

Ricochet IM

TorChat

Tor Messenger

Tox

/u/Akela · 1 votes · 1 month ago · Link

The IM situation is utter crap, they all suck. I've tried them all. The best still I believe is Jabber, over tor and omemo.

Many of my friends also use qtox, but I believe if one party is offline, you are fucked. I remember it was pretty pain in the ass.

/u/HeadJanitor Moderator OP · 2 votes · 1 month ago · Link

I'm personally favoring Dino.

/u/We_Are_9000 Paranoia Level · 1 votes · 1 month ago · Link

I have Dino for OMEMO encryption.

/u/PokerClub · 1 votes · 1 month ago · Link

Yes. I like Dino too

/u/LeftRightWing · 1 votes · 1 month ago · Link

Man element is the best, I've tried most of the software you wrote and they are not even close to element, you can overcome the java problem in element with downloading the app (it's open source)

/u/FUDPolice P · 2 votes · 1 month ago · Link

Element sucks balls. You're reliant on policies of external server hosting unless you host your own. Uptime can be shit. Lag can be shit. Anyone you're chatting with can see your sessions i.e. device Linux, Firefox, Windows, iPhone etc. There's no exif data removal for images. If you get into using it a lot, it can take days to clear delete a conversation. Even then, if you have other sessions running those messages may stay there forever. When I delete something I want it gone. Not a 2 week slow wait to maybe delete. This is using some of the best servers available mind you. In theory it's nice. You're safe in the fact that no one really uses it so it isn't on a radar. But that's the end of my love for Element. Tried it extensively, then quit.

/u/We_Are_9000 Paranoia Level · 1 votes · 1 month ago · Link

And this....From the Whonix Wiki

Ricochet IM

Ricochet IM (original) is no longer recommended as a decentralized (server-less) option because it is not functional in Whonix ™ and deprecated upstream by its original developers. Ricochet IM 'only' uses onion encryption and is difficult to set up and use. OTR or OMEMO-grade encryption is not available and offline messages are not supported. Ricochet Refresh is unsupported since it was broken in Whonix ™ 15 despite all efforts to fix it. A contributor submitted github pull requests which were unfortunately rejected due to Ricochet Refresh's rewrite gosling in development. The Ricochet Refresh was changed and Ricochet rewrite is now non-freedom software. The chosen license for gosling (a rewrite of Ricochet Refresh) is the same non-freedom software license Commons Clause.

See Avoid non-freedom software.

Related: Whonix ™ Policy On Non-Freedom Software

An issue Ricochet-Refresh is now proprietary had been reported. According to the Ricochet-Refresh developer's reply it seems unlikely that the license would be reverted to a Freedom Software license.

(archived documentation)

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Ricochet Refresh went open source. If you are a developer, or are comfortable compiling from source, the latest source code for V3 can be found on GitHub.

Ricochet Refresh

R2: Ricochet Refresh

Ricochet Refresh is the new updated version of Ricochet, supported by Blueprint for Free Speech. We are a non-government, not-for-profit organisation working to safeguard the freedom of expression for whistleblowers, activists, and everybody else, worldwide. To find out more, check out our profile, or head to blueprintforfreespeech.net. Blueprint was the original sponsor of Ricochet, written by developer J. Brooks.

What is Ricochet Refresh?

Ricochet Refresh is an instant messenger where no one knows your identity, who you're talking to, or what you're talking about.

You can talk to whoever you want, without them knowing your identity (or IP address)

No one can know who you're talking to, or when you're talking to them* (no metadata)

You talk directly to your contact - there's no middleman server that could be compromised, putting you at risk.

It's cross-platform, easy to install, and easy to use!

It's open source, and open to contribution!

/u/FUDPolice P · 1 votes · 1 month ago · Link

/u/HeadJanitor

A very worthy mention for conference calling to replace zoom is Jitsi meet. Completely cross platform. No account needed. E2EE encrypted.

https://jitsi.org/

https://github.com/jitsi/jitsi-meet-electron/releases

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Sweeeeeet.

Thank you!

The more easier. Maybe not.

/u/FUDPolice P · 1 votes · 1 month ago · Link

/u/HeadJanitor

Do you know any software like Veracrypt that provides plausible deniability through Hidden Volumes?

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

https://github.com/aforensics/HiddenVM

?

/u/nomad-traveller · 1 votes · 1 month ago · Link

Would be nice if you reported which of these is available on f-droid/google store, cheers

/u/HeadJanitor Moderator OP · 2 votes · 1 month ago · Link

I figure there will be a lot of work going to all of this.

/u/KyleKlemons54 · 1 votes · 1 month ago · Link

Is qTox compatible with TAILS OS? Just asking.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Tails has what is called Tor Enforcement. Nothing leaves its IPTABLES.

/u/invisible · 1 votes · 1 month ago · Link

How long has Ricochet been around for?

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Several years, perhaps. This is a whole new revision.

/u/plkqcs · 1 votes · 1 month ago · Link

My head hurts. I blame /u/Pygmalion

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

In the end, it'll end up being one or two.

/u/LeftRightWing · 1 votes · 1 month ago · Link

I am impressed that the Matrix protocol with the Element client is not even mentioned here! It's the best way to communicate safely and anonymously. It's open source, decentralized and Tor-friendly, you can google for servers that don't ask for a number and email, and it's easy to use and full of discoverable groups and communities with a beautiful UI.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

I love Matrix / Element - I think it's so year 3,000

The few people I've shown it to frowned on the JavaScript embedded element and collections.

/u/Pygmalion Vendor Opsec · 1 votes · 1 month ago · Link

/u/kaizushi can help harden your OS with SELinux to sandbox the JS of Matrix.

Talk to her.

/u/LeftRightWing · 1 votes · 1 month ago · Link

Just download it like how you download Gajim or any XMPP client! No need for the web version (there are a lot of sandboxing projects, like Flatpak for example). Matrix/Element is really the decentralized communication revolution that we all need here.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

I have a feeling Matrix/Element will take on its own course in the next year. It's very feature-rich and the potential to set up rooms (even at a corporate level) is fantastic.

In the end, just reviewing these technologies I don't know if the crowd is looking for something handheld and mobile or behind a screen. Each, naturally, has pros and cons. I'll just lay it all out and it'll probably be preferential.

/u/Pacco P Kilos Staff · 1 votes · 1 month ago · Link

Great resource. Can't remember if it was anomphone or not, but I think I have seen some anonymous phone brands preinstalling Briar, or it was some cartel phone. I did some research and was fascinated by the tech of it. Using v3 as ID for communication. No servers, no setup, no registration, just fire up the app. You can even use it without internet, with Bluetooth.

If I were the cartel I would create a mesh network of wifi devices without connection to the internet and use Briar with it.

You can add Jitsi there. Free open-source alternative to Zoom.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Thank you, /u/Pacco

I'll be adding Jitsi for sure.

/u/[deleted] · 1 votes · 1 month ago · Link

You totally forgot Bitmessage^^

https://en.wikipedia.org/wiki/Bitmessage

https://wiki.bitmessage.org/

https://github.com/Bitmessage/PyBitmessage/releases/

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Stable release

0.6.3.2 / February 13, 2018; 4 years ago

___________________________________

Security audit needed: Bitmessage is in need of an independent audit to verify its security. If you are a researcher capable of reviewing the source code, please email the lead developer. You will be helping to create a great privacy option for people everywhere!

/u/BigDaddy2K · 1 votes · 1 month ago · Link

Hey, nice work compiling the good ones here. Still, for some I am not sure if they are viable to today's standard and are doing as intended.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Thank you!

/u/Pygmalion Vendor Opsec · 1 votes · 1 month ago · Link

Tox is a dead end technology wise. The code is broken on a too primitive level and there are a bunch of issues that cannot be fixed easily, so it's pretty much where it is and that's that.

Send Signal Messages over Tor with Whonix ™

too limited and hacky.

I suggest we rank these by features and active development and future proofness.

/u/Haven_Shill_XHV · 1 votes · 1 month ago · Link

/u/Paris & /u/Hugbunter, I know you guys already have so much on your plate so I'm sorry for bothering you, but I would really love a "follow" feature so I don't miss posts from guys like this after not logging in for a bit. I'm probably not the only one.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

I hear ya. For now, click on the "Save" button.

/u/Haven_Shill_XHV · 1 votes · 1 month ago · Link

The "save" function doesn't really do what I need tho. I could go into their profile and check for new posts periodically, but that seems kinda weird and stalker-y, and also a pain in the ass lol. They could also do something like give a portion of dread subscription profits to the highest followed contributors, in order to reward quality posting.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Thank you as always, /u/Haven_Shill_XHV

/u/Haven_Shill_XHV · 1 votes · 1 month ago · Link

Yo, if any of those dudes come at you looking for therapy, send em my way. I'll straighten em out lol

Edit: Not kidding.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Will do. From the whole human spectrum.

/u/Haven_Shill_XHV · 1 votes · 1 month ago · Link

Like I said, not kidding. lol I'd be happy to help

Edit: Assuming they'd even trust me

/u/vekocy · 1 votes · 1 month ago · Link

I filtered out any messaging app that's centralized and any messaging that's not designed from the ground up using the Tor network.

Briar has a nice and very refined interface but it is only available on mobile. Hopefully they are able to port it over to Windows or Linux, or integrate it inside Whonix or Tails.

Speek, on the other hand, is available on Windows, Linux and mobile, but the user interface is a bit confusing. It will not work in Whonix as the app itself is trying to connect to TOR and Whonix already wraps the TOR. So it's TOR and TOR.

/u/HeadJanitor What about OnionShare?

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

I'll gladly take your input and feedback on this.

I did a post on OnionShare over at /d/Guides for its awesome file transfer feature.

With OnionShare, the chat room requires JavaScript ........ which scares everyone away.

Same with Matrix/Element Web, which is so futuristic and has so much to offer.

/u/vekocy · 1 votes · 1 month ago · Link

Oh yeah, I forgot to mention.

Briar does not support obfs4 bridges, which may be a problem for people in countries where TOR is banned.

Speek allows obfs4 and custom bridges.

/u/vekocy · 1 votes · 1 month ago · Link

Sorry, Briar supports bridges. I found the settings.

/u/HeadJanitor Moderator OP · 1 votes · 1 month ago · Link

Nice. In the end, this is gonna be an ugly verdict because it's definitely dimensional. Client Platform A supports Linux but not Windows or Mac, Client B doesn't do file transfer, Client C is written in JavaScript. Ironically the one that supports all operating systems is "Jitsi" and it's written in Java, JavaScript. At least ... there are choices.

/u/vekocy · 1 votes · 1 month ago · Link

Yeah, in the end everyone falls back to Telegram and WhatsApp, or those paranoid about privacy have all of the chats listed above installed.

/u/KAMAZAS · 1 votes · 3 weeks ago · Link

We and our customers are using zChat... While it was free... They are not requiring a phone number or some access to the phone. Just have an internet connection and that's it.

/u/aaronstevens · 1 votes · 2 weeks ago · Link

Are Telegram, Wickr, ProtonMail and Signal any good for selling drugs and staying safe?

/u/Debora98 · 1 votes · 3 days ago · Link

No, Telegram requires a phone number, Wickr Me is under AWS and ProtonMail is under Swiss law.

/u/HeadJanitor Moderator OP · 1 votes · 18 hours ago · Link

Exactly, and then some. Good call.

/u/CrazyGoat · 1 votes · 1 week ago · Link

I like Session :)

/u/Debora98 · 1 votes · 3 days ago · Link

I'm gonna tell you my personal experience with Briar:

If your contact is close to you it works well, but as soon as it moves away it literally sucks. You have to teach the password every time you close the app, otherwise you won't receive notifications. Adding a remote contact is practically impossible. 90% of the time messages are not delivered or the notification does not arrive.

/u/HeadJanitor Moderator OP · 1 votes · 3 days ago · Link

Interesting. Not delivered at all... How close in range until you have loss?

/u/Debora98 · 1 votes · 22 hours ago · Link

Bluetooth range and wifi hotspot range (15/30m without walls but depends on devices)