Last active
December 25, 2015 11:29
-
-
Save arlolra/6969273 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Attentive Otter | |
| =============== | |
| Goal | |
| ---- | |
| Add instant-messaging to the Tor browser bundle in order to provide a secure | |
| communication tool which supports the free flow of information online. | |
| Overview | |
| -------- | |
| Instantbird [1] is a cross-platform IM client based on Mozilla's XULRunner. | |
| The following presents the necessary steps to turn Instantbird into the | |
| future Tor Messenger. | |
| A Way Forward | |
| ------------- | |
| 1. Remove libpurple dependence | |
| This is a trivial amount of work and changes to the build to support it would | |
| be accepted upstream. They are already considering moving libpurple, and the | |
| added protocols it supports, to an add-on for reasons of licensing/code | |
| quality. JS implementations of the following protocols exist: XMPP, Google | |
| Talk, Facebook, IRC, Twitter, with Yahoo landing soon and AIM/ICQ started but | |
| further away. | |
| 2. OTR support | |
| Instantbird currently lacks support for OTR. Two pieces are needed here: a | |
| suitable OTR implementation, and an interface between the client and that | |
| library (essentially, the role that pidgin-otr plays). | |
| To get started, for the OTR library, a js-ctypes wrapper of libotr should be | |
| used in conjunction with the message observer API. Code [2] from a few years | |
| ago towards this end has been written but probably needs to be dusted off and | |
| extended. An effort is underway at Mozilla to implement OTR in JS using NSS, | |
| which could be dropped in as a replacement. A patch has been submitted [3] | |
| but it looks far from complete, so I wouldn't expect it anytime soon. When | |
| asked, they said it won't be ready for *a while*. Should the NSS | |
| implementation fail to materialize entirely, they would still be willing to | |
| take the ctypes wrapper and libotr, as it doesn't present any licensing | |
| issues. In his analysis, Mike suggested converting the ctypes wrapper to an | |
| XPCOM wrapper but it's unclear why that's preferable. | |
| The front-end side seems like a larger undertaking. This involves not only | |
| the interaction with the message observer API but handling the quirks in the | |
| various protocols (think /me in IRC), authentication including SMP, and | |
| importing and storing long-term keys. Sukhe estimated at least a month of | |
| development time and expressed an interest in being the one to undertake it. | |
| On the bright side, the Instantbird team seems eager for OTR support and this | |
| work will most likely be upstreamed. | |
| 3. Disable logging | |
| An add-on may be required to ensure certain desirable configurations, like | |
| logging disable by default. A difference in goals between UX for the | |
| average user and the TIMBB user may force us to maintain these changes. | |
| 4. Tor controller | |
| Tor Launcher will be used as the controller. Sukhe has already reported | |
| having this working. | |
| Using only JS protocol implementations means all HTTP traffic goes through | |
| nsIChannels. For non-HTTP traffic, we'll need to verify what they do with | |
| socket transports [6]. For DNS, network.proxy.socks_remote_dns should be | |
| set. DNS SRV should not be an issue seeing as how it isn't supported by | |
| Mozilla [4]. Should test for other UDP traffic leaks. | |
| 5. Messaging window | |
| Jail it to type=content. Preferably everything is displayed in plaintext, | |
| with HTML disabled or at least sanitized with an XSS filter [5]. Disable JS | |
| and other features. Make use of all the preferences from TorBirdy. | |
| 6. Installer and updates | |
| Leverage the work that's already being done on Mozilla's updater for the TBB. | |
| 7. Deterministic builds | |
| Deterministic builds for the TBB was a major undertaking. I can't imagine | |
| this case being any different, less the experience and groundwork already | |
| laid. | |
| 8. Sandboxing | |
| Come up with a practical, cross-platform way to sandbox the application. | |
| I don't have an answer here. Maybe you do. | |
| 9. Audit | |
| - Instantbird's render attack surface (content window, XSS filter, etc.) | |
| - Crypto in NSS and how JS uses it | |
| - Interface between the UI and OTR | |
| - Proxy by-pass | |
| - And more ... | |
| 10. Translations | |
| Instantbird is available in 14 languages, including French and Spanish. | |
| However, none are RTL and we want to support Arabic and Farsi. Messaging | |
| should already work for RTL languagues though, they've fixed a few bugs | |
| to ensure it, and reflecting the UI is reported to not be a ton of work. | |
| They are definitely willing to accept patches here. | |
| 11. Other considerations | |
| - Disable Instantbird's built-in auto-updater and crash reporter | |
| - For sure OTR on by default, but maybe disallow any non-OTR comm. entirely | |
| - CA verification: TOFU mode? Pin popular domains? | |
| - Disable older TLS/SSL suites | |
| - Consider the interaction between all three Tor bundles (FF, TB, IM). Tor | |
| Launcher could attempt to authenticate and read settings from an already | |
| running control port. | |
| - Choose a different default profile folder (to avoid picking up plugins | |
| and other unsafe settings) | |
| References | |
| ---------- | |
| [1] http://instantbird.com/ | |
| [2] https://gitorious.org/fireotr/fireotr | |
| [3] https://bugzilla.mozilla.org/show_bug.cgi?id=779052#c20 | |
| [4] https://bugzilla.mozilla.org/show_bug.cgi?id=14328 | |
| [5] https://mxr.mozilla.org/comm-beta/source/chat/modules/imContentSink.jsm | |
| [6] http://lxr.instantbird.org/instantbird/source/chat/modules/socket.jsm#549 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment