updates

emdee 2024-02-17 19:48:40 +00:00
parent df4f027447
commit 0a1527d719
3 changed files with 91 additions and 11 deletions

@ -4,6 +4,16 @@ Previous: [[Home]]
> this is slightly overreacting to the actual issues. > this is slightly overreacting to the actual issues.
[426](https://github.com/TokTok/c-toxcore/issues/426) [426](https://github.com/TokTok/c-toxcore/issues/426)
* Although Tox works over Tor, we do not recommend its usage for anonymity
as it leaks DNS requests due to a 6-year old known unaddressed security
issue: https://github.com/TokTok/c-toxcore/issues/469 Do not use it for
anonymous communication unless you have a TCP and UDP firewall in place.
The exception to this is the Toxygen client, which only gives c-toxcore
IP addresses which are resolved through Tor;
Up-to-date code is on https://git.plastiras.org/emdee/toxygen
This also allows us to use onion addresses in the DHTnodes.json file.
Still for anonymous communication we recommend having a firewall in place.
* [[ToxHandshakeVulnerableToKCI]] * [[ToxHandshakeVulnerableToKCI]]
* [[UseGroupPasswordThroughAKDF]] * [[UseGroupPasswordThroughAKDF]]
* [[VulnerabilitiesInTheToxOnion]] * [[VulnerabilitiesInTheToxOnion]]
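Review bot: the Tor/DNS advisory added at the top of this hunk (`Although Tox works over Tor ... firewall in place.`) is added a second time, reworded, in the README's new `## Updates` section in this same commit, and the two copies already disagree (`leaks DNS requests` here, `can leak DNS requests` there); keep the authoritative wording in one place and have the other link to it. Two smaller points: `6-year old` will go stale, so cite the date the issue was opened instead, and `The exception to this is the Toxygen client, which only gives c-toxcore IP addresses which are resolved through Tor;` ends in a stray semicolon and should run on into the next sentence.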
@ -11,10 +21,11 @@ Previous: [[Home]]
* Currently, toxcore uses onion routing in the process of establishing connections between friends, with the aim of obscuring their identities from third parties. However, this method does not achieve this goal. [This document describes a proposed replacement for onion routing.](https://github.com/zugz/tox-DHTAnnouncements/blob/master/DHTAnnouncements.md)This proposal is adapted from an original proposal by [grayhatter](https://wiki.cmdline.org/doku.php?id=dht:new_friend_finding). * Currently, toxcore uses onion routing in the process of establishing connections between friends, with the aim of obscuring their identities from third parties. However, this method does not achieve this goal. [This document describes a proposed replacement for onion routing.](https://github.com/zugz/tox-DHTAnnouncements/blob/master/DHTAnnouncements.md)This proposal is adapted from an original proposal by [grayhatter](https://wiki.cmdline.org/doku.php?id=dht:new_friend_finding).
##mCVEs: ## CVEs:
* [CVE-2018-25022](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25022) The Onion module in toxcore before 0.2.2 * [CVE-2018-25022](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25022) The Onion module in toxcore before 0.2.2
See also: [[ToxComparedWithOtherIm]] See also: [[ToxComparedWithOtherIm]]
See also: <https://github.com/TokTok/c-toxcore/issues?q=is%3Aissue is%3Aopen label%3Asecurity> See also: https://github.com/TokTok/c-toxcore/issues?q=is%3Aissue%20is%3Aopen%20label%3Asecurity

@ -38,7 +38,9 @@ written in pure Python3.
- Changing nospam - Changing nospam
- File resuming - File resuming
- Read receipts - Read receipts
- uses gevent
- NGC groups - NGC groups
- PyQt5, PyQt6, PySide2, PySide6 via qtpy
### Screenshots ### Screenshots
*Toxygen on Ubuntu and Windows* *Toxygen on Ubuntu and Windows*
@ -65,12 +67,11 @@ There's a copy of qweechat in ```thirdparty/qweechat``` backported to
PyQt5 and integrated into toxygen. Follow the normal instructions for PyQt5 and integrated into toxygen. Follow the normal instructions for
adding a ```relay``` to [weechat](https://github.com/weechat/weechat) adding a ```relay``` to [weechat](https://github.com/weechat/weechat)
``` ```
/relay add ipv4.ssl.weechat 9001 /relay add ipv4.ssl.weechat 9000
/relay start ipv4.ssl.weechat /relay start ipv4.ssl.weechat
``` ```
or or
``` ```
/set relay.network.ipv6 off
/relay add weechat 9000 /relay add weechat 9000
/relay start weechat /relay start weechat
``` ```
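Review bot: `/set relay.network.ipv6 off` is added only inside the second (`or`) block, but the option name has no per-relay component, so it applies to every relay, including the `ipv4.ssl.weechat` one in the first block; move it above the `or` so both variants get it. Changing the first relay's port from 9001 to 9000 also makes the two alternatives listen on the same port, which is fine only while the text presents them as either/or; say that running both would conflict.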
@ -83,6 +84,7 @@ Weechat has a Jabber plugin to enable XMPP:
/help jabber /help jabber
``` ```
so you can have Tox, IRC and XMPP in the same application! so you can have Tox, IRC and XMPP in the same application!
See docs/ToxygenWeechat.md
## Install ## Install
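Review bot: the added `See docs/ToxygenWeechat.md` is a bare path dropped between the XMPP sentence and the `## Install` heading; the README links its other references (`[weechat](https://github.com/weechat/weechat)`), so make this a relative link, `See [docs/ToxygenWeechat.md](docs/ToxygenWeechat.md)`, and say what the reader will find there (the Tor proxy and IRC-over-Tor setup that this commit also edits in that file).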
@ -95,9 +97,10 @@ on pypi as it is a dependency. Just download and install it from
https://git.plastiras.org/emdee/toxygen_wrapper https://git.plastiras.org/emdee/toxygen_wrapper
This is being ported to Qt6 using qtpy https://github.com/spyder-ide/qtpy This is being ported to Qt6 using qtpy https://github.com/spyder-ide/qtpy
It now runs on PyQt5 and should soon run on PyQt6 and may run on PySide2 and It now runs on PyQt5 and PyQt6, and may run on PySide2 and
PySide6 - YMMV. You will be able to choose between them by setting the PySide6 - YMMV. You will be able to choose between them by setting the
environment variable QT_API to one of: pyqt5 pyqt6 pyside2 pyside6. environment variable QT_API to one of: pyqt5 pyqt6 pyside2 pyside6.
It's currently tested only on PyQt5.
To install it, look in the Makefile for the install target and type To install it, look in the Makefile for the install target and type
``` ```
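Review bot: `It now runs on PyQt5 and PyQt6` on the changed line is contradicted two lines later by the added `It's currently tested only on PyQt5.`, and the feature list earlier in this commit adds `PyQt5, PyQt6, PySide2, PySide6 via qtpy` as if all four bindings were supported. State one thing consistently: which bindings are tested, which are known to import, and which are untested.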
@ -106,13 +109,35 @@ make install
You should set the PIP_EXE_MSYS and PYTHON_EXE_MSYS variables and it does You should set the PIP_EXE_MSYS and PYTHON_EXE_MSYS variables and it does
``` ```
${PIP_EXE_MSYS} --python ${PYTHON_EXE_MSYS} install \ ${PIP_EXE_MSYS} --python ${PYTHON_EXE_MSYS} install \
--no-deps \
--target ${PREFIX}/lib/python${PYTHON_MINOR}/site-packages/ \ --target ${PREFIX}/lib/python${PYTHON_MINOR}/site-packages/ \
--upgrade . --upgrade .
``` ```
and installs into PREFIX which is usually /usr/local and installs into PREFIX which is usually /usr/local
## Updates
Up-to-date code is on https://git.plastiras.org/emdee/toxygen Up-to-date code is on https://git.plastiras.org/emdee/toxygen
Tox works over Tor, and the c-toxcore library can leak DNS requests
due to a 6-year old known security issue:
https://github.com/TokTok/c-toxcore/issues/469 but toxygen looksup
addresses before calling c-toxcore. This also allows us to use onion
addresses in the DHTnodes.json file. Still for anonymous communication
we recommend having a TCP and UDP firewall in place.
Although Tox works with multi-user group chat, there are no checks
against impersonation of a screen nickname, so you may not be chatting
with the person you think. For the Toxic client, the (closed) issue is:
https://github.com/JFreegman/toxic/issues/622#issuecomment-1922116065
Solving this might best be done with a solution to MultiDevice q.v.
The Tox project does not follow semantic versioning so the project may
break the underlying ctypes wrapper at any time; it's not possible to
use Tox version numbers to tel what the API will be. In which case
you'll have to go into the tox.py file in
https://git.plastiras.org/emdee/toxygen_wrapper to fix it yourself.
## MultiDevice ## MultiDevice
Work on this project is suspended until the Work on this project is suspended until the
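Review bot: the added `--no-deps \` in the pip install block means pip will no longer pull in the dependencies this README names (toxygen_wrapper, qtpy, gevent, the chosen Qt binding), but the surrounding text (`You should set the PIP_EXE_MSYS and PYTHON_EXE_MSYS variables and it does`) does not say they must be installed first; add a sentence or point at the Makefile target that installs them. In the new `## Updates` section: `looksup` should be `looks up` and `tel` should be `tell`; the Tor/DNS paragraph duplicates, with different wording, the one added to the security-issues page in this commit, so keep one and link to it; and `Solving this might best be done with a solution to MultiDevice q.v.` should link the `## MultiDevice` heading that follows rather than rely on `q.v.`.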

@ -6,7 +6,7 @@ There's a copy of qweechat in ```thirdparty/qweechat``` backported to
PyQt5 and integrated into toxygen. Follow the normal instructions for PyQt5 and integrated into toxygen. Follow the normal instructions for
adding a ```relay``` to [weechat](https://github.com/weechat/weechat) adding a ```relay``` to [weechat](https://github.com/weechat/weechat)
``` ```
/relay add ipv4.ssl.weechat 9001 /relay add ipv4.ssl.weechat 9000
/relay start ipv4.ssl.weechat /relay start ipv4.ssl.weechat
``` ```
or or
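Review bot: this is the second copy of the relay block (the README's copy receives the same 9001 to 9000 change earlier in this commit), but the `/set relay.network.ipv6 off` line added to the README's copy is not added here, so the two copies now differ; apply the same change to both, or keep the block in one file and link to it from the other.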
@ -35,7 +35,7 @@ Create a proxy called tor
It should now show up in the list of proxies. It should now show up in the list of proxies.
``` ```
proxy list /proxy list
``` ```
``` ```
@ -68,11 +68,28 @@ Do this for each server you want to connect to, or just use one for all of them.
The main discussion forum for Tox is the #TokTok channel on libera. The main discussion forum for Tox is the #TokTok channel on libera.
libera has an onion server so we can map an address in tor. Add this https://mox.sh/sysadmin/secure-irc-connection-to-freenode-with-tor-and-weechat/
We have to create an account without Tor, this is a requirement to use TOR:
Connect to irc.libera.chat without Tor and register
```
/msg NickServ identify NickName password
/msg NickServ REGISTER mypassword mycoolemail@example.com
/msg NickServ SET PRIVATE ON
```
You'll get an email with a registration code.
Confirm registration after getting the mail with the code:
```
/msg NickServ VERIFY REGISTER NickName code1235678
```
Libera has an onion server so we can map an address in tor. Add this
to your /etc/tor/torrc to your /etc/tor/torrc
``` ```
MapAddress palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion MapAddress palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion
``` ```
Or without the MapAddress just use
libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion
as the server address below, but set tls_verify to off.
Define the server in weechat Define the server in weechat
https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentication https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentication
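Review bot: in the registration block, `/msg NickServ identify NickName password` comes before `/msg NickServ REGISTER ...`, but there is no account to identify to until REGISTER and VERIFY have run; drop that line or move it after the VERIFY step. Its argument order (`NickName password`) also differs from the `identify password NickName` line added later in this file for the same Libera server, so use one order. The sentence `We have to create an account without Tor, this is a requirement to use TOR:` is ungrammatical and should state what the requirement is (that the account must already exist before connecting via Tor), and the `Or without the MapAddress ... set tls_verify to off` alternative should say what the reader gives up: with verification off the client no longer checks the server certificate at all and is relying on the .onion name, which Tor authenticates, to identify the server.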
@ -82,6 +99,7 @@ https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentic
/set irc.server.libera.ipv6 off /set irc.server.libera.ipv6 off
/set irc.server.libera.proxy tor /set irc.server.libera.proxy tor
/set irc.server.libera.username NickName /set irc.server.libera.username NickName
/set irc.server.libera.password password
/set irc.server.libera.nicks NickName /set irc.server.libera.nicks NickName
/set irc.server.libera.tls on /set irc.server.libera.tls on
/set irc.server.libera.tls_cert "${weechat_config_dir}/ssl/libera.chat/NickName.pem" /set irc.server.libera.tls_cert "${weechat_config_dir}/ssl/libera.chat/NickName.pem"
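Review bot: the added `/set irc.server.libera.password password` stores the server password in clear text in irc.conf; weechat's secured data store exists for exactly this, so prefer `/secure set libera_pw password` followed by `/set irc.server.libera.password "${sec.data.libera_pw}"`. The block also configures a client certificate (`tls_cert`) under a heading that links the SASL authentication docs, so say whether the password is needed in addition to the certificate or is only the fallback when certificate authentication is not set up.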
@ -99,6 +117,8 @@ Disconnect and connect back to the server.
/connect libera /connect libera
``` ```
/msg nickserv identify password NickName
### oftc.net ### oftc.net
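Review bot: the added `/msg nickserv identify password NickName` sits after the closing fence of the `/connect libera` block, so it renders as body text rather than as a command; move it inside the fence. Its argument order also differs from the `identify NickName password` used in the registration block added earlier in this file; pick one.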
@ -108,16 +128,21 @@ To use oftc.net over tor, you need to authenticate by SSL certificates.
Define the server in weechat Define the server in weechat
``` ```
/server remove irc.oftc.net /server remove irc.oftc.net
/network add OFTC /server add OFTC irc.oftc.net/6697 -tls -tls_verify
/server add OFTC irc.oftc.net/6697 -proxy tor -autoconnect -ssl_verify -ssl_cert ~/.config/weechat/ssl/irc.oftc.net/NickName.pem
/set irc.server.OFTC.ipv6 off /set irc.server.OFTC.ipv6 off
/set irc.server.OFTC.proxy tor
/set irc.server.OFTC.username NickName
/set irc.server.OFTC.nicks NickName
/set irc.server.OFTC.tls on
/set irc.server.OFTC.tls_cert "${weechat_config_dir}/ssl/irc.oftc.chat/NickName.pem"
# Disconnect and connect back to the server. # Disconnect and connect back to the server.
/disconnect OFTC /disconnect OFTC
/connect OFTC /connect OFTC
``` ```
You must be identified in order to validate using certs You must be identified in order to validate using certs
``` ```
/msg nickserv identify NickName /msg nickserv identify password NickName
``` ```
To allow NickServ to identify you based on this certificate you need To allow NickServ to identify you based on this certificate you need
to associate the certificate fingerprint with your nick. To do this to associate the certificate fingerprint with your nick. To do this
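Review bot: the new `/set irc.server.OFTC.tls_cert "${weechat_config_dir}/ssl/irc.oftc.chat/NickName.pem"` points at an `irc.oftc.chat` directory, while the server is `irc.oftc.net` everywhere else in the block and the removed `/server add` line used `ssl/irc.oftc.net/NickName.pem`; this looks like a typo and the certificate will not be found, so certificate-based identification silently fails. Two smaller points: `-tls -tls_verify` on the new `/server add` line makes the later `/set irc.server.OFTC.tls on` redundant, and the removed line's `-autoconnect` is dropped without comment, so say whether that is intended. The identify line changes from `identify NickName` to `identify password NickName`; check that against OFTC's NickServ syntax, since it is the reverse of the `identify NickName password` order used in the Libera registration block in this same file.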
@ -125,3 +150,22 @@ issue the command cert add to Nickserv (try /msg nickserv helpcert).
``` ```
/msg nickserv cert add /msg nickserv cert add
``` ```
### Privacy
[Add somes settings bellow to weechat](https://szorfein.github.io/weechat/tor/configure-weechat/).
Detail from [faq](https://weechat.org/files/doc/weechat_faq.en.html#security).
```
/set irc.server_default.msg_part ""
/set irc.server_default.msg_quit ""
/set irc.ctcp.clientinfo ""
/set irc.ctcp.finger ""
/set irc.ctcp.source ""
/set irc.ctcp.time ""
/set irc.ctcp.userinfo ""
/set irc.ctcp.version ""
/set irc.ctcp.ping ""
/plugin unload xfer
/set weechat.plugin.autoload "*,!xfer"
```
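Review bot: `Add somes settings bellow to weechat` should read `Add some of the settings below to weechat`, and the section should say what each group does so readers can judge what they give up: emptying `msg_part` and `msg_quit` stops weechat's default part/quit messages from advertising the client, the empty `irc.ctcp.*` values stop weechat from answering CTCP VERSION, TIME, USERINFO and similar queries that disclose client and system details, and unloading `xfer` (and excluding it from autoload) disables DCC file transfers and chats, which are direct connections to the other party rather than to the IRC server. A short note that `/plugin unload xfer` takes effect immediately while the `weechat.plugin.autoload` change makes it persist across restarts would also help.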