
Re: [tor-talk] Security Analysis of Instant Messenger TorChat



"TorChat processes contact requests and updates the contact list without asking the user's consent." "An attacker can exploit this to add arbitrary contacts to the victim's contact list. . ." OMG, does any IM client allow this?

On 11.05.16 17:00, Arnis wrote:
FYI:
http://kodu.ut.ee/~arnis/torchat_thesis.pdf

Abstract
TorChat is a peer-to-peer instant messenger built on top of the Tor network that not only provides authentication and end-to-end encryption, but also allows the communication parties to stay anonymous. In addition, it prevents third parties from even learning that communication is taking place. The aim of this thesis is to document the protocol used by TorChat and to analyze the security of TorChat and its reference implementation. The work shows that although the design of TorChat is sound, its implementation has several flaws, which make TorChat users vulnerable to impersonation, communication confirmation and denial-of-service attacks.

P.S. Fix not available. The author of TorChat lacks the resources to fix the flaws.

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk