[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #17510 [Tor Messenger]: Tor Messenger: store aliases locally



#17510: Tor Messenger: store aliases locally
---------------------------------+--------------------------
 Reporter:  cypherpunks          |          Owner:  sukhbir
     Type:  enhancement          |         Status:  assigned
 Priority:  High                 |      Milestone:
Component:  Tor Messenger        |        Version:
 Severity:  Normal               |     Resolution:
 Keywords:  messenger, metadata  |  Actual Points:
Parent ID:                       |         Points:
  Sponsor:                       |
---------------------------------+--------------------------
Changes (by arlolra):

 * priority:  Medium => High


Comment:

 > Coy.im is implementing this feature.

 That's great to see!

 > your contacts could still easily and even accidentally reveal your
 identity to the server, which could be compromised or compelled to provide
 this data

 Right, but that applies equally if your contact isn't using Tor Messenger
 to begin with, of which we have no control. If you do, you might want them
 to use Ricochet instead of the protocols that Tor Messenger supports to
 avoid having a server in the middle to be compromised. Further, you
 probably don't want them setting an alias for you at all, less their
 machine be compromised.

 However, Tor Messenger shouldn't be participating in this behaviour (and
 the unwitting part of it scares me), so I've raised the severity.

 Tor Messenger already has local aliases and tags, which it stores in an
 sqlite db (and accesses via the `serverAlias` property, which is an
 unfortunate name). The XMPP prpl seems to have an additional `rosterAlias`
 which is the one it sends to the server. That needs to be disabled and
 this should all be audited further to make sure I got it right.

 https://github.com/mozilla/releases-comm-
 central/blob/master/chat/protocols/xmpp/xmpp.jsm#L808

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17510#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs