[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] pidgin and tor

On 10/8/15, sh-expires-12-2015@xxxxxxxxxxxxxxxx
<sh-expires-12-2015@xxxxxxxxxxxxxxxx> wrote:
> ....
> One of the major problems is the design of Pidign, which tries
> to build a convenient IM client before it takes security into
> consideration

"security vs. usability", as ever...

> Still, it is possible to a achieve a high degree of privacy.
> The amount of "security" will vary and depend on many factors.
> A vm is none of them:
> Confining it, doesn't make it more secure, and it mitigates nothing in
> pidgin or libpurple. A broken IM client is still broken, even when
> confined (I am tempted to say buried) in a VM.

consider the Tor Browser PDF exploit that accessed $HOME for keys and other.

if Tor Browser (and Pidgin) are isolated from each other, this $HOME
type attack of reduced risk.

one example.

> If OP has to rely on an IM, like pidgin or a protocol, there is no more
> or added "security" by putting it into a vm or container.
> All he gains is isolation in a best case scenario.

do you not see the benefit in isolating applications at risk of rogue
remote execution?

i agree it is not the only security measure, nor the most important.
but it is useful, and that is why i mention it. more useful would be
using a secure client, but, again, usability.

> Honestly, let's recommend a more secure implemenation
> of the protocol OP wishes to use and educate OP how to use it in
> a manner, that neither privacy and anonymity of the involved parties
> are compromised and the authenticity of the exchanged messages is given.

i disagree with this approach. make the secure usable. don't force
users to adapt to "secure".

> Using Tor with Pidgin, we are at a disadvantage...
> If security is a result of good design, good design is when there
> is nothing left to remove and the design is still secure.

so, you're going to design and implement a usable, secure chat and presence?

> Contrary to the popular misconception, that security is some kind of
> fairydust, product or duct-tape that we can apply to protocols or software
> afterwarts.

actually, i saw this Kickstarter the other day...  ;P

best regards,
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to