[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #17510 [Tor Messenger]: Tor Messenger: store aliases locally
#17510: Tor Messenger: store aliases locally
---------------------------------+--------------------------
Reporter: cypherpunks | Owner: sukhbir
Type: enhancement | Status: assigned
Priority: High | Milestone:
Component: Tor Messenger | Version:
Severity: Normal | Resolution:
Keywords: messenger, metadata | Actual Points:
Parent ID: | Points:
Sponsor: |
---------------------------------+--------------------------
Changes (by arlolra):
* priority: Medium => High
Comment:
> Coy.im is implementing this feature.
That's great to see!
> your contacts could still easily and even accidentally reveal your
identity to the server, which could be compromised or compelled to provide
this data
Right, but that applies equally if your contact isn't using Tor Messenger
to begin with, of which we have no control. If you do, you might want them
to use Ricochet instead of the protocols that Tor Messenger supports to
avoid having a server in the middle to be compromised. Further, you
probably don't want them setting an alias for you at all, less their
machine be compromised.
However, Tor Messenger shouldn't be participating in this behaviour (and
the unwitting part of it scares me), so I've raised the severity.
Tor Messenger already has local aliases and tags, which it stores in an
sqlite db (and accesses via the `serverAlias` property, which is an
unfortunate name). The XMPP prpl seems to have an additional `rosterAlias`
which is the one it sends to the server. That needs to be disabled and
this should all be audited further to make sure I got it right.
https://github.com/mozilla/releases-comm-
central/blob/master/chat/protocols/xmpp/xmpp.jsm#L808
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17510#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs