[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Security Analysis of Instant Messenger TorChat

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Security Analysis of Instant Messenger TorChat
From: me@xxxxxxxxxxxx
Date: Fri, 13 May 2016 22:39:02 +0300
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 13 May 2016 15:39:30 -0400
In-reply-to: <57333AF1.30203@xxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <57333AF1.30203@xxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0

"TorChat processes contact requests and updates the contact listwithout asking the user's consent." "An attacker can exploit thisto add arbitrary contacts to the victim's contact list. . ." OMG, doesany IM client allow this?


On 11.05.16 17:00, Arnis wrote:

FYI:
http://kodu.ut.ee/~arnis/torchat_thesis.pdf

Abstract
TorChat is a peer-to-peer instant messenger built on top of the Tornetwork that not only provides authentication and end-to-endencryption, but also allows the communication parties to stayanonymous. In addition, it prevents third parties from even learningthat communication is taking place.The aim of this thesis is to document the protocol used by TorChat andto analyze the security of TorChat and its reference implementation.The work shows that although the design of TorChat is sound, itsimplementation has several flaws, which make TorChat users vulnerableto impersonation, communication confirmation and denial-of-serviceattacks.
P.S. Fix not available. The author of TorChat, lacks the resources tofix the flaws.


--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Security Analysis of Instant Messenger TorChat
  - From: Blake Hadley

References:
- [tor-talk] Security Analysis of Instant Messenger TorChat
  - From: Arnis

Prev by Author: Re: [tor-talk] 'Refresh tor browser' - and then it wasn't one anymore.
Next by Author: Re: [tor-talk] Proton Mail and Tutanota - not exactly Tor friendly.
Previous by thread: Re: [tor-talk] Security Analysis of Instant Messenger TorChat
Next by thread: Re: [tor-talk] Security Analysis of Instant Messenger TorChat
Index(es):
- Author
- Thread