From 0a1527d71994f1d64f4db843d771743d676d428f Mon Sep 17 00:00:00 2001 From: emdee Date: Sat, 17 Feb 2024 19:48:40 +0000 Subject: [PATCH] updates --- SecurityVulnerabilities.md | 15 ++++++++-- Toxygen.md | 31 +++++++++++++++++++-- ToxygenWeechat.md | 56 ++++++++++++++++++++++++++++++++++---- 3 files changed, 91 insertions(+), 11 deletions(-) diff --git a/SecurityVulnerabilities.md b/SecurityVulnerabilities.md index 81c179e..f0ac5bf 100644 --- a/SecurityVulnerabilities.md +++ b/SecurityVulnerabilities.md @@ -4,6 +4,16 @@ Previous: [[Home]] > this is slightly overreacting to the actual issues. [426](https://github.com/TokTok/c-toxcore/issues/426) +* Although Tox works over Tor, we do not recommend its usage for anonymity + as it leaks DNS requests due to a 6-year old known unaddressed security + issue: https://github.com/TokTok/c-toxcore/issues/469 Do not use it for + anonymous communication unless you have a TCP and UDP firewall in place. + The exception to this is the Toxygen client, which only gives c-toxcore + IP addresses which are resolved through Tor; + Up-to-date code is on https://git.plastiras.org/emdee/toxygen + This also allows us to use onion addresses in the DHTnodes.json file. + Still for anonymous communication we recommend having a firewall in place. + * [[ToxHandshakeVulnerableToKCI]] * [[UseGroupPasswordThroughAKDF]] * [[VulnerabilitiesInTheToxOnion]] 
@@ -11,10 +21,11 @@ Previous: [[Home]] * Currently, toxcore uses onion routing in the process of establishing connections between friends, with the aim of obscuring their identities from third parties. However, this method does not achieve this goal. [This document describes a proposed replacement for onion routing.](https://github.com/zugz/tox-DHTAnnouncements/blob/master/DHTAnnouncements.md)This proposal is adapted from an original proposal by [grayhatter](https://wiki.cmdline.org/doku.php?id=dht:new_friend_finding). -##mCVEs: +## CVEs: * [CVE-2018-25022](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25022) The Onion module in toxcore before 0.2.2 See also: [[ToxComparedWithOtherIm]] -See also: +See also: https://github.com/TokTok/c-toxcore/issues?q=is%3Aissue%20is%3Aopen%20label%3Asecurity + diff --git a/Toxygen.md b/Toxygen.md index 6ec0c54..f35c01c 100644 --- a/Toxygen.md +++ b/Toxygen.md @@ -38,7 +38,9 @@ written in pure Python3. - Changing nospam - File resuming - Read receipts +- uses gevent - NGC groups +- PyQt5, PyQt6, PySide2, PySide6 via qtpy ### Screenshots *Toxygen on Ubuntu and Windows* @@ -65,12 +67,11 @@ There's a copy of qweechat in ```thirdparty/qweechat``` backported to PyQt5 and integrated into toxygen. Follow the normal instructions for adding a ```relay``` to [weechat](https://github.com/weechat/weechat) ``` -/relay add ipv4.ssl.weechat 9001 +/relay add ipv4.ssl.weechat 9000 /relay start ipv4.ssl.weechat ``` or ``` -/set relay.network.ipv6 off /relay add weechat 9000 /relay start weechat ``` @@ -83,6 +84,7 @@ Weechat has a Jabber plugin to enable XMPP: /help jabber ``` so you can have Tox, IRC and XMPP in the same application! +See docs/ToxygenWeechat.md ## Install 
@@ -95,9 +97,10 @@ on pypi as it is a dependency. Just download and install it from https://git.plastiras.org/emdee/toxygen_wrapper This is being ported to Qt6 using qtpy https://github.com/spyder-ide/qtpy -It now runs on PyQt5 and should soon run on PyQt6 and may run on PySide2 and +It now runs on PyQt5 and PyQt6, and may run on PySide2 and PySide6 - YMMV. You will be able to choose between them by setting the environment variable QT_API to one of: pyqt5 pyqt6 pyside2 pyside6. +It's currently tested only on PyQt5. To install it, look in the Makefile for the install target and type ``` 
@@ -106,13 +109,35 @@ make install You should set the PIP_EXE_MSYS and PYTHON_EXE_MSYS variables and it does ``` ${PIP_EXE_MSYS} --python ${PYTHON_EXE_MSYS} install \ + --no-deps \ --target ${PREFIX}/lib/python${PYTHON_MINOR}/site-packages/ \ --upgrade . ``` and installs into PREFIX which is usually /usr/local +## Updates + Up-to-date code is on https://git.plastiras.org/emdee/toxygen +Tox works over Tor, and the c-toxcore library can leak DNS requests +due to a 6-year old known security issue: +https://github.com/TokTok/c-toxcore/issues/469 but toxygen looksup +addresses before calling c-toxcore. This also allows us to use onion +addresses in the DHTnodes.json file. Still for anonymous communication +we recommend having a TCP and UDP firewall in place. + +Although Tox works with multi-user group chat, there are no checks +against impersonation of a screen nickname, so you may not be chatting +with the person you think. For the Toxic client, the (closed) issue is: +https://github.com/JFreegman/toxic/issues/622#issuecomment-1922116065 +Solving this might best be done with a solution to MultiDevice q.v. + +The Tox project does not follow semantic versioning so the project may +break the underlying ctypes wrapper at any time; it's not possible to +use Tox version numbers to tel what the API will be. In which case +you'll have to go into the tox.py file in +https://git.plastiras.org/emdee/toxygen_wrapper to fix it yourself. + ## MultiDevice Work on this project is suspended until the diff --git a/ToxygenWeechat.md b/ToxygenWeechat.md index 8416880..1694669 100644 --- a/ToxygenWeechat.md +++ b/ToxygenWeechat.md @@ -6,7 +6,7 @@ There's a copy of qweechat in ```thirdparty/qweechat``` backported to PyQt5 and integrated into toxygen. Follow the normal instructions for adding a ```relay``` to [weechat](https://github.com/weechat/weechat) ``` -/relay add ipv4.ssl.weechat 9001 +/relay add ipv4.ssl.weechat 9000 /relay start ipv4.ssl.weechat ``` or 
@@ -35,7 +35,7 @@ Create a proxy called tor It should now show up in the list of proxies. ``` -proxy list +/proxy list ``` ``` @@ -68,11 +68,28 @@ Do this for each server you want to connect to, or just use one for all of them. The main discussion forum for Tox is the #TokTok channel on libera. -libera has an onion server so we can map an address in tor. Add this +https://mox.sh/sysadmin/secure-irc-connection-to-freenode-with-tor-and-weechat/ +We have to create an account without Tor, this is a requirement to use TOR: +Connect to irc.libera.chat without Tor and register +``` +/msg NickServ identify NickName password +/msg NickServ REGISTER mypassword mycoolemail@example.com +/msg NickServ SET PRIVATE ON +``` +You'll get an email with a registration code. +Confirm registration after getting the mail with the code: +``` +/msg NickServ VERIFY REGISTER NickName code1235678 +``` + +Libera has an onion server so we can map an address in tor. Add this to your /etc/tor/torrc ``` MapAddress palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion ``` +Or without the MapAddress just use +libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion +as the server address below, but set tls_verify to off. Define the server in weechat https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentication @@ -82,6 +99,7 @@ https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentic /set irc.server.libera.ipv6 off /set irc.server.libera.proxy tor /set irc.server.libera.username NickName +/set irc.server.libera.password password /set irc.server.libera.nicks NickName /set irc.server.libera.tls on /set irc.server.libera.tls_cert "${weechat_config_dir}/ssl/libera.chat/NickName.pem" @@ -99,6 +117,8 @@ Disconnect and connect back to the server. /connect libera ``` +/msg nickserv identify password NickName + ### oftc.net 
@@ -108,16 +128,21 @@ To use oftc.net over tor, you need to authenticate by SSL certificates. Define the server in weechat ``` /server remove irc.oftc.net -/network add OFTC -/server add OFTC irc.oftc.net/6697 -proxy tor -autoconnect -ssl_verify -ssl_cert ~/.config/weechat/ssl/irc.oftc.net/NickName.pem +/server add OFTC irc.oftc.net/6697 -tls -tls_verify /set irc.server.OFTC.ipv6 off +/set irc.server.OFTC.proxy tor +/set irc.server.OFTC.username NickName +/set irc.server.OFTC.nicks NickName +/set irc.server.OFTC.tls on +/set irc.server.OFTC.tls_cert "${weechat_config_dir}/ssl/irc.oftc.chat/NickName.pem" + # Disconnect and connect back to the server. /disconnect OFTC /connect OFTC ``` You must be identified in order to validate using certs ``` -/msg nickserv identify NickName +/msg nickserv identify password NickName ``` To allow NickServ to identify you based on this certificate you need to associate the certificate fingerprint with your nick. To do this @@ -125,3 +150,22 @@ issue the command cert add to Nickserv (try /msg nickserv helpcert). ``` /msg nickserv cert add ``` + +### Privacy + +[Add somes settings bellow to weechat](https://szorfein.github.io/weechat/tor/configure-weechat/). +Detail from [faq](https://weechat.org/files/doc/weechat_faq.en.html#security). + +``` +/set irc.server_default.msg_part "" +/set irc.server_default.msg_quit "" +/set irc.ctcp.clientinfo "" +/set irc.ctcp.finger "" +/set irc.ctcp.source "" +/set irc.ctcp.time "" +/set irc.ctcp.userinfo "" +/set irc.ctcp.version "" +/set irc.ctcp.ping "" +/plugin unload xfer +/set weechat.plugin.autoload "*,!xfer" +```
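Review bot: In the SecurityVulnerabilities.md hunk, the new bullet contradicts itself about whether Toxygen is covered by the warning: it says "Do not use it for anonymous communication unless you have a TCP and UDP firewall in place", then "The exception to this is the Toxygen client", then "Still for anonymous communication we recommend having a firewall in place". Split it into three clear statements: c-toxcore itself leaks DNS (issue 469); Toxygen hands c-toxcore only addresses already resolved through Tor, so it avoids that particular leak; a firewall that blocks all non-Tor egress for the process is still recommended. The line "Up-to-date code is on https://git.plastiras.org/emdee/toxygen" is dropped into the middle of that argument and should move to the end, and "issues/469 Do not use" needs a sentence break. "6-year old" will go stale; give the issue's filing date instead. The same paragraph is added almost verbatim to Toxygen.md in this patch; keep one copy and link the other with the [[...]] style this page already uses.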
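Review bot: In the Toxygen.md feature-list hunk, "- PyQt5, PyQt6, PySide2, PySide6 via qtpy" claims support the same patch takes back in the Install section ("It's currently tested only on PyQt5", PySide2/PySide6 "YMMV"). Qualify the bullet, e.g. "- PyQt5 or PyQt6 via qtpy (PySide2/PySide6 untested)". "- uses gevent" is an implementation detail rather than a user-facing feature; if it stays in this list, say what it gives the user.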
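Review bot: In the Toxygen.md relay hunk, the added "See docs/ToxygenWeechat.md" points at a path that does not match the file this same patch edits, which is ToxygenWeechat.md at the repository root; fix the path or use the wiki-link form ([[ToxygenWeechat]]) used elsewhere in these pages. Two further points on the same hunk: after the 9001 to 9000 change both alternatives listen on 9000, which is fine since they are alternatives, but the second form ("/relay add weechat 9000") has no "ssl." prefix, so that relay is plaintext and the text should say it is only acceptable when the relay is bound to localhost; and "/set relay.network.ipv6 off" is removed without the commit message saying why.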
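Review bot: In the Toxygen.md Qt-port hunk, "It now runs on PyQt5 and PyQt6" and the added "It's currently tested only on PyQt5" sit two lines apart and disagree; say "runs on PyQt5 (tested) and PyQt6 (untested)" or similar. The unchanged context line "This is being ported to Qt6" also no longer matches a sentence that says it already runs on PyQt6.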
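Review bot: In the Toxygen.md make-install hunk, adding "--no-deps" to the pip command means none of the dependencies are installed, but the surrounding text only warns the reader to install toxygen_wrapper by hand. List what must already be present (per this patch: qtpy, one Qt binding, gevent, toxygen_wrapper) and say why the flag is there, for example to stop pip pulling in its own Qt binding. Because "--target" is also used, pip will not report a missing dependency here; it will only fail at import time.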
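Review bot: In the Toxygen.md "## Updates" hunk, "toxygen looksup addresses before calling c-toxcore" needs to say how the lookup is done: if it is a plain system resolver call, the DNS leak from issue 469 has merely moved from c-toxcore into toxygen. The SecurityVulnerabilities.md hunk in this patch says the addresses are "resolved through Tor", so state that here as well and name the setting that turns it on. The following sentence, "This also allows us to use onion addresses in the DHTnodes.json file", does not follow from it: the hunk says toxygen gives c-toxcore IP addresses, and an onion address has no IP address to hand over, so explain what happens to an onion entry. Typos: "looksup" should be "looks up", "tel" should be "tell". The heading "Updates" does not describe the content (DNS leak, nick impersonation, ABI breakage); "Known issues" would. On the last paragraph, telling the user to patch tox.py themselves is less useful than recording the c-toxcore version or commit the wrapper was last tested against.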
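Review bot: In the ToxygenWeechat.md libera registration hunk, "/msg NickServ identify NickName password" comes before "/msg NickServ REGISTER", so it cannot succeed on a nick that is not yet registered; drop it or move it after the VERIFY step. The identify argument order here (nick, then password) also differs from the later hunks in this patch, which use "identify password NickName"; pick one order. The placeholders are inconsistent too ("password" in identify, "mypassword" in REGISTER). The linked mox.sh guide is written for freenode, so say it is only used for the general procedure, and "TOR" should be "Tor". On the added onion alternative, "set tls_verify to off" should say why that is acceptable in this one case (the .onion name itself authenticates the endpoint) and that tls must stay on so the tls_cert configured below still works; as written a reader may copy tls_verify off for the clearnet address as well.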
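Review bot: In the ToxygenWeechat.md libera server hunk, the added "/set irc.server.libera.password password" sets the IRC server (PASS) password, not the NickServ one, and the block sits under the irc_sasl_authentication link and already configures tls_cert; the SASL settings are the sasl_mechanism, sasl_username and sasl_password options (or the external mechanism with that certificate), after which the manual "/msg nickserv identify" following "/connect libera" is redundant. If a password must be stored, put it in secured data with "/secure set" and reference it as "${sec.data.name}" rather than writing it in clear into irc.conf. The added "/msg nickserv identify password NickName" line is also placed after the closing code fence, so it renders as prose rather than as a command.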
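Review bot: In the ToxygenWeechat.md OFTC hunk, the new tls_cert path "${weechat_config_dir}/ssl/irc.oftc.chat/NickName.pem" uses irc.oftc.chat while the server is irc.oftc.net and the removed line used "ssl/irc.oftc.net/NickName.pem"; fix the directory name or certificate authentication will fail. "/server add OFTC irc.oftc.net/6697 -tls -tls_verify" followed by "/set irc.server.OFTC.tls on" sets tls twice; keep one. The identify line changes to "identify password NickName", the opposite order from the libera hunk in this patch; make them consistent or say that the two networks differ.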
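Review bot: In the ToxygenWeechat.md Privacy hunk, the link text "Add somes settings bellow to weechat" should read "Add some settings below to weechat". The earlier hunks set username and nicks per server but nothing in the patch sets a realname; check whether irc.server_default.realname (and username) belong in this list next to msg_part and msg_quit, since the per-server options only cover libera and OFTC.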