updates
parent
df4f027447
commit
0a1527d719
@ -4,6 +4,16 @@ Previous: [[Home]]
|
|||||||
> this is slightly overreacting to the actual issues.
|
> this is slightly overreacting to the actual issues.
|
||||||
[426](https://github.com/TokTok/c-toxcore/issues/426)
|
[426](https://github.com/TokTok/c-toxcore/issues/426)
|
||||||
|
|
||||||
|
* Although Tox works over Tor, we do not recommend its usage for anonymity
|
||||||
|
as it leaks DNS requests due to a 6-year old known unaddressed security
|
||||||
|
issue: https://github.com/TokTok/c-toxcore/issues/469 Do not use it for
|
||||||
|
anonymous communication unless you have a TCP and UDP firewall in place.
|
||||||
|
The exception to this is the Toxygen client, which only gives c-toxcore
|
||||||
|
IP addresses which are resolved through Tor;
|
||||||
|
Up-to-date code is on https://git.plastiras.org/emdee/toxygen
|
||||||
|
This also allows us to use onion addresses in the DHTnodes.json file.
|
||||||
|
Still for anonymous communication we recommend having a firewall in place.
|
||||||
|
|
||||||
* [[ToxHandshakeVulnerableToKCI]]
|
* [[ToxHandshakeVulnerableToKCI]]
|
||||||
* [[UseGroupPasswordThroughAKDF]]
|
* [[UseGroupPasswordThroughAKDF]]
|
||||||
* [[VulnerabilitiesInTheToxOnion]]
|
* [[VulnerabilitiesInTheToxOnion]]
|
||||||
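Review bot: The firewall advice in the added bullet ("unless you have a TCP and UDP firewall in place") does not say what the firewall has to block. Since the stated problem is DNS requests leaking outside Tor, spell it out, for example that outbound traffic that does not go through Tor, DNS included, must be dropped. "6-year old" will go stale; give the date issue 469 was opened instead. The sentence ending "resolved through Tor;" should end with a full stop before "Up-to-date code is on".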
@ -11,10 +21,11 @@ Previous: [[Home]]
|
|||||||
* Currently, toxcore uses onion routing in the process of establishing connections between friends, with the aim of obscuring their identities from third parties. However, this method does not achieve this goal. [This document describes a proposed replacement for onion routing.](https://github.com/zugz/tox-DHTAnnouncements/blob/master/DHTAnnouncements.md)This proposal is adapted from an original proposal by [grayhatter](https://wiki.cmdline.org/doku.php?id=dht:new_friend_finding).
|
* Currently, toxcore uses onion routing in the process of establishing connections between friends, with the aim of obscuring their identities from third parties. However, this method does not achieve this goal. [This document describes a proposed replacement for onion routing.](https://github.com/zugz/tox-DHTAnnouncements/blob/master/DHTAnnouncements.md)This proposal is adapted from an original proposal by [grayhatter](https://wiki.cmdline.org/doku.php?id=dht:new_friend_finding).
|
||||||
|
|
||||||
|
|
||||||
##mCVEs:
|
## CVEs:
|
||||||
|
|
||||||
* [CVE-2018-25022](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25022) The Onion module in toxcore before 0.2.2
|
* [CVE-2018-25022](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25022) The Onion module in toxcore before 0.2.2
|
||||||
|
|
||||||
See also: [[ToxComparedWithOtherIm]]
|
See also: [[ToxComparedWithOtherIm]]
|
||||||
|
|
||||||
See also: <https://github.com/TokTok/c-toxcore/issues?q=is%3Aissue is%3Aopen label%3Asecurity>
|
See also: https://github.com/TokTok/c-toxcore/issues?q=is%3Aissue%20is%3Aopen%20label%3Asecurity
|
||||||
|
|
||||||
|
31
Toxygen.md
31
Toxygen.md
@ -38,7 +38,9 @@ written in pure Python3.
|
|||||||
- Changing nospam
|
- Changing nospam
|
||||||
- File resuming
|
- File resuming
|
||||||
- Read receipts
|
- Read receipts
|
||||||
|
- uses gevent
|
||||||
- NGC groups
|
- NGC groups
|
||||||
|
- PyQt5, PyQt6, PySide2, PySide6 via qtpy
|
||||||
|
|
||||||
### Screenshots
|
### Screenshots
|
||||||
*Toxygen on Ubuntu and Windows*
|
*Toxygen on Ubuntu and Windows*
|
||||||
@ -65,12 +67,11 @@ There's a copy of qweechat in ```thirdparty/qweechat``` backported to
|
|||||||
PyQt5 and integrated into toxygen. Follow the normal instructions for
|
PyQt5 and integrated into toxygen. Follow the normal instructions for
|
||||||
adding a ```relay``` to [weechat](https://github.com/weechat/weechat)
|
adding a ```relay``` to [weechat](https://github.com/weechat/weechat)
|
||||||
```
|
```
|
||||||
/relay add ipv4.ssl.weechat 9001
|
/relay add ipv4.ssl.weechat 9000
|
||||||
/relay start ipv4.ssl.weechat
|
/relay start ipv4.ssl.weechat
|
||||||
```
|
```
|
||||||
or
|
or
|
||||||
```
|
```
|
||||||
/set relay.network.ipv6 off
|
|
||||||
/relay add weechat 9000
|
/relay add weechat 9000
|
||||||
/relay start weechat
|
/relay start weechat
|
||||||
```
|
```
|
||||||
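Review bot: Removing `/set relay.network.ipv6 off` from the second alternative leaves `/relay add weechat 9000` with neither the `ipv4.` nor the `ssl.` prefix that the first alternative has, so that relay is unencrypted and its address family depends on whatever relay.network.ipv6 is currently set to. Either keep the removed line or say in the text that the plain relay is meant for loopback use only (relay.network.bind_address). With 9001 changed to 9000 both alternatives use the same port, which is fine as long as the "or" between them stays.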
@ -83,6 +84,7 @@ Weechat has a Jabber plugin to enable XMPP:
|
|||||||
/help jabber
|
/help jabber
|
||||||
```
|
```
|
||||||
so you can have Tox, IRC and XMPP in the same application!
|
so you can have Tox, IRC and XMPP in the same application!
|
||||||
|
See docs/ToxygenWeechat.md
|
||||||
|
|
||||||
## Install
|
## Install
|
||||||
|
|
||||||
@ -95,9 +97,10 @@ on pypi as it is a dependency. Just download and install it from
|
|||||||
https://git.plastiras.org/emdee/toxygen_wrapper
|
https://git.plastiras.org/emdee/toxygen_wrapper
|
||||||
|
|
||||||
This is being ported to Qt6 using qtpy https://github.com/spyder-ide/qtpy
|
This is being ported to Qt6 using qtpy https://github.com/spyder-ide/qtpy
|
||||||
It now runs on PyQt5 and should soon run on PyQt6 and may run on PySide2 and
|
It now runs on PyQt5 and PyQt6, and may run on PySide2 and
|
||||||
PySide6 - YMMV. You will be able to choose between them by setting the
|
PySide6 - YMMV. You will be able to choose between them by setting the
|
||||||
environment variable QT_API to one of: pyqt5 pyqt6 pyside2 pyside6.
|
environment variable QT_API to one of: pyqt5 pyqt6 pyside2 pyside6.
|
||||||
|
It's currently tested only on PyQt5.
|
||||||
|
|
||||||
To install it, look in the Makefile for the install target and type
|
To install it, look in the Makefile for the install target and type
|
||||||
```
|
```
|
||||||
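Review bot: The changed line states "It now runs on PyQt5 and PyQt6" while the line added two lines below says "It's currently tested only on PyQt5", and the sentence between them still reads "You will be able to choose between them". Pick one status: if PyQt6 is untested, say "should run"; if QT_API selection already works, change "will be able to" to "can". The feature bullet added earlier in this file ("PyQt5, PyQt6, PySide2, PySide6 via qtpy") should match whatever is decided here.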
@ -106,13 +109,35 @@ make install
|
|||||||
You should set the PIP_EXE_MSYS and PYTHON_EXE_MSYS variables and it does
|
You should set the PIP_EXE_MSYS and PYTHON_EXE_MSYS variables and it does
|
||||||
```
|
```
|
||||||
${PIP_EXE_MSYS} --python ${PYTHON_EXE_MSYS} install \
|
${PIP_EXE_MSYS} --python ${PYTHON_EXE_MSYS} install \
|
||||||
|
--no-deps \
|
||||||
--target ${PREFIX}/lib/python${PYTHON_MINOR}/site-packages/ \
|
--target ${PREFIX}/lib/python${PYTHON_MINOR}/site-packages/ \
|
||||||
--upgrade .
|
--upgrade .
|
||||||
```
|
```
|
||||||
and installs into PREFIX which is usually /usr/local
|
and installs into PREFIX which is usually /usr/local
|
||||||
|
|
||||||
|
## Updates
|
||||||
|
|
||||||
Up-to-date code is on https://git.plastiras.org/emdee/toxygen
|
Up-to-date code is on https://git.plastiras.org/emdee/toxygen
|
||||||
|
|
||||||
|
Tox works over Tor, and the c-toxcore library can leak DNS requests
|
||||||
|
due to a 6-year old known security issue:
|
||||||
|
https://github.com/TokTok/c-toxcore/issues/469 but toxygen looksup
|
||||||
|
addresses before calling c-toxcore. This also allows us to use onion
|
||||||
|
addresses in the DHTnodes.json file. Still for anonymous communication
|
||||||
|
we recommend having a TCP and UDP firewall in place.
|
||||||
|
|
||||||
|
Although Tox works with multi-user group chat, there are no checks
|
||||||
|
against impersonation of a screen nickname, so you may not be chatting
|
||||||
|
with the person you think. For the Toxic client, the (closed) issue is:
|
||||||
|
https://github.com/JFreegman/toxic/issues/622#issuecomment-1922116065
|
||||||
|
Solving this might best be done with a solution to MultiDevice q.v.
|
||||||
|
|
||||||
|
The Tox project does not follow semantic versioning so the project may
|
||||||
|
break the underlying ctypes wrapper at any time; it's not possible to
|
||||||
|
use Tox version numbers to tel what the API will be. In which case
|
||||||
|
you'll have to go into the tox.py file in
|
||||||
|
https://git.plastiras.org/emdee/toxygen_wrapper to fix it yourself.
|
||||||
|
|
||||||
## MultiDevice
|
## MultiDevice
|
||||||
|
|
||||||
Work on this project is suspended until the
|
Work on this project is suspended until the
|
||||||
|
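Review bot: The new Updates paragraph says toxygen "looksup addresses before calling c-toxcore" but not how it resolves them, whereas the wiki text in this same commit says they are "resolved through Tor". Say that here too, since a lookup through the system resolver would be the same leak as issue 469. Separately, `--no-deps` is added to the pip command with no word on where the dependencies then come from; add a line pointing at them. Typos: "looksup", "tel".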
@ -6,7 +6,7 @@ There's a copy of qweechat in ```thirdparty/qweechat``` backported to
|
|||||||
PyQt5 and integrated into toxygen. Follow the normal instructions for
|
PyQt5 and integrated into toxygen. Follow the normal instructions for
|
||||||
adding a ```relay``` to [weechat](https://github.com/weechat/weechat)
|
adding a ```relay``` to [weechat](https://github.com/weechat/weechat)
|
||||||
```
|
```
|
||||||
/relay add ipv4.ssl.weechat 9001
|
/relay add ipv4.ssl.weechat 9000
|
||||||
/relay start ipv4.ssl.weechat
|
/relay start ipv4.ssl.weechat
|
||||||
```
|
```
|
||||||
or
|
or
|
||||||
@ -35,7 +35,7 @@ Create a proxy called tor
|
|||||||
|
|
||||||
It should now show up in the list of proxies.
|
It should now show up in the list of proxies.
|
||||||
```
|
```
|
||||||
proxy list
|
/proxy list
|
||||||
```
|
```
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -68,11 +68,28 @@ Do this for each server you want to connect to, or just use one for all of them.
|
|||||||
|
|
||||||
The main discussion forum for Tox is the #TokTok channel on libera.
|
The main discussion forum for Tox is the #TokTok channel on libera.
|
||||||
|
|
||||||
libera has an onion server so we can map an address in tor. Add this
|
https://mox.sh/sysadmin/secure-irc-connection-to-freenode-with-tor-and-weechat/
|
||||||
|
We have to create an account without Tor, this is a requirement to use TOR:
|
||||||
|
Connect to irc.libera.chat without Tor and register
|
||||||
|
```
|
||||||
|
/msg NickServ identify NickName password
|
||||||
|
/msg NickServ REGISTER mypassword mycoolemail@example.com
|
||||||
|
/msg NickServ SET PRIVATE ON
|
||||||
|
```
|
||||||
|
You'll get an email with a registration code.
|
||||||
|
Confirm registration after getting the mail with the code:
|
||||||
|
```
|
||||||
|
/msg NickServ VERIFY REGISTER NickName code1235678
|
||||||
|
```
|
||||||
|
|
||||||
|
Libera has an onion server so we can map an address in tor. Add this
|
||||||
to your /etc/tor/torrc
|
to your /etc/tor/torrc
|
||||||
```
|
```
|
||||||
MapAddress palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion
|
MapAddress palladium.libera.chat libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion
|
||||||
```
|
```
|
||||||
|
Or without the MapAddress just use
|
||||||
|
libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion
|
||||||
|
as the server address below, but set tls_verify to off.
|
||||||
|
|
||||||
Define the server in weechat
|
Define the server in weechat
|
||||||
https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentication
|
https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentication
|
||||||
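Review bot: In the added registration block, `/msg NickServ identify NickName password` comes before `/msg NickServ REGISTER ...`, so it is issued for a nick that is not registered yet, and its argument order is the reverse of the `/msg nickserv identify password NickName` used further down in this commit. Drop it from this block or move it after VERIFY, with one consistent order. The new "set tls_verify to off" advice needs a sentence on why it is required with the bare .onion address and should name the per-server option so that nobody turns verification off for every server. "TOR" should be "Tor", and the mox.sh link that replaces the first sentence has no introducing text.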
@ -82,6 +99,7 @@ https://www.weechat.org/files/doc/stable/weechat_user.en.html#irc_sasl_authentic
|
|||||||
/set irc.server.libera.ipv6 off
|
/set irc.server.libera.ipv6 off
|
||||||
/set irc.server.libera.proxy tor
|
/set irc.server.libera.proxy tor
|
||||||
/set irc.server.libera.username NickName
|
/set irc.server.libera.username NickName
|
||||||
|
/set irc.server.libera.password password
|
||||||
/set irc.server.libera.nicks NickName
|
/set irc.server.libera.nicks NickName
|
||||||
/set irc.server.libera.tls on
|
/set irc.server.libera.tls on
|
||||||
/set irc.server.libera.tls_cert "${weechat_config_dir}/ssl/libera.chat/NickName.pem"
|
/set irc.server.libera.tls_cert "${weechat_config_dir}/ssl/libera.chat/NickName.pem"
|
||||||
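Review bot: `/set irc.server.libera.password password` stores the password in plain text in the WeeChat configuration. Reference WeeChat secured data instead (`/secure set`, then `${sec.data.<name>}` as the option value), or leave the password out, since the lines below it already set `tls_cert` for certificate authentication.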
@ -99,6 +117,8 @@ Disconnect and connect back to the server.
|
|||||||
/connect libera
|
/connect libera
|
||||||
```
|
```
|
||||||
|
|
||||||
|
/msg nickserv identify password NickName
|
||||||
|
|
||||||
|
|
||||||
### oftc.net
|
### oftc.net
|
||||||
|
|
||||||
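Review bot: The added `/msg nickserv identify password NickName` sits after the closing fence, so it renders as running text rather than as a command. Put it in its own fenced block with a line saying when it is needed, given that the server entry above already has a password and a certificate configured.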
@ -108,16 +128,21 @@ To use oftc.net over tor, you need to authenticate by SSL certificates.
|
|||||||
Define the server in weechat
|
Define the server in weechat
|
||||||
```
|
```
|
||||||
/server remove irc.oftc.net
|
/server remove irc.oftc.net
|
||||||
/network add OFTC
|
/server add OFTC irc.oftc.net/6697 -tls -tls_verify
|
||||||
/server add OFTC irc.oftc.net/6697 -proxy tor -autoconnect -ssl_verify -ssl_cert ~/.config/weechat/ssl/irc.oftc.net/NickName.pem
|
|
||||||
/set irc.server.OFTC.ipv6 off
|
/set irc.server.OFTC.ipv6 off
|
||||||
|
/set irc.server.OFTC.proxy tor
|
||||||
|
/set irc.server.OFTC.username NickName
|
||||||
|
/set irc.server.OFTC.nicks NickName
|
||||||
|
/set irc.server.OFTC.tls on
|
||||||
|
/set irc.server.OFTC.tls_cert "${weechat_config_dir}/ssl/irc.oftc.chat/NickName.pem"
|
||||||
|
|
||||||
# Disconnect and connect back to the server.
|
# Disconnect and connect back to the server.
|
||||||
/disconnect OFTC
|
/disconnect OFTC
|
||||||
/connect OFTC
|
/connect OFTC
|
||||||
```
|
```
|
||||||
You must be identified in order to validate using certs
|
You must be identified in order to validate using certs
|
||||||
```
|
```
|
||||||
/msg nickserv identify NickName
|
/msg nickserv identify password NickName
|
||||||
```
|
```
|
||||||
To allow NickServ to identify you based on this certificate you need
|
To allow NickServ to identify you based on this certificate you need
|
||||||
to associate the certificate fingerprint with your nick. To do this
|
to associate the certificate fingerprint with your nick. To do this
|
||||||
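Review bot: The added `tls_cert` value points at `ssl/irc.oftc.chat/NickName.pem`, while the line it replaces used `ssl/irc.oftc.net/NickName.pem`; "oftc.chat" looks like a slip carried over from the libera.chat path. The new `/server add OFTC irc.oftc.net/6697 -tls -tls_verify` also drops `-autoconnect` without comment, and the unchanged `/server remove irc.oftc.net` above it removes a server under a different name than the one being added. The identify line gains a `password` argument; say in the text that it is a placeholder.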
@ -125,3 +150,22 @@ issue the command cert add to Nickserv (try /msg nickserv helpcert).
|
|||||||
```
|
```
|
||||||
/msg nickserv cert add
|
/msg nickserv cert add
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Privacy
|
||||||
|
|
||||||
|
[Add somes settings bellow to weechat](https://szorfein.github.io/weechat/tor/configure-weechat/).
|
||||||
|
Detail from [faq](https://weechat.org/files/doc/weechat_faq.en.html#security).
|
||||||
|
|
||||||
|
```
|
||||||
|
/set irc.server_default.msg_part ""
|
||||||
|
/set irc.server_default.msg_quit ""
|
||||||
|
/set irc.ctcp.clientinfo ""
|
||||||
|
/set irc.ctcp.finger ""
|
||||||
|
/set irc.ctcp.source ""
|
||||||
|
/set irc.ctcp.time ""
|
||||||
|
/set irc.ctcp.userinfo ""
|
||||||
|
/set irc.ctcp.version ""
|
||||||
|
/set irc.ctcp.ping ""
|
||||||
|
/plugin unload xfer
|
||||||
|
/set weechat.plugin.autoload "*,!xfer"
|
||||||
|
```
|
||||||
|
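Review bot: The new Privacy section lists the settings with no sentence on what they do. Add one line saying that they blank the part and quit messages, suppress the CTCP replies, and unload the xfer plugin and keep it from autoloading. Link text typos: "somes", "bellow".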