Re: [Tails-dev] Pidgin Protocols Safe?

Delete this message

Reply to this message
Autor: adrelanos
Data:  
Para: tails-dev
Assunto: Re: [Tails-dev] Pidgin Protocols Safe?
intrigeri:
>> Did you check, what kind of "innovative" features the other protocols
>> have? I didn't check, but could imagine they include something similar
>> like CTCP, dishonor proxy settings for file transfer, or send your IP
>> somewhere. (STUN)
>
> I don't think we've checked. Help is welcome :)


Just created a wishlist item. I don't think I am skilled to review them
on a protocol or code base.

On the following wiki page I created an overview about the protocols.
Their default encryption settings. Often default is "if available".
Interestingly one protocol, Gadu-Gadu doesn't let you enforce encryption
and is subsequently vulnerable to encryption strip attacks.

One dangerous feature could be the file transfer proxy in some protocols.

I don't know either if accidentally activating or answering voice or
video is at risk. You have todo/done mute microphone, but what about
webcams?

https://tails.boum.org/todo/Pidgin_Protocol_Review/

>> Pidgin also contains STUN [4], a nice feature for clearnet use, but is
>> it safe in Tails?
>
> I don't think we have researched this.
> Is it enabled? Is it easy to disable?


I don't know.

Use automatically detected IP address: 192.x.x.x is opt-in by default.

Stun server - default: empty
with a hint "Example: stunserver.org".

Haven't looked if stun also works without entering a server.

I could imagine if you google file transfer problems with Pidgin that
the suggestion will be given to enter the stunserver.org and it's also
obvious to try when you look through the settings. Hopefully people
using Tails users abstain from such experiments. I could be totally
wrong and it could allow flawless file transfers over Tor.

> (BTW, link [4] is missing in your email.)


Oops. It was just a link to the wiki article.
https://en.wikipedia.org/wiki/STUN By the way not because I am not sure
you figure out, just to ensure we are talking about the same thing.
Often those acronym have several meanings.

>> Many of the protocols are proprietary. I find their so called
>> "privacy policy" [2] and aup [3] highly questionable.
>
> I doubt Tails should allow or filter access to remote content or
> services depending on the remote side's privacy policies
> and practices.


Yes, privacy by design is stronger than privacy by policy. Just in this
case I am using their privacy by policy to assume...

>> Is support for AIM/ICQ/MSN/[...] important? It's fine for circumvention,
>> if users want to chat with their existing list.
>
> I think it's important to allow users to move part or all of their
> computer activities to Tails, while keeping their existing
> communication channels, at least to start with.


Agreed.

> I think it's important to educate Internet users to use better
> (privacy-wise) protocols, but it's not exactly part of the Tails
> mission. I'm happy that other projects do the education part of
> the work.


Sure, some thing are outside the scope.

>> But people looking for privacy, why should they sign up for
>> AIM/ICQ/MSN/[...]? It's sad, that AIM is on the top of the
>> protocol list.
>
> I'm not sure what you mean here. Do you think people who want to
> create their first IM account would choose the first in the Pidgin
> protocols list?


Something like this.

> I believe most of them would choose what their
> friends use.


What about groups who want to switch their activities to Tor or people
who want to create an anonymous contact address for whatever use case?