Hoi,
Below you can find the analysis of xmpp-client for the Attentive
otter project, written by dgoulet, nickm, arlo, asn and myself.
All the best,
Jurre
--------
Intro
xmpp-client is a simple XMPP client written in pure Go with OTRv2
support. It's a terminal program but doesn't have a GUI or a UI like
GTK or ncurses. The software should be considered in an alpha
state.
*Is traffic sent over Tor?*
Yes, xmpp-client has support for sending all traffic over Tor, including
connections to onion addresses. When you connect to jabber.ccc.de or
the riseup.net jabber service, you are automatically connected over
Tor through their onion address (hidden service), if Tor is running.
SRV lookups are not proxied.
*Chat network(s) support*
Only basic XMPP is supported; no extensions are implemented (XEP -
http://xmpp.org/xmpp-protocols/xmpp-extensions/).
*How trivial is extending XMPP-Client to different protocols?*
This code base is only for XMPP and seems quite hardcoded for that.
Section "Instant Messaging" -
https://code.google.com/p/go-wiki/wiki/Projects#Networking
* XMPP in Go - https://github.com/mattn/go-xmpp
* IRC in Go - https://github.com/husio/go-irc
* Various Go bindings - http://go-lang.cat-v.org/library-bindings
*OTR*
OTR support comes from the Go crypto package:
https://code.google.com/p/go.crypto/
This library only supports OTRv2, not the latest OTRv3
specification. If we want to be resistant to several attacks[1] on
the OTR protocol, we need to either reimplement the OTR protocol and
update it to the latest version, or use Cgo to bind to libotr.
(Open questions: OTR by default?, )
[1]
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf
*What languages are supported?*
Currently, there is only support for English. Extending the client
with other languages, such as Farsi, French, Spanish and Arabic, is
rather trivial.
*_Graphical interface_*
A graphical interface needs to be implemented for the client.
However, only a limited number of graphical interface libraries are
available, and all are far from stable. The best bet for now is to
extend Go-GTK and send fixes upstream. Another thing we
could do is implement or extend an existing minimal implementation
of a Qt library. This means, however, that we would need to maintain
an extra "third party" UI library, which isn't Tor's core
"business".
* Qt: https://github.com/visualfc/go-ui
* GTK: http://mattn.github.io/go-gtk/
* Webkit: https://github.com/mattn/go-webkit
*_Operating System Support_*
*Windows*
* MSI package support - http://golang.org/doc/install#windows
*Mac OS X*
* Package exists for Go - http://golang.org/doc/install#osx
*Linux*
Packaged in most distributions.
*_Build & build automation_*
*Cross-platform*
Go compiles into a static binary. In addition, Go can build
cross-platform binaries.
*Deterministic builds*
Some hacking will be needed, and getting a deterministic binary
for Go might prove more difficult. I'm unsure whether this is going
to be easily implemented (more research needed).
*Browser extension*
From what I understand of Xullauncher, we can start any type of
application shipped in the "TBB sandbox" in a specific path. With
xmpp-client, it would require a Go version that is shipped with the
TBB and every other library we use (i.e. crypto.otr). (Not 100% sure
here...). A fat binary is also an option here (Go + otr +
xmpp-client).
*Control mechanism*
A control mechanism needs to be implemented so xmpp-client can
interact with Firefox in some way or the other.
*_Hardening_*
*Building with hardened compiler flags*
Hardening is possible by using gccgo, which is a frontend to GCC,
the GNU compiler.
* http://golang.org/doc/install/gccgo
*Sandboxing*
* There is an existing AppArmor profile for xmpp-client for Ubuntu
11.04+
* There isn't a Seatbelt OS X sandbox profile.
* There isn't a way to sandbox on Windows.
--
Developer at https://www.useotrproject.org/
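Added example, not part of the original message and not xmpp-client code: a Go model of the point made under "Is traffic sent over Tor?", showing why a connection through an onion address involves no local DNS while an SRV lookup does. The names `planConnection`, `socks5Connect` and `knownOnions`, the domains `jabber.example` and `chat.example`, and the onion placeholder are constructed for illustration; that a domain without a known onion address falls back to an SRV query is an assumption of the model.

```go
// Added example: models the DNS exposure described above; not xmpp-client code.
package main

import (
	"errors"
	"fmt"
	"net"
)

// Constructed placeholder; the page does not list the real onion addresses.
var knownOnions = map[string]string{"jabber.example": "placeholderaddress.onion"}

// plan records what one connection attempt exposes.
type plan struct {
	Target   string // name handed to Tor's SOCKS port
	LocalDNS string // query answered by the local resolver, outside Tor
}

// planConnection: a known onion needs no DNS at all; any other domain is
// located through an SRV query (RFC 6120), which is the unproxied step.
func planConnection(domain string) plan {
	if onion, ok := knownOnions[domain]; ok {
		return plan{Target: onion}
	}
	return plan{Target: domain, LocalDNS: "_xmpp-client._tcp." + domain}
}

// socks5Connect builds the RFC 1928 CONNECT request. Address type 0x03 sends
// the hostname to Tor unresolved, so the TCP connect itself causes no lookup.
func socks5Connect(host string, port uint16) ([]byte, error) {
	if len(host) == 0 || len(host) > 255 {
		return nil, errors.New("hostname must be 1..255 bytes")
	}
	if net.ParseIP(host) != nil {
		// Refuse IP literals so a locally resolved address cannot be passed in.
		return nil, errors.New("IP literal: pass the hostname so Tor resolves it")
	}
	req := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	return append(req, byte(port>>8), byte(port)), nil
}

func main() {
	for _, d := range []string{"jabber.example", "chat.example"} {
		p := planConnection(d)
		req, _ := socks5Connect(p.Target, 5222)
		fmt.Printf("%-15s target=%s localDNS=%q request=% x\n", d, p.Target, p.LocalDNS, req)
	}
}
```

A non-empty `LocalDNS` marks the query a network observer or the local resolver still sees even when the XMPP stream itself runs over Tor.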