-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hoi,

Below you can find the analysis of xmpp-client for the Attentive otter project, written by dgoulet, nickm, arlo, asn and myself.

All the best,
Jurre

- --------

Intro

xmpp-client is a simple XMPP client written in pure Go with OTRv2 support. It is a terminal program without a GUI toolkit (such as GTK) or a text UI (such as ncurses). The software should be considered to be in an alpha state.

*Is traffic sent over Tor?*
Yes, xmpp-client has support for sending all traffic over Tor, including connections to onion addresses (hidden services). When you connect to jabber.ccc.de or the riseup.net jabber service, you are automatically connected over Tor through their onion address, if Tor is running. SRV lookups are not proxied, so the DNS SRV query for a server still goes through the local resolver, outside Tor.
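To make the "over Tor, but DNS outside Tor" distinction concrete, here is an added example (not code from xmpp-client or the go.crypto package) of a minimal SOCKS5 CONNECT client, the way a Go program talks to Tor's SOCKS port. The destination is always sent to the proxy as a domain name (SOCKS5 ATYP 0x03), so Tor resolves it and nothing is looked up locally; an SRV lookup, by contrast, has to be done by the local resolver, which is exactly the leak the paragraph above describes. The Tor address 127.0.0.1:9050 and the target host example.org:5222 in main() are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
)

// Minimal SOCKS5 (RFC 1928) CONNECT client, "no authentication" method only.
// The destination is sent as a domain name (ATYP 0x03) so that the proxy
// (Tor), not the local resolver, resolves it: a local DNS lookup would leak
// the server name outside the Tor circuit.

// socks5ConnectRequest builds the CONNECT request bytes for host:port.
func socks5ConnectRequest(host string, port uint16) ([]byte, error) {
	if len(host) == 0 || len(host) > 255 {
		return nil, errors.New("hostname must be 1..255 bytes")
	}
	// VER=5, CMD=CONNECT(1), RSV=0, ATYP=DOMAINNAME(3), LEN, name, port (big-endian)
	req := []byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}
	req = append(req, host...)
	req = append(req, byte(port>>8), byte(port))
	return req, nil
}

// socks5Connect runs the handshake on an already-open connection to the proxy
// and returns nil once the proxy reports that the remote connection is up.
func socks5Connect(conn io.ReadWriter, host string, port uint16) error {
	// Method negotiation: offer only "no authentication required".
	if _, err := conn.Write([]byte{0x05, 0x01, 0x00}); err != nil {
		return err
	}
	sel := make([]byte, 2)
	if _, err := io.ReadFull(conn, sel); err != nil {
		return err
	}
	if sel[0] != 0x05 || sel[1] != 0x00 {
		return fmt.Errorf("proxy refused no-auth method: % x", sel)
	}

	req, err := socks5ConnectRequest(host, port)
	if err != nil {
		return err
	}
	if _, err := conn.Write(req); err != nil {
		return err
	}

	// Reply: VER REP RSV ATYP BND.ADDR BND.PORT
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return err
	}
	if hdr[0] != 0x05 {
		return fmt.Errorf("bad reply version %d", hdr[0])
	}
	if hdr[1] != 0x00 {
		return fmt.Errorf("proxy CONNECT failed, REP=0x%02x", hdr[1])
	}
	var addrLen int
	switch hdr[3] {
	case 0x01: // IPv4
		addrLen = 4
	case 0x04: // IPv6
		addrLen = 16
	case 0x03: // domain name, length-prefixed
		l := make([]byte, 1)
		if _, err := io.ReadFull(conn, l); err != nil {
			return err
		}
		addrLen = int(l[0])
	default:
		return fmt.Errorf("unknown ATYP 0x%02x in reply", hdr[3])
	}
	// Drain BND.ADDR and BND.PORT; their values are not needed here.
	if _, err := io.ReadFull(conn, make([]byte, addrLen+2)); err != nil {
		return err
	}
	return nil
}

// dialViaTor opens a TCP connection to Tor's SOCKS port and tunnels a
// connection to host:port through it. host may be an .onion address.
func dialViaTor(torSocks, host string, port uint16) (net.Conn, error) {
	conn, err := net.Dial("tcp", torSocks)
	if err != nil {
		return nil, err
	}
	if err := socks5Connect(conn, host, port); err != nil {
		conn.Close()
		return nil, err
	}
	return conn, nil
}

func main() {
	// Assumed: a local Tor with its SOCKS listener on 127.0.0.1:9050 (the
	// default). The target host and port are placeholders.
	conn, err := dialViaTor("127.0.0.1:9050", "example.org", 5222)
	if err != nil {
		fmt.Fprintln(os.Stderr, "dial failed:", err)
		os.Exit(1)
	}
	defer conn.Close()
	fmt.Println("connected through Tor; the XMPP stream can start here")
}
```

Note what is missing on purpose: there is no net.LookupSRV call. Tor's SOCKS interface can resolve A/AAAA records for a CONNECT by name, but it cannot answer an SRV query, so a client that wants SRV-based server discovery either asks the local resolver (and leaks the server name) or skips SRV and connects to a configured host directly.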

*Chat network(s) support*
Only basic XMPP is supported; no extensions (XEPs - http://xmpp.org/xmpp-protocols/xmpp-extensions/) are implemented.

*How trivial is extending XMPP-Client to different protocols?*
This code base is only for XMPP and seems quite hardcoded for that.
Section "Instant Messaging" - https://code.google.com/p/go-wiki/wiki/Projects#Networking

* XMPP in Go - https://github.com/mattn/go-xmpp
* IRC in Go - https://github.com/husio/go-irc

* Various Go bindings - http://go-lang.cat-v.org/library-bindings

*OTR*
OTR support comes from the Go crypto package: https://code.google.com/p/go.crypto/
This library only has support for OTRv2 and not the latest OTRv3 specification. If we want to be resistant to several attacks[1] on the OTR protocol, we need to either reimplement the OTR protocol and update it to the latest version, or use cgo to bind into libotr. (Open question: OTR by default?)

[1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf

*What languages are supported?*
Currently, there is only support for English; extending the client with other languages, such as Farsi, French, Spanish and Arabic, is rather trivial.

*_Graphical interface_*

A graphical interface needs to be implemented for the client. However, only a limited number of Go GUI bindings are available, and all are far from stable. The best bet for now is to use Go-GTK, extend it, and send fixes upstream. Another option is to implement, or extend, a minimal Qt binding. This means, however, that we would need to maintain an extra "third party" UI library, which isn't Tor's core "business".

* QT: https://github.com/visualfc/go-ui
* GTK: http://mattn.github.io/go-gtk/
* Webkit: https://github.com/mattn/go-webkit

*_Operating System Support_*

*Windows*
* MSI package support - http://golang.org/doc/install#windows

*Mac OS X*
* Package exists for Go - http://golang.org/doc/install#osx

*Linux*
Packaged in most distributions.

*_Build & build automation_*

*Cross-platform*
Go compiles into a static binary, and it can also cross-compile binaries for other platforms.

*Deterministic builds*
Some hacking is needed, and getting a deterministic binary out of Go might prove more difficult. I'm unsure whether this is going to be easily implemented (more research needed).

*Browser extension*
From what I understand of Xullauncher, we can start any type of application shipped in the "TBB sandbox" from a specific path. With xmpp-client, this would require a Go version shipped with the TBB, plus every other library we use (e.g. crypto.otr). (Not 100% sure here...) A fat binary is also an option here (Go + otr + xmpp-client).

*Control mechanism*
A control mechanism needs to be implemented so xmpp-client can interact with Firefox in some way or the other.

*_Hardening_*

*Building with hardened compiler flags*
Hardening is possible by using gccgo, a Go frontend for GCC (the GNU Compiler Collection), which accepts GCC's usual hardening flags.

  * http://golang.org/doc/install/gccgo


*Sandboxing*
* There is an existing AppArmor profile for xmpp-client for Ubuntu 11.04+
* There isn't a Seatbelt OSX sandbox profile.
* There isn't a way to sandbox on Windows.

- --
Developer at https://www.useotrproject.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJSUu2kAAoJELc5KWfqgB0CnNAH/2ZpvUgB/enkgMZ7tH4q1cj7
w0S9N5bRD21JSYHpd9ZhvMOIHUOVOm8fothUvB1HVFwLhTMqsnqB5vtOPe117WYX
WDp9rwicKz110r1dyEDcDhkGnI0OKJ5trDDalmmFaeFaP7gTwedee8lNRBdV+bPs
tEqSGIxtNbY7WUpDZvTUBxkqZjAgWsag4K+fcn3ZA0m1vUmyWpyV+xYXCvjJH6fo
oDVirvXpQibQxZWSLnRceq7otNXI1TdZL60KiipPJNDyfi5g5d3pToo3CU61wJgF
0KtvtzYnG5l476aJhd1hCdfO7Ni3NoZ1dheqPsRGcmNp/kICqbRYnc9MDqiCpEM=
=e6xQ
-----END PGP SIGNATURE-----