-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hoi,
Below you can find the analysis of xmpp-client for the Attentive otter project, written by dgoulet, nickm, arlo, asn and myself.
All the best, Jurre
- --------
Intro
xmpp-client is a simple XMPP client written in pure Go with OTRv2 support. It's a terminal program but doesn't have a GUI or a UI like GTK or ncurses. The software should be considered in an alpha state.
*Is traffic send over Tor?* Yes, xmpp-client has support for sending all traffic over Tor, this includes connecting to onion's. When you connect to jabber.ccc.de or the riseup.net jabber service, you are automatically connected over Tor through their onion address (hidden service), if Tor is running. SRC lookups are not proxied.
*Chat network(s) support* Only basic XMPP support, no extensions are implemented (XEP - http://xmpp.org/xmpp-protocols/xmpp-extensions/).
*How trivial is extending XMPP-Client to different protocols?* This code base is only for XMPP and seems quite hardcoded for that. Section "Instant Messaging" - https://code.google.com/p/go-wiki/wiki/Projects#Networking
* XMPP in Go - https://github.com/mattn/go-xmpp * IRC in Go - https://github.com/husio/go-irc
* Various Go bindings - http://go-lang.cat-v.org/library-bindings
*OTR* OTR support comes from the Go crypto package: https://code.google.com/p/go.crypto/ This library only has support for OTRv2 and not the latest OTRv3 specification. If we want to be resistant to several attacks[1] on the OTR protocol, we need to reimplement the OTR protocol and update it to the latest version or, we use Cgo, which binds into libotr. (Open questions: OTR by default?, )
[1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=re...
*What languages are supported?* Currently, there is only support for English, extending the client with other languages is rather trivial like Farsi, French, Spanish and Arabic.
*_Graphical interface_*
A graphical interface needs to be implemented for the client. However, there is only a limited amount of graphical interfaces available, all are far from stable to use. The best bet for now is Go-GTKand extend it and let fixes go upstream. Another thing we could do is implement or extend an existing minimal implementation of a QT library. This means however, that we would need to maintain an extra "third party" UI library, which isn't Tor's core "business".
* QT: https://github.com/visualfc/go-ui * GTK: http://mattn.github.io/go-gtk/ * Webkit: https://github.com/mattn/go-webkit
*_Operating System Support_*
*Windows* * MSI package support - http://golang.org/doc/install#windows
*Mac OS X* * Package exists for Go - http://golang.org/doc/install#osx
*Linux* Packaged in most distributions.
*_Build & build automation_*
*Cross-platform* Go compiles into a static binary. Next to that, Go has the possibility to build cross-platform binaries.
*Deterministic builds* Some hacking needs to be involved and having a deterministic binary for Go might prove more difficult. I'm unsure whether this is going to be easily implemented (more research needed)
*Browser extention* Of what I can understand with Xullauncher, we can start any type of applications shipped in the "TBB sandbox" in a specific path. With xmpp-client, it would require a Go version that is shipped with the TBB and every other library we use (i.e. crypto.otr). (Not 100% sure here...). A fat binary is an option here also (Go + otr + xmpp-client).
*Control mechanism* A control mechanism needs to be implemented so xmpp-client can interact with Firefox in some way or the other.
*_Hardening_*
*Building with hardenend compiler flags* Hardening is possible by using gccgo, which is a frontend to the GCC gnu compiler.
* http://golang.org/doc/install/gccgo
*Sandboxing* * There is an existing AppArmor profile for xmpp-client for Ubuntu 11.04+ * There isn't a Seatbelt OSX sandbox profile. * There isn't a way to sandbox in windows.
- -- Developer at https://www.useotrproject.org/
On Mon, Oct 07, 2013 at 07:21:42PM +0200, Jurre van Bergen wrote:
[...] *Is traffic send over Tor?* Yes, xmpp-client has support for sending all traffic over Tor, this includes connecting to onion's. When you connect to jabber.ccc.de or the riseup.net jabber service, you are automatically connected over Tor through their onion address (hidden service), if Tor is running. SRC lookups are not proxied.
I assume you mean SRV lookups? To clarify, they aren't proxied when Tor is used because they aren't sent at all, correct? (I haven't checked to see, but assumed this is the case since the onion addresses are hardcoded for jabber.ccc.de and riseup.net.)
[...]
- XMPP in Go - https://github.com/mattn/go-xmpp
Note that xmpp-client does not use that xmpp library, it uses this one: https://github.com/agl/xmpp
[...] *OTR* OTR support comes from the Go crypto package: https://code.google.com/p/go.crypto/ This library only has support for OTRv2 and not the latest OTRv3 specification. If we want to be resistant to several attacks[1] on the OTR protocol, we need to reimplement the OTR protocol and update it to the latest version or, we use Cgo, which binds into libotr. (Open questions: OTR by default?, )
OTR by default (or, outright refuse to send non-OTR messages) is a feature I would very much like to see and have been meaning to add myself.
~leif
[...]
Hi,
Jurre van Bergen wrote (07 Oct 2013 17:21:42 GMT) :
Below you can find the analysis of xmpp-client for the Attentive otter project, written by dgoulet, nickm, arlo, asn and myself.
Thanks a lot.
*Linux* Packaged in most distributions.
Unfortunately, it's not in Debian. I've found no RFP or ITP either.
Anyone here with sufficient understanding of both Go and Debian packaging, and wants to add it to Debian? Or should I file a RFP?
Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
On 10/07/2013 08:44 PM, intrigeri wrote:
Hi,
Jurre van Bergen wrote (07 Oct 2013 17:21:42 GMT) :
Below you can find the analysis of xmpp-client for the Attentive otter project, written by dgoulet, nickm, arlo, asn and myself.
Thanks a lot.
*Linux* Packaged in most distributions.
Unfortunately, it's not in Debian. I've found no RFP or ITP either.
Anyone here with sufficient understanding of both Go and Debian packaging, and wants to add it to Debian? Or should I file a RFP?
I see:
[~] apt-cache search golang
golang - Go programming language compiler - metapackage golang-dbg - Go programming language compiler - debug files golang-doc - Go programming language compiler - documentation golang-go - Go programming language compiler (Package: golang-go (2:1.0.2-1.1)) golang-mode - Go programming language - mode for GNU Emacs golang-src - Go programming language compiler - source files [~]$ cat /etc/debian_version
7.1
Jurre van Bergen wrote (07 Oct 2013 18:50:08 GMT) :
Unfortunately, it's not in Debian. I've found no RFP or ITP either.
Anyone here with sufficient understanding of both Go and Debian packaging, and wants to add it to Debian? Or should I file a RFP?
I see: [~] apt-cache search golang
Sorry if I was unclear: with "it", I was referring to xmpp-client, not to the Go tool chain.
Having the Go tool chain available is great, and a necessary first step, but that's quite different from being able to `apt-get install xmpp-client' and then see the upgrades and security fixes flow in just like for basically all other software I'm running.
Hopefully I'm *not* starting yet another discussion about whether per-language ways of distributing software (CPAN, go get, etc.) are useful or not (I think they are), or about the pros & cons of the new Grand Unified Software Repository™ (Github). Don't feed the troll :)
Cheers! -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
intrigeri:
Jurre van Bergen wrote (07 Oct 2013 18:50:08 GMT) :
Unfortunately, it's not in Debian. I've found no RFP or ITP either.
Anyone here with sufficient understanding of both Go and Debian packaging, and wants to add it to Debian? Or should I file a RFP?
I see: [~] apt-cache search golang
Sorry if I was unclear: with "it", I was referring to xmpp-client, not to the Go tool chain.
Having the Go tool chain available is great, and a necessary first step, but that's quite different from being able to `apt-get install xmpp-client' and then see the upgrades and security fixes flow in just like for basically all other software I'm running.
+1, Yes please!
-- mrphs
On Mon, Oct 7, 2013 at 5:21 PM, Jurre van Bergen jurre@useotrproject.org wrote:
*Mac OS X*
- Package exists for Go - http://golang.org/doc/install#osx
Packages exist, but I hear installing Go on OS X is not exactly straight forward (I believe Steven gave this a try at the previous Tor dev meeting).
- There isn't a way to sandbox in windows.
I think the correct statement here is that there is no open source solution available to sandbox in Windows. Options, such as sandboxie.com, do exist for users who trust this service.
On 10/07/2013 09:05 PM, Runa A. Sandvik wrote:
On Mon, Oct 7, 2013 at 5:21 PM, Jurre van Bergen jurre@useotrproject.org wrote:
*Mac OS X*
- Package exists for Go - http://golang.org/doc/install#osx
Packages exist, but I hear installing Go on OS X is not exactly straight forward (I believe Steven gave this a try at the previous Tor dev meeting).
Using Homebrew should make it reasonably easy. The problematic part I see with OSX is implementing GUI support, as compiling GTK would require XQuartz and other painful dependencies to be available and well linked.
C.
Jurre van Bergen:
*OTR* OTR support comes from the Go crypto package: https://code.google.com/p/go.crypto/ This library only has support for OTRv2 and not the latest OTRv3 specification. If we want to be resistant to several attacks[1] on the OTR protocol, we need to reimplement the OTR protocol and update it to the latest version or, we use Cgo, which binds into libotr. (Open questions: OTR by default?, )
[1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=re...
According to agl: "The DH and DSA code uses Go's math/big library, which isn't constant time."
He said these non-constant time Go primitives are used by OTR, and will be used by TLS if they are specified by the negotiated cipher suite.
So xmpp-client's OTR and TLS support would definitely need to be rewritten to call out to a native code implementation or rewritten to use new constant time Go primitives, independent of OTRv2 vs OTRv3.
On Tue, Oct 8, 2013 at 4:49 PM, Mike Perry mikeperry@torproject.org wrote:
Jurre van Bergen:
*OTR* OTR support comes from the Go crypto package: https://code.google.com/p/go.crypto/ This library only has support for OTRv2 and not the latest OTRv3 specification. If we want to be resistant to several attacks[1] on the OTR protocol, we need to reimplement the OTR protocol and update it to the latest version or, we use Cgo, which binds into libotr. (Open questions: OTR by default?, )
[1]
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=re...
According to agl: "The DH and DSA code uses Go's math/big library, which isn't constant time."
He said these non-constant time Go primitives are used by OTR, and will be used by TLS if they are specified by the negotiated cipher suite.
The easy fix is to make go.crypto constant time, for at least what we need.
If we are okay with bad performance this doesn't require much trickery for DH: saturated limb arithmetic modulo a constant with a precomputed Barrett reduction tables is constant time.
DSA is harder because the modulus is provided as part of the key. I don't know how to do that in constant time.
So xmpp-client's OTR and TLS support would definitely need to be rewritten to call out to a native code implementation or rewritten to use new constant time Go primitives, independent of OTRv2 vs OTRv3.
-- Mike Perry
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On Tue, Oct 8, 2013 at 8:40 PM, Watson Ladd watsonbladd@gmail.com wrote:
... The _easy_ fix is to make go.crypto constant time,
"You Keep Using That Word, I Do Not Think It Means What You Think It Means"
-
Claudio -
coderman -
intrigeri -
Jurre van Bergen -
Leif Ryge -
Mike Perry -
Nima -
Runa A. Sandvik -
Watson Ladd