This outline was a collaborative effort between me and Sukhbir Singh. Code and package URLs: Packages: http://instantbird.com/download-all.html Nightlies: http://nightly.instantbird.im/ Instantbird Code: http://hg.instantbird.org Thunderbird Code: https://github.com/mozilla/releases-comm-central FAQ: http://instantbird.com/faq.html Instantbird Overview: + Cross-platform (Windows, OS X, Linux). + Based on XUL+XPCOM (specifically Thunderbird). + Many existing Thunderbird addons should be easy to port. + Periodically syncs its codebase with Thunderbird: - https://bugzilla.mozilla.org/show_bug.cgi?id=920801 + Thunderbird can be used as combined secure Chat+Email communications software. + One piece of software for all secure communications is a usability win + Leveraging the work done on TorBirdy, we can distribute Instantbird and Tor (and related components) in a single package, or as a combined addon. + Use Tor Launcher as the controller (sukhe recently added Thunderbird support) + Will allow seamless zero-configuration Tor usage for normal case, and will share Tor Browser's future Pluggable Transport support with no additional effort. + See the TorBirdy manual for more information: https://trac.torproject.org/projects/tor/wiki/torbirdy#TorBirdywithTorandTor... + Good protocol support: Currently Instantbird supports by default: AIM, Bonjour, Facebook Chat, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MySpaceIM, Netsoul, Odnoklassniki, QQ, Simple, Twitter, VKontakte, XMPP, Yahoo and Yahoo JAPAN. + Supports "portable version". + InstantBird is available in 14 languages; Thunderbird is available in ~65 + Clean and easy to use interface. + We are amassing a fair amount of in-house expertise with Mozilla/XPCOM, which we can use for code review, UI design, etc. + Can also leverage our existing relationship with Mozilla to share workload Security Properties: * Currently based on libpurple, but Mozilla is working to replace libpurple with pure JS implementations (due to both licensing and code quality/security issues with libpurple). Instantbird nightlies have this code but it must be enabled via about:config. Seems to work. + http://clokep.blogspot.com/2013/10/yahoo-protocol-google-summer-of-code.html + http://lxr.instantbird.org/instantbird/source/chat/protocols/ + http://lxr.instantbird.org/instantbird/source/chat/protocols/xmpp/ - No OTR support yet + OTR support tickets: https://bugzilla.instantbird.org/show_bug.cgi?id=877 https://bugzilla.mozilla.org/show_bug.cgi?id=779052 + For a stopgap/prototype: We can use the js-ctypes wrapper of libotr along with the message observer API + Example observer API use w/ rot13: http://hg.instantbird.org/addons/file/tip/rot13 + JS-Ctypes wrapper for native libotr: http://gitorious.org/fireotr/fireotr/blobs/master/chrome/content/otr_wrapper... + The ctypes wrapper can be converted to an XPCOM wrapper later. + According to sshagarwal #maildev on irc.mozilla.org, Mozilla is also working towards implementing all of the primitives needed for OTR (and OTR itself) in NSS. These are listed in this comment: https://bugzilla.mozilla.org/show_bug.cgi?id=779052#c17 + We could also rely on the ctypes wrapper until native support is available, and possibly skip an XPCOM libotr wrapper entirely. + Solid proxy support. JS XMPP implementation allows you to omit DNS SRV and since everything goes through nsIChannels, proxy support is easy to verify and audit. + Messaging window is jailed to type=content (unlike cryptocat) and is additionally XSS filtered immediately prior to display: https://mxr.mozilla.org/comm-beta/source/chat/modules/imContentSink.jsm Summary of Goals Met: Release a secure, portable chat program that sends all traffic over Tor: + Yes. Can be used with a wide variety of chat networks: + Yes, even without libpurple Uses off-the-record encryption of conversations by default: - Not yet, but support is coming, and it's not too hard to deploy a stopgap French, Spanish, and Arabic support: * Partly yes. Full support for French and Spanish, but Instandbird has no translations for Farsi or Arabic (however Thunderbird does support these locales and can also be used as a chat client). -- Mike Perry