[tor-dev] Attentive Otter: Analysis of xmpp-client

Jurre van Bergen jurre at useotrproject.org
Mon Oct 7 17:21:42 UTC 2013


Hoi,

Below you can find the analysis of xmpp-client for the Attentive Otter
project, written by dgoulet, nickm, arlo, asn and myself.

All the best,
Jurre

--------

Intro

xmpp-client is a simple XMPP client written in pure Go with OTRv2
support. It's a terminal program but doesn't have a GUI or a UI like
GTK or ncurses. The software should be considered in an alpha state.

*Is traffic sent over Tor?*
Yes, xmpp-client has support for sending all traffic over Tor; this
includes connecting to onions. When you connect to jabber.ccc.de or the
riseup.net jabber service, you are automatically connected over Tor
through their onion address (hidden service), if Tor is running. SRV
lookups are not proxied.

*Chat network(s) support*
Only basic XMPP support, no extensions are implemented (XEP -
http://xmpp.org/xmpp-protocols/xmpp-extensions/).

*How trivial is extending XMPP-Client to different protocols?*
This code base is only for XMPP and seems quite hardcoded for that.
Section "Instant Messaging" -
https://code.google.com/p/go-wiki/wiki/Projects#Networking

* XMPP in Go - https://github.com/mattn/go-xmpp
* IRC in Go - https://github.com/husio/go-irc

* Various Go bindings - http://go-lang.cat-v.org/library-bindings

*OTR*
OTR support comes from the Go crypto package:
https://code.google.com/p/go.crypto/
This library only has support for OTRv2 and not the latest OTRv3
specification. If we want to be resistant to several attacks[1] on the
OTR protocol, we need to reimplement the OTR protocol and update it to
the latest version, or we use Cgo, which binds into libotr. (Open
questions: OTR by default?, )

[1]
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.165.7945&rep=rep1&type=pdf

*What languages are supported?*
Currently, there is only support for English; extending the client with
other languages such as Farsi, French, Spanish and Arabic is rather trivial.

*_Graphical interface_*

A graphical interface needs to be implemented for the client. However,
there is only a limited number of graphical interfaces available, and all
are far from stable to use. The best bet for now is to use Go-GTK, extend
it, and let fixes go upstream. Another thing we could do is implement or
extend an existing minimal implementation of a Qt library. This means,
however, that we would need to maintain an extra "third party" UI
library, which isn't Tor's core "business".

* QT: https://github.com/visualfc/go-ui
* GTK: http://mattn.github.io/go-gtk/
* Webkit: https://github.com/mattn/go-webkit

*_Operating System Support_*

*Windows*
* MSI package support - http://golang.org/doc/install#windows

*Mac OS X*
* Package exists for Go - http://golang.org/doc/install#osx

*Linux*
Packaged in most distributions.

*_Build & build automation_*

*Cross-platform*
Go compiles into a static binary. Next to that, Go has the possibility
to build cross-platform binaries.

*Deterministic builds*
Some hacking needs to be involved and having a deterministic binary for
Go might prove more difficult. I'm unsure whether this is going to be
easily implemented (more research needed).

*Browser extension*
From what I can understand with Xullauncher, we can start any type of
application shipped in the "TBB sandbox" in a specific path. With
xmpp-client, it would require a Go version that is shipped with the TBB
and every other library we use (i.e. crypto.otr). (Not 100% sure
here...). A fat binary is an option here also (Go + otr + xmpp-client).

*Control mechanism*
A control mechanism needs to be implemented so xmpp-client can interact
with Firefox in some way or the other.

*_Hardening_*

*Building with hardened compiler flags*
Hardening is possible by using gccgo, which is a frontend to the GCC GNU
compiler.

  * http://golang.org/doc/install/gccgo


*Sandboxing*
* There is an existing AppArmor profile for xmpp-client for Ubuntu 11.04+
* There isn't a Seatbelt OS X sandbox profile.
* There isn't a way to sandbox in Windows.

-- 
Developer at https://www.useotrproject.org/
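
The Tor section above notes that SRV lookups are not proxied. As an added example (not code from xmpp-client or from the original message), the Go code below shows the proxied path for comparison: a SOCKS5 CONNECT that hands the hostname to Tor unresolved and refuses IP literals, which would imply a local lookup. The name socks5Connect, the host xmpp.example.org and the use of Tor's default SocksPort 127.0.0.1:9050 are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
)

// socks5Connect asks a connected SOCKS5 proxy (e.g. Tor) to open host:port. The name
// travels in the request (RFC 1928, ATYP 0x03), so the proxy resolves it, not this host.
func socks5Connect(proxy io.ReadWriter, host string, port uint16) error {
	if len(host) == 0 || len(host) > 255 {
		return errors.New("hostname must be 1..255 bytes")
	}
	if net.ParseIP(host) != nil { // an IP literal means the name was resolved locally
		return errors.New("refusing IP literal: let the proxy resolve the name")
	}
	reply := make([]byte, 10) // assumes a reply carrying an IPv4 bind address
	if _, err := proxy.Write([]byte{0x05, 0x01, 0x00}); err != nil { // offer "no auth"
		return err
	}
	if _, err := io.ReadFull(proxy, reply[:2]); err != nil {
		return err
	}
	if reply[0] != 0x05 || reply[1] != 0x00 {
		return errors.New("proxy refused the no-auth method")
	}
	req := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	req = append(req, byte(port>>8), byte(port))
	if _, err := proxy.Write(req); err != nil {
		return err
	}
	if _, err := io.ReadFull(proxy, reply); err != nil {
		return err
	}
	if reply[1] != 0x00 {
		return fmt.Errorf("proxy reported failure code %d", reply[1])
	}
	return nil
}

func main() {
	c, err := net.Dial("tcp", "127.0.0.1:9050") // assumed: Tor's default SocksPort
	if err == nil {
		err = socks5Connect(c, "xmpp.example.org", 5222) // placeholder host
	}
	fmt.Println("connect via Tor:", err)
}
```

A `net.LookupSRV` call made before this step still goes to the system resolver, so the queried domain is visible outside Tor even when the XMPP connection itself is proxied.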
