TorChat is a security hazard

Paul Campbell campbell_paul at rocketmail.com
Wed Feb 24 03:38:38 UTC 2010


Hello.

I'm in no way a security expert.  I never ran "TorChat" but I did read the source code. Read on why I haven't run it.

"TorChat" is an inofficial chat client for the Tor network.  I like the idea behind "TorChat": easy to use, usb-stick portable and runs on Windows 98.

These are the problems I see with "TorChat":

1. No authentication.  There is no way you can know for sure that the person you are chatting with is the person you chatted with yesterday.  Tor's hidden services don't make any such guarantees about incoming connections. The clients stay anonymous.

2. To make things even worse, the only information needed to impersonate a buddy is their .onion address.

3. Buddies have control over your buddylist.  It is just a matter of identifying as a buddy and telling the software to remove this said buddy.

I don't think these are the only problems, but the first one alone is enough to conclude that "TorChat" cannot give adequate security.  It's too easy to impersonate people.  "TorChat" lives off the name of the Tor Project, but unfortunately doesn't deliver.

It is possible to run Off-the-Record Messaging over Tor.  Off-the-Record Messaging has all kinds of features: encryption, perfect forward secrecy and deniable authentication.  And it doesn't have the problems of "TorChat".

Best regards,
Paul



      

***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list