[tor-talk] Security Analysis of Instant Messenger TorChat
me at beroal.in.ua
Fri May 13 19:39:02 UTC 2016
"TorChat processes contact requests and updates the contact list
without asking the user's consent." "An attacker can exploit this
to add arbitrary contacts to the victim's contact list. . ." OMG, does
any IM client allow this?
On 11.05.16 17:00, Arnis wrote:
> FYI:
> http://kodu.ut.ee/~arnis/torchat_thesis.pdf
>
> Abstract
> TorChat is a peer-to-peer instant messenger built on top of the Tor
> network that not only provides authentication and end-to-end
> encryption, but also allows the communication parties to stay
> anonymous. In addition, it prevents third parties from even learning
> that communication is taking place.
> The aim of this thesis is to document the protocol used by TorChat and
> to analyze the security of TorChat and its reference implementation.
> The work shows that although the design of TorChat is sound, its
> implementation has several flaws, which make TorChat users vulnerable
> to impersonation, communication confirmation and denial-of-service
> attacks.
>
> P.S. Fix not available. The author of TorChat lacks the resources to
> fix the flaws.