[tor-talk] Security Analysis of Instant Messenger TorChat

me at beroal.in.ua me at beroal.in.ua
Fri May 13 19:39:02 UTC 2016

"TorChat  processes  contact  requests  and  updates  the  contact list  
without asking  the  user's  consent." "An  attacker  can exploit  this  
to add arbitrary contacts to the victim's contact list. . ." OMG, does 
any IM client allow this?

On 11.05.16 17:00, Arnis wrote:
> FYI:
> http://kodu.ut.ee/~arnis/torchat_thesis.pdf
> Abstract
> TorChat is a peer-to-peer instant messenger built on top of the Tor 
> network that not only provides authentication and end-to-end 
> encryption, but also allows the communication parties to stay 
> anonymous. In addition, it prevents third parties from even learning 
> that communication is taking place.
> The aim of this thesis is to document the protocol used by TorChat and 
> to analyze the security of TorChat and its reference implementation. 
> The work shows that although the design of TorChat is sound, its 
> implementation has several flaws, which make TorChat users vulnerable 
> to impersonation, communication confirmation and denial-of-service 
> attacks.
> P.S. Fix not available. The author of TorChat, lacks the resources to 
> fix the flaws.

More information about the tor-talk mailing list