[tor-talk] pidgin and tor
coderman
coderman at gmail.com
Fri Oct 9 02:53:02 UTC 2015
On 10/8/15, sh-expires-12-2015 at quantentunnel.de
<sh-expires-12-2015 at quantentunnel.de> wrote:
> ....
> One of the major problems is the design of Pidgin, which tries
> to build a convenient IM client before it takes security into
> consideration
"security vs. usability", as ever...
> Still, it is possible to achieve a high degree of privacy.
> The amount of "security" will vary and depend on many factors.
>
> A vm is none of them:
> Confining it, doesn't make it more secure, and it mitigates nothing in
> pidgin or libpurple. A broken IM client is still broken, even when
> confined (I am tempted to say buried) in a VM.
consider the Tor Browser PDF exploit that accessed $HOME for keys and other.
if Tor Browser (and Pidgin) are isolated from each other, this $HOME
type attack is of reduced risk.
one example.
> If OP has to rely on an IM, like pidgin or a protocol, there is no more
> or added "security" by putting it into a vm or container.
> All he gains is isolation in a best case scenario.
do you not see the benefit in isolating applications at risk of rogue
remote execution?
i agree it is not the only security measure, nor the most important.
but it is useful, and that is why i mention it. more useful would be
using a secure client, but, again, usability.
> Honestly, let's recommend a more secure implementation
> of the protocol OP wishes to use and educate OP how to use it in
> a manner, that neither privacy nor anonymity of the involved parties
> are compromised and the authenticity of the exchanged messages is given.
i disagree with this approach. make the secure usable. don't force
users to adapt to "secure".
> Using Tor with Pidgin, we are at a disadvantage...
> If security is a result of good design, good design is when there
> is nothing left to remove and the design is still secure.
so, you're going to design and implement a usable, secure chat and presence?
:)
> Contrary to the popular misconception, that security is some kind of
> fairydust, product or duct-tape that we can apply to protocols or software
> afterwards.
actually, i saw this Kickstarter the other day... ;P
best regards,