Deprecated/Ricochet IM

From Whonix
< Deprecated
Revision as of 09:51, 8 June 2019 by Patrick (talk | contribs) (Created page with "100px == Introduction == Ricochet IM is is a portable, P2P, python chat application that is installed in {{project name}} by default. It is the n...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

Ricochet IM is is a portable, P2P, python chat application that is installed in Template:Project name by default. It is the new successor to the unmaintained TorChat. [1] The Ricochet site describes how the application works: [2]

Ricochet uses the Tor network to reach your contacts without relying on messaging servers. It creates a hidden service, which is used to rendezvous with your contacts without revealing your location or IP address.

Instead of a username, you get a unique address that looks like ricochet:rs7ce36jsj24ogfw. Other Ricochet users can use this address to send a contact request - asking to be added to your contacts list.

You can see when your contacts are online, and send them messages (and soon, files!). Your list of contacts is only known to your computer - never exposed to servers or network traffic monitoring.

Everything is encrypted end-to-end, so only the intended recipient can decrypt it, and anonymized, so nobody knows where it’s going and where it came from.

In summary, the benefits of Ricochet IM include:

  • No saving of chat history.
  • Reliance on Tor onion services for identity creation.
    • Encryption and authentication properties therefore match Tor's strength.
  • The server-less design means no metadata is ever collected.
  • An OTF sponsored audit in early 2016 only identified a few minor problems (since fixed). [3] [4]

Template:Project name Configuration

This application requires incoming connections through a Tor onion service. Supported Whonix-Gateway modifications are therefore necessary for full functionality; see instructions below.

For better security, consider using Multiple Whonix-Gateway and Multiple Whonix-Workstation. In any case, Whonix is the safest choice for running it. [5]


Ricochet should be fully functional in Template:Project name. If any problems are encountered, please leave comments on the open Phabricator ticketarchive.org iconarchive.today icon.

Add a Ricochet Python Profile

In Template:Gateway product name (sys-whonix), onion-grater requires some adjustments.

Extend the onion-grater whitelist in Whonix-Gateway (sys-whonix).

On Whonix-Gateway.

Add onion-grater profile.

Click = Copy Copied to clipboard! sudo onion-grater-add /usr/share/doc/onion-grater-merger/examples/40_ricochet.yml

Modify Firewall Settings

In Template:Workstation product name (anon-whonix), the firewall requires some adjustments.

Modify Whonix-Workstation User Firewall Settings

Note: If no changes have yet been made to Whonix Firewall Settings, then the Whonix User Firewall Settings File /etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.

If using Qubes-Whonix, complete these steps.
In Whonix-Workstation App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.

Click = Copy Copied to clipboard! sudo mkdir -p /usr/local/etc/whonix_firewall.d

Qubes App Launcher (blue/grey "Q")Whonix-Workstation App Qube (commonly called anon-whonix)Whonix User Firewall Settings

If using a graphical Whonix-Workstation, complete these steps.

Start MenuApplicationsSystemUser Firewall Settings

If using a terminal-only Whonix-Workstation, complete these steps.

Open file /usr/local/etc/whonix_firewall.d/50_user.conf with root rights.

Click = Copy Copied to clipboard! sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf

For more help, press on Expand on the right.

Add.

Click = Copy Copied to clipboard! EXTERNAL_OPEN_ALL=true

Save.

Reload Whonix-Workstation Firewall.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q")Whonix-Workstation App Qube (commonly named anon-whonix)Reload Whonix Firewall

If you are using a graphical Whonix-Workstation, complete the following steps.

Start MenuApplicationsSystemReload Whonix Firewall

If you are using a terminal-only Whonix-Workstation, run. Click = Copy Copied to clipboard! sudo whonix_firewall

Start Ricochet

In Template:Workstation product name (anon-whonix), launch ricochet either through the start menu or from the command line.

Click = Copy Copied to clipboard! ricochet

Backup/Restore Ricochet ID

Ricochet identities are ephemeral by design, meaning on program restart, a new identity will be generated and the last one with the added contacts will be lost. This is safer as long lived identities are easier to track over time. However one can preserve a certain username string and re-use it.

Backup ricochet.json in the config directory path below which contains the private key under identity in serviceKey. [6]

You need to replace /path/to/backup/location with the actual location of your backup folder.

Click = Copy Copied to clipboard! cp /home/user/.local/share/Ricochet/ricochet/ricochet.json /path/to/backup/location

For now this is enough. Alternatively you could also backup the whole folder /home/user/.local/share/Ricochet.

Click = Copy Copied to clipboard! cp -r /home/user/.local/share/Ricochet /path/to/backup/location

  1. https://github.com/ricochet-im/ricochet/issues/30archive.org iconarchive.today icon
  2. https://ricochet.im/archive.org iconarchive.today icon
  3. https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdfarchive.org iconarchive.today icon
  4. https://en.wikipedia.org/wiki/Ricochet_(software)archive.org iconarchive.today icon
  5. Security considerations:
    • By using Whonix, additional protections are in place for greater security.
    • This application requires access to Tor's control protocol.
    • In the Whonix context, Tor's control protocol has dangerous features. The Tor control command GETINFO address reveals the real, external IP of the Tor client.
    • Whonix provides onion-grater, a Tor Control Port Filter Proxy - filtering dangerous Tor Control Port commands.
    • When this application is run inside Whonix-Gateway with an onion-grater whitelist extension, this will limit Whonix-Workstation application rights to Tor control protocol access only. Non-whitelisted Tor control commands such as GETINFO address are rejected by onion-grater in these circumstances. In the event Whonix-Workstation, it can't determine its own IP address via requesting to Tor Controller, as onion-grater filters the reply.
    • In comparison, if the application is run on a non-Tor focused operating system like Debian, it will have unlimited access to Tor's control protocol (a less secure configuration).
    • If the (non-)Whonix platform is used to host onion services, then running applications are more vulnerable to attacks against the Tor network compared to when Tor is solely used as a client; see also Onion Services Security.
    In conclusion, Whonix is the safest and correct choice for running this application.
  6. https://github.com/ricochet-im/ricochet/issues/577archive.org iconarchive.today icon
Retrieved from "https://www.whonix.org/w/index.php?title=Deprecated/Ricochet_IM&oldid=47875"