-
Notifications
You must be signed in to change notification settings - Fork 88
FAQ
By far the most popular question and comment. Yes, libpurple has had vulnerabilities.
The reasons Pidgin is used:
- It is the only one that comes with usable API to automate message input and output from nh.py via IPC.
- It comes pre-installed with Tails live OS.
- It supports OTR that helps obfuscate use of TFC from IM-server.
The reason vulnerabilities in Pidgin do not matter:
The networked computer (NH) that Pidgin is running on never has access to private keys or plaintext messages. NH is not part of the trusted computing base (TCB), it's part of the network relaying ciphertexts. The same way compromising the software email-server uses to route end-to-end encrypted PGP-emails, compromise of NH relaying ciphertexts doesn't compromise confidentiality of TFC messages.
TFC attempts to be as easy to audit as possible. Python also ensures re-distribution of the program is always done as source code (yes, they might be bytecode, but the decomplication is trivial). Cython is also audited and found well written and secure.
Limiting the direction of data flow with just one Tx-Rx pair and GND wire is certainly possible. It is however hard to guarantee firmware doesn't allow malicious remapping of pins that reverse signal direction. Data diode limits direction of data flow with the laws of physics.
End-to-end encrypted apps are better because it's easier to get people use them. Why advocate something this complex?
End-to-end encryption on a networked system might be more usable and it does increase security of all users in relative sense. But absolutely speaking, unless it actually stops the adversary, the benefit is very small. Making things more secure is trivially easy. Making things secure enough is insanely hard. TFC aims to do that. More security always creates more rules, layers and inconvenience, and while TFC is a step back in convenience and not a guaranteed solution, it at least gives the users a fighting chance. That being said, TFC is for everyone who consider it necessary to assess their threat model: adversaries that hack endpoints. Under such threat model, TFC is the easiest tool to use.
Computers, accessories and components ordered from manufacturers or subcontractors, or the finished products shipped to customers or retailers made by a theoretical company might be subjected to interdiction by intelligence establishments. Additionally, a company selling the products might be coerced by the government to add a backdoor under the pretext of national security. Security-wise, it's better to distribute TFC design to users who can buy inconspicuous, commercial off-the-shelf hardware of their own choosing, and build the data diodes themselves. An ideal finished product is a well written software and a guide on how to setup hardware, install TFC and use it securely.