Hello.
I'm in no way a security expert. I never ran "TorChat" but I did read the
source code. Read on to see why I haven't run it.
"TorChat" is an unofficial chat client for the Tor network. I like the idea
behind "TorChat": easy to use, USB-stick portable and runs on Windows 98.
These are the problems I see with "TorChat":
1. No authentication. There is no way you can know for sure that the person
you are chatting with is the person you chatted with yesterday. Tor's hidden
services don't make any such guarantees about incoming connections. The clients
stay anonymous.
2. To make things even worse, the only information needed to impersonate a
buddy is their .onion address.
3. Buddies have control over your buddylist. It is just a matter of
identifying as a buddy and telling the software to remove said buddy.
I don't think these are the only problems, but the first one alone is enough to
conclude that "TorChat" cannot give adequate security. It's too easy to
impersonate people. "TorChat" lives off the name of the Tor Project, but
unfortunately doesn't deliver.
It is possible to run Off-the-Record Messaging over Tor. Off-the-Record
Messaging has all kinds of features: encryption, perfect forward secrecy and
deniable authentication. And it doesn't have the problems of "TorChat".
Best regards,
Paul
***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
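As an added illustration (not TorChat's code, and not a description of its real wire protocol), here is a toy Python buddy list contrasting the behaviour the post describes, where a peer's claimed .onion address is the only check before a buddy is removed, with a variant that pins a per-buddy secret at first contact and requires a fresh challenge to be answered before acting. The secret, the message format and all names are assumptions.

```python
import hmac
import hashlib
import secrets

def tag_for(secret, onion, nonce):
    """What a genuine buddy holding the pinned secret returns for a challenge."""
    return hmac.new(secret, b"remove:" + onion.encode() + nonce, hashlib.sha256).digest()

class BuddyList:
    """Toy buddy list (assumed model, not TorChat's real protocol)."""
    def __init__(self):
        self.buddies = {}   # onion -> secret pinned at first contact (None = none)
        self.pending = {}   # onion -> nonce of the one outstanding challenge

    def add(self, onion, secret=None):
        self.buddies[onion] = secret

    def remove_trusting(self, claimed_onion):
        """Behaviour the post describes: the claimed address is the only check."""
        if claimed_onion not in self.buddies:
            return False
        del self.buddies[claimed_onion]
        return True

    def challenge(self, onion):
        """Issue a fresh nonce; a response is valid for this nonce only, once."""
        nonce = secrets.token_bytes(16)
        self.pending[onion] = nonce
        return nonce

    def remove_verified(self, claimed_onion, nonce, tag):
        """Act only if the peer proves knowledge of the pinned secret for a live nonce."""
        secret = self.buddies.get(claimed_onion)
        if secret is None or self.pending.pop(claimed_onion, None) != nonce:
            return False          # unknown buddy, stale nonce, or replayed response
        if not hmac.compare_digest(tag_for(secret, claimed_onion, nonce), tag):
            return False          # wrong key: the impersonation attempt is rejected
        del self.buddies[claimed_onion]
        return True

def demo():
    alice_secret = secrets.token_bytes(32)   # constructed sample key
    loose, strict = BuddyList(), BuddyList()
    loose.add("alice.onion")                 # constructed address, nothing pinned
    strict.add("alice.onion", alice_secret)
    stranger_deleted = loose.remove_trusting("alice.onion")   # address alone suffices
    nonce = strict.challenge("alice.onion")
    stranger_rejected = not strict.remove_verified(
        "alice.onion", nonce, tag_for(b"guess", "alice.onion", nonce))
    nonce = strict.challenge("alice.onion")
    alice_accepted = strict.remove_verified(
        "alice.onion", nonce, tag_for(alice_secret, "alice.onion", nonce))
    return stranger_deleted, stranger_rejected, alice_accepted
```

`demo()` returns `(True, True, True)`: the unauthenticated list loses the buddy to anyone naming the address, while the pinned-secret list rejects the stranger and still serves the real buddy.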