Delivery-Date: Fri, 13 May 2016 15:39:30 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 8A2241E0B59;
	Fri, 13 May 2016 15:39:28 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 7197F39FC9;
	Fri, 13 May 2016 19:39:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id F366C39E18
 for <tor-talk@lists.torproject.org>; Fri, 13 May 2016 19:39:20 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ZcKKdKyXnDij for <tor-talk@lists.torproject.org>;
 Fri, 13 May 2016 19:39:20 +0000 (UTC)
Received: from u1.1gb.ua (smtp-1.1gb.com.ua [195.234.4.10])
 by eugeni.torproject.org (Postfix) with ESMTP id 7614139DFA
 for <tor-talk@lists.torproject.org>; Fri, 13 May 2016 19:39:20 +0000 (UTC)
Received: from Spooler by u1.1gb.ua (Mercury/32 v4.52) ID MO007CCD;
 13 May 2016 22:39:20 +0300
Received: from spooler by mail-u1-robots.in-solve.hidden (Mercury/32 v4.52);
 13 May 2016 22:39:13 +0300
Received: from ul1.1gb.ua (195.234.4.24) by smtp-1.1gb.com.ua (Mercury/32
 v4.52) with ESMTP ID MG007CCC; 13 May 2016 22:39:03 +0300
Received: from [192.162.141.53] ([192.162.141.53]) (authenticated bits=0)
 by ul1.1gb.ua (8.14.9/8.14.0) with ESMTP id u4DJd2Kg017610
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO)
 for <tor-talk@lists.torproject.org>; Fri, 13 May 2016 22:39:03 +0300
To: tor-talk@lists.torproject.org
References: <57333AF1.30203@ut.ee>
From: me@beroal.in.ua
Message-ID: <4771e7c2-18e6-02ba-9750-b141084fa078@beroal.in.ua>
Date: Fri, 13 May 2016 22:39:02 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.0
MIME-Version: 1.0
In-Reply-To: <57333AF1.30203@ut.ee>
Subject: Re: [tor-talk] Security Analysis of Instant Messenger TorChat
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

"TorChat  processes  contact  requests  and  updates  the  contact list  
without asking  the  user's  consent." "An  attacker  can exploit  this  
to add arbitrary contacts to the victim's contact list. . ." OMG, does 
any IM client allow this?

On 11.05.16 17:00, Arnis wrote:
> FYI:
> http://kodu.ut.ee/~arnis/torchat_thesis.pdf
>
> Abstract
> TorChat is a peer-to-peer instant messenger built on top of the Tor 
> network that not only provides authentication and end-to-end 
> encryption, but also allows the communication parties to stay 
> anonymous. In addition, it prevents third parties from even learning 
> that communication is taking place.
> The aim of this thesis is to document the protocol used by TorChat and 
> to analyze the security of TorChat and its reference implementation. 
> The work shows that although the design of TorChat is sound, its 
> implementation has several flaws, which make TorChat users vulnerable 
> to impersonation, communication confirmation and denial-of-service 
> attacks.
>
> P.S. Fix not available. The author of TorChat, lacks the resources to 
> fix the flaws.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

