Project

General

Profile

Bug #11541

OMEMO support in Tails

Added by Kurtis over 2 years ago. Updated 8 days ago.

Status:
Confirmed
Priority:
Low
Assignee:
-
Category:
-
Target version:
-
Start date:
06/21/2016
Due date:
% Done:

0%

QA Check:
Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Instant Messaging

Description

The OMEMO encryption /oˈmiːmoʊ/ (OMEMO Multi-End Message and Object Encryption) gives you all the advantages you would expect from a modern-day encryption protocol like Future and Forward Secrecy and deniability while allowing you to keep the benefits of message synchronization and offline delivery.

OMEMO not only gives you a better encryption features than OpenPGP and OTR but is also much easier to setup. OMEMO is the encryption you can actually use in your daily life. Turn it on once and forget you ever did.

OMEMO uses the Signal Protocal ratchet to establish secure sessions between every combination of devices for you and your contact. Those sessions are then being used to communicate secure keys to all devices. OMEMO will generate a new key for every message. That key is used to encrypt your message with AES-GCM. The long-lived Signal Protocal sessions in the background deal with the challenges of message reordering, message loss and accidental duplication.

Being built upon PEP (Personal Eventing Protocol) to announce the pre-keys used by Signal Protocal to establish new sessions, OMEMO requires little to no change to the existing XMPP server infrastructure.

https://conversations.im/omemo/

Tails could work upstream to help Pidgin impliment OMEMO by assisting with this ticket: https://developer.pidgin.im/ticket/16801

Alternatively, Tails could include Gajim https://packages.debian.org/jessie/net/gajim and Kalkin's Gajim OMEMO plugin.

OTR is the current default chat encryption option on Tails. OTR is 10 years old and was never designed for modern day instant messaging.


Related issues

Related to Tails - Feature #7868: Use gajim instead of pidgin (more secure OTR chat) Rejected 09/01/2014
Related to Tails - Bug #8573: Hopefully replace Pidgin some day In Progress 01/07/2015
Related to Tails - Feature #14568: Additional Software Packages Confirmed 12/11/2013 06/26/2018

History

#1 Updated by DrWhax over 2 years ago

This ticket isn't interesting for us unless we can implement it by simply doing: apt-get install $package-name.

Don't expect help from us on this unless we can implement it, sorry!

#2 Updated by intrigeri over 2 years ago

  • Status changed from New to Rejected

I say let's reopen and track this here once there's an implementation available (in Debian) that doesn't require us to ship yet another IM client. In the meantime, there's nothing we can do about it, sorry!

#3 Updated by sajolida about 2 years ago

  • Related to Feature #7868: Use gajim instead of pidgin (more secure OTR chat) added

#4 Updated by sajolida about 2 years ago

  • Related to Bug #8573: Hopefully replace Pidgin some day added

#5 Updated by Kurtis about 2 years ago

Gajim's omemo plugin was put into the Debian sid repository a few weeks ago: https://packages.debian.org/sid/gajim-omemo I'm assuming it could be backported.

Pidgin might as well change their name to Ostrich, because their head is in the sand when it comes to adding support for OMEMO. https://developer.pidgin.im/ticket/16801

#6 Updated by intrigeri almost 2 years ago

https://current.workingdirectory.net/posts/2017/encrypted-mucs/ suggests that this needs polishing as the current UX is quite poor.

#7 Updated by Kurtis almost 2 years ago

Thanks for the link. I hadn't read that before.

Just got news that people are working to add OMEMO support to Pidgin: https://developer.pidgin.im/ticket/16801#comment:27 I'll try to dig some more to find more details.

I know that there is a chance that Tails could one day use Tor Messenger based on this: https://labs.riseup.net/code/issues/8577

Here's a ticket for TorMessenger OMEMO support: https://trac.torproject.org/projects/tor/ticket/17457

Here's a ticket for TorMessenger's upstream InstantBird OMEMO support: https://bugzilla.mozilla.org/show_bug.cgi?id=1237416

#8 Updated by Kurtis over 1 year ago

Quick update: Two people that are working to add OMEMO support to Pidgin just posted at https://developer.pidgin.im/ticket/16801

If anyone wants to check out the OMEMO+XMPP+Pidgin alpha git repo that one of the devs posted, you can check it out here: https://git.imp.fu-berlin.de/mancho/libpurple-omemo-plugin

#9 Updated by Kurtis over 1 year ago

Lurch is an alpha release plugin for libpurple that enables OMEMO encryption: https://github.com/gkdr/lurch

#10 Updated by Kurtis 10 months ago

Can you please un-Reject this issue? OMEMO is the future. The future shouldn't be rejected, it should be embraced.

#11 Updated by Kurtis 10 months ago

I know you guys are looking to move away from Pidgin, but I just created this an issue with Lurch asking them to make a debian repo. https://github.com/gkdr/lurch/issues/73

#12 Updated by Kurtis 10 months ago

I should have said "make a debian package" not "make a debian repo". my bad.

#13 Updated by intrigeri 10 months ago

  • Status changed from Rejected to Confirmed
  • Priority changed from Normal to Low
  • Affected tool set to Instant Messaging

This is a valid feature request. I think it'll be addressed either as part of #8573 or thanks to the upcoming changes to the Additional Software Package feature (which will soon become much more usable, better integrated, and thus an option for everyone who wants their preferred IM protocol/client, because we can't possibly ship them all).

#14 Updated by intrigeri 10 months ago

#16 Updated by u 2 months ago

And our additional software feature will be in Tails 3.9, allowing anybody to install such things themselves now as long as they are available in Debian :)

#17 Updated by u 2 months ago

But I'm unsure if this addresses the problem you are raising entirely?

#18 Updated by intrigeri 8 days ago

Friends of mine have extensively tested OMEMO and they report that:

  • If different clients are used, with different implementation status of some tech details, one can easily lose messages without knowing they lost it.
  • Encrypted groups don't work well, especially (or only) when different clients are used.

Sorry I have nothing more specific such as links to bug reports, but I do trust these friends to have tested this extensively, in practical use cases, for a non-trivial duration.

Also available in: Atom PDF