
GNU's Ring Continues Trying To Be Like Skype/WhatsApp For FLOSS/Privacy-Minded Fans


  • #11
    Originally posted by OneTimeShot:
    “Tox does not use TLS for encryption. It uses NaCL library. So I would expect Tox to be more secure. TLS had a lot of problems over the years.”


    I seriously doubt that follows - you are comparing the protocol in every web browser with random crypto in a project that no one has heard about. Maybe no one has looked?!?
    To my knowledge NaCL is a high quality library and has a good reputation. However it's in no way comparable to TLS. NaCL only provides basic crypto building blocks, while TLS is a full protocol, providing combined authentication, encryption, data integrity, cipher negotiation, certificate chain verification, forward secrecy (with PFS cipher suites, the only ones allowed by Ring) etc.
    Last edited by wagaf; 06 February 2018, 08:34 AM.



    • #12
      Originally posted by wagaf:
      Hi, I'm a Ring developer.


      The password is actually used to protect access to the account private key, which allows signing new device public keys or revoking a device public key.
      It's now possible to create an account without a password (for when you trust the platform to protect access to the private key, or if the account is simply not so important). But asking for the password only on first use would be like your OS asking you to create a root password at the first sudo command!


      File transfer is one of the new features we presented at FOSDEM! :-) It should be rolling out to every platform during the next few weeks.


      It's actually possible to use a hostname when entering a username (like name@domain). Without any hostname, the global blockchain is used.
      And people still register on Twitter or Gmail even if they have 1 billion+ registered users.


      It's a work in progress, but the idea is that we start a blockchain (mining the first N blocks), giving us enough ether to offer free names to everyone, and progressively invite members of the community to participate in the blockchain so people can mine their own tokens with their hardware if they wish to.


      A TURN server is used to relay the connection in the worst-case scenario where no peer-to-peer connection is possible (both peers in different private networks). In all cases peers establish an end-to-end DTLS connection, either on the p2p link or over the TURN server, so the TURN server is only used as a last resort and would never have access to unencrypted media.



      X.509 certificates allow using TLS libraries to authenticate users/devices in a robust, standard, and powerful way.

      A new Ring account generates a self-signed certificate by default, and adding contacts means doing key pinning (managing a whitelist of accepted user certificates).
      An organisation could also use its CA to sign members' certificates. The CA can be configured in Ring to authenticate users as being part of the organisation using the certificate chain.
      The same mechanism is used for devices (attached to an account), which are authenticated using the certificate chain.


      OpenDHT doesn't collect or save any metadata. Unlike BitTorrent, data stored on the DHT is encrypted. However, unlike Tor, there is no active mechanism to hide the IP addresses of members of the distributed network.

      Would be happy to answer any question..
      Just want to say thank you for the great program you are developing.

      On to the questions: will you ever be able to develop a sort of off-line messaging/off-line sync for text and media? I think one of the utmost important features of Wazzap is exactly that: companies making group chats and leaving vocal messages in the group (with read receipts!).

      Apart from that, with a little bit of cleanups and rough-outs I think Ring is production ready!
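      The trust model wagaf describes above (a self-signed account certificate, contacts kept as a pinned whitelist, and members or devices verified through a certificate chain to an org CA or to the account certificate) as an added example in Go using only the standard crypto/x509 package. This is not Ring's code; the helper names makeCert, pin, trustedByPin and trustedByChain are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a certificate for cn: self-signed when parent is nil, otherwise signed by parent.
// (Helper assumed for this example; Ring's own certificate handling is not shown here.)
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // an org CA, or an account cert that signs its device certs
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, key.Public(), signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pin is the SHA-256 fingerprint of the DER certificate: what the contact whitelist stores.
func pin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// trustedByPin accepts a peer only if its certificate was pinned when the contact was added.
func trustedByPin(whitelist map[[32]byte]bool, c *x509.Certificate) bool { return whitelist[pin(c)] }

// trustedByChain accepts leaf only if it chains to ca: an org CA for members, the account cert for its devices.
func trustedByChain(ca, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```

      A peer whose fingerprint was never pinned is rejected even if its certificate is perfectly valid, and a device certificate only passes the chain check against the account that signed it.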



      • #13
        Originally posted by wagaf:
        Hi, I'm a Ring developer.
        Hi, thanks for answering my questions. I'm sorry if I was a little rude.

        Originally posted by wagaf:
        ... But asking for the password only on first use would be like your OS asking you to create a root password at the first sudo command!
        I do understand your argument but I still disagree a little. When an attacker has access to my filesystem, he usually can modify it anyway and install a keylogger or similar. He can steal the device key anyway, which is unencrypted AFAIK. (At least I never had to enter the password when opening the app.) When my mom gets asked for a password, she uses that one password everywhere. So when she links her account, everyone has the chance to brute-force her "everywhere" password. (Which is additionally secured by the PIN, which is a good thing, but still.) BTW root doesn't have a password on my system. I just guess 95% of all WhatsApp users couldn't care less if their root CA is a little less protected. But when they register a service with a password and username but are unable to recover their account just with password and username, that's really weird. At least add a big "skip" button.

        Originally posted by wagaf:
        File transfer is one of the new features we presented at FOSDEM! :-) It should be rolling out to every platform during the next few weeks.
        Sweet! Is that with in-line photo and video viewer?


        Originally posted by wagaf:
        It's actually possible to use a hostname when entering a username (like name@domain).
        But everyone can register [email protected] right?

        Originally posted by wagaf:
        And people still register on Twitter or Gmail even if they have 1 billion+ registered users.
        Touché. But they are already big, so nobody argues about them. I'd still prefer some pet-name system where the same name can be used multiple times and it's used like "the Carol my brother knows".

        Originally posted by wagaf:
        A TURN server...
        I know how it works, I just want to be sure it's not used all the time. I once tried Ring with a friend (disabling TURN) and we both had to enable UPnP to get a connection. AFAIK one open port (maybe zero and a STUN peer) should suffice if the hole punching is good. I mean the DHT connection seems to work without UPnP. And most people won't have UPnP enabled, especially on mobile. So I just want to know when all my traffic is routed over your server. (I know this is an advanced feature most people don't care about.)

        Originally posted by wagaf:
        X.509 certificates ...
        I just remember they had their fair share of problems in many implementations. Compared to a WireGuard-like trust model it is 100x more complex and thus error-prone.

        Originally posted by wagaf:
        OpenDHT doesn't collect or save any metadata.

        I know content is encrypted. But can I passively monitor the DHT and see who (of course only the pubkey) is communicating with who?

        TLS vs NaCL
        TLS, like X.509, had a lot of problems in the past. I'd trust something like the Noise protocol (used by WhatsApp and WireGuard) a lot more than an old behemoth. You are right that NaCL and TLS are not really comparable. Tox (Crypto) has a lot less attack surface than complete TLS implementations. But chances are high they did something wrong as well (because crypto is hard). I understand why you used TLS, because of the legacy of Ring, SIP compatibility, and AFAIK Noise wasn't around when you started...

        Thanks for your time! And thanks for working on the app. Since you are the only contender still in the ring, all my hopes are on you that I can video-chat with my son this summer when I'm on a business trip without asking someone else for their WhatsApp ;-)


        *edit*
        I want to point out again how important naming is. WhatsApp became big because everyone was forced to use an identifier that is globally unique and everyone has in their phone book anyway. Easily finding your friends is one of *the* most important things a modern messenger has to do. So I think it has to be simpler than a mail address, let alone a globally unique identifier. Maybe publish your pubkey under a hashed phone number. Easily fakeable, I know. Then ask your already known friends what they know about your phonebook. Maybe with that fancy new zero-knowledge-proof wizardry this is possible in a privacy-friendly way.
        Last edited by Mathias; 06 February 2018, 05:42 PM.



        • #14
          Do I hear blockchain? Where do I put my money?



          • #15
            To all:

            Is Ring more secure than Linphone? In what ways are these two programs different?

            Is Ring the most secure of this type of Skype alternatives? And, does it offer a decent speed (i.e. video frame rate and sound quality)?

            Thank you, in advance.



            • #16
              Originally posted by Fernando Negro:
              Is Ring more secure than Linphone? In what ways are these two programs different?
              Linphone is a SIP client. So you still need a central SIP server to connect your calls. AFAIK Linphone can do end-to-end encryption, so the content can be just as well protected as with Ring. However, it is quite easy to configure Linphone in a way that calls are totally unencrypted. It also depends on what features your SIP provider supports. The SIP provider can always see your metadata. Most SIP providers allow calling normal landline (and mobile) phones (usually for a fee).

              Ring on the other hand is a distributed system. So theoretically there is no central server collecting your metadata. Also all Ring content is always encrypted without any unencrypted fallback. So Ring should be more secure than Linphone. But I'm not sure (I asked above) if it's possible for everyone to passively collect some metadata about you and your calls. Note that Ring also includes a complete SIP client. If you use that, everything that applies to Linphone also applies to Ring.

              Originally posted by Fernando Negro:
              Is Ring the most secure of this type of Skype alternatives?
              Hard to say. At least in the "entirely decentralized" department, it is probably the best one. But if you don't care about decentralization, there are probably better alternatives.

              Originally posted by Fernando Negro:
              And, does it offer a decent speed (i.e. video frame rate and sound quality)?
              As far as I can tell, sound is pretty good. But Video is only decent.



              • #17
                Hey, add me on Ring: my username is Spacefish and my ID is d65dcb6369d244c0e6b4f776526aa0cf433bb17d



                • #18
                  GNU Ring is the one to use, then.

                  Thank you very much for your explanation, Mathias.

