| | otrv4 | HiddenVM |
|---|---|---|
| | 6 | 14 |
| Stars | 191 | 2,221 |
| Growth | 0.5% | - |
| Activity | 0.0 | 7.7 |
| | over 1 year ago | 8 days ago |
| | | Shell |
| | - | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
otrv4
- OTR Version 4
- Off-the-Record Messaging
I may have missed something here, but the write-up seems to be missing the main problem with OTR, which is that both parties need to be online at the same time to do the key-exchange to set up the session - at least in OTRv3 (https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html)
This is why the Double Ratchet Algorithm was created (back in 2013!) where you prepublish a pool of one-time-keys which can be used to establish sessions without you having to be online - as well as defining how to ratchet the message keys forwards both by new DH exchanges and simple hash ratchets (hence the name Double Ratchet).
OTRv3 has the sole advantage that you can trivially tunnel it over any existing synchronous transport (e.g. an IRC DM), given it doesn't have the concept of setting up sessions asynchronously. However, this is a bit of a moot point these days, given modern messaging systems like Matrix, XMPP and Signal natively support the Double Ratchet via Olm, OMEMO & libsignalprotocol respectively - so OTRv3 really is a bit of a historical curiosity at this point.
Meanwhile OTRv4 does introduce the idea of offline conversation initialisation (https://github.com/otrv4/otrv4/blob/master/otrv4.md#offline-...), but it doesn't seem to have got much traction, relative to the fairly ubiquitous Double Ratchet. (Has anyone seen it in the wild? It looks like coy.im might speak it? https://github.com/otrv4 seems fairly dead :/)
Finally, lots of E2EE research is going into efficient shared ratchets for group communication rather than 1:1 sessions - such as MLS (https://datatracker.ietf.org/wg/mls/about/), DMLS (https://matrix.uhoreg.ca/mls/decentralised.html) and DCGKA (https://www.cylab.cmu.edu/news/2021/11/23-group-messaging.ht...).
- A Stick Figure Guide to the Advanced Encryption Standard (AES)
AES gets all the marketing glory. You ask the company how they are doing security? Marketing person says: "It's secure, we're using AES." AES is often the only technical word they use when they say it's secure in product brochures, because they know this is going to satisfy a clueless CISO with a purchasing budget to cover their behind.
But fast forward from 2009 and take a look at OTR and their decision[1] to switch from AES to ChaCha20 (see https://github.com/otrv4/otrv4/blob/master/architecture-deci...) - the whole document is very interesting and pretty brief to highlight why AES might not be the best choice:
> We use ChaCha20 as the encryption stream cipher because it is faster than AES in software-only implementations, it is not sensitive to timing attacks and has undergone rigorous analysis ([3], [4] and [5]). We chose this over AES as future advances in cryptanalysis might uncover security issues with it, its performance on platforms that lack dedicated hardware is slow, and many AES implementations are vulnerable to cache-collision timing attacks [6].
But AES is so much faster because some SSDs can offload it to hardware, right? See:
256-bit AES encryption broken in SandForce SSD controllers: https://techreport.com/news/23096/256-bit-aes-encryption-bro...
Self-encrypting SSDs can easily be cracked: https://portswigger.net/daily-swig/self-encrypting-ssds-can-...
Crucial and Samsung SSDs' Encryption Is Easily Bypassed: https://www.tomshardware.com/news/crucial-samsung-ssd-encryp...
...
So it seems to me that if I have a large number of architectures and devices my software might be running on, which is outside my control, then the ability to predict how my crypto implementation will affect the performance of my device is a good enough reason alone to not use AES. But I might be wrong; maybe others can throw in some thoughts here.
- Off-the-Record Messaging Protocol version 4 draft
- Why Jabber reigns across the Russian cybercrime underground
OTRv3 is definitely not considered secure now, there is an unimplemented (and possibly unfinished) OTRv4 that updates the crypto though:
https://github.com/otrv4/otrv4
- Is there a good reason not to replace PGP with Cryptocurrency based cryptography?
So you shouldn't be using Cryptocurrency based communication or PGP at all. You should be using modern deniable protocols like The Signal Protocol (in Signal), OTRv4 (work in progress, no implementations yet), OMEMO (e.g. ChatSecure), and MEGOLM (used by Element).
HiddenVM
- HiddenVM – Use any desktop OS without leaving a trace
- A virtual machine ***within*** tails
- Veracrypt, hidden OS, Linux alternative
- what is the best version for tails in a windows 11
Wait, OP, I really don't recommend you try Whonix inside of Tails. This will bring a Tor Over Tor scenario if you don't specially configure Whonix in a way that prevents this. There have been projects such as HiddenVM that have tried to make this work, but Whonix developers say that there won't be any support for this setup. TAILS most likely won't have any support for this either. Whonix already has live mode on the VM level, and if you want a host-level live system consider Kicksecure Host Live Mode. Whonix is also in the middle of developing a Whonix Live Host System as well.
- TAILS 5.0 cannot run appimages from separate media
crosspost for reference: https://github.com/aforensics/HiddenVM/issues/23
- Run Virtual Box
Yes it is. Look into HiddenVM. https://github.com/aforensics/HiddenVM
- Digital War Against Putin -- Automated Google Reviews with Python
- Virtualbox WITHIN Tails?
Well what a goddamn surprise. I happen to be fiddling around with the exact same thing as I'm snowed in today! Like others have said, this is not recommended if you have a serious threat model. But if you have a couple free USB sticks and like tinkering with this stuff, check out https://github.com/aforensics/HiddenVM
- Whats a feature that you guys would want in future tails versions?
It is possible to do it safely using this: HiddenVM
- Whonix in Tails
Check out this project on GitHub. You run Whonix on Tails (Amnesic Live Mode) from a Hidden Volume using Veracrypt: HiddenVM
What are some alternatives?
end-to-end - End-To-End is a crypto library to encrypt, decrypt, digital sign, and verify signed messages (implementing OpenPGP)
Whonix - Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. https://www.whonix.org
Xabber - Open-source XMPP client for Android
BrowserBox - Install and run Firefox on Debian unattended in a virtual machine or on a computer.
ChatSecure-iOS - ChatSecure is a free and open source encrypted chat client for iOS that supports OTR and OMEMO encryption over XMPP.
go-incognito - Go Incognito: A Guide to Security, Privacy, & Anonymity
dohot - DoHoT: making practical use of DNS over HTTPS over Tor
mbp-tails - How to get Tails working on T2 Apple device (e.g. 2019 MacBook Pro) without needing external keyboard/mouse.
awesome-malware-analysis - Defund the Police.
bento - Packer templates for building minimal Vagrant baseboxes for multiple platforms
whoami-project - Whoami provides enhanced privacy, anonymity for Debian and Arch based linux distributions
merOS-virt - Build and Interact with a Set of Virtual Machines