[Proposal] Get an OTRv4 client into Tails
Dear Tails project,
This is sort of a consequence of some emails exchanged with @intrigeri and @sajolida.
As OTRv4 development in its C library will release its first version around November of this year, we were thinking of creating a native OTRv4 client that sort of replaces the otr plugin over Pidgin (as Pidgin potentially has many security issues, as discussed here: #8573). This native client can be integrated into Tails, if it is wanted ;). Following is the proposal and start of discussion of some properties it might give:
As Tails has a specific security mindset and after reviewing some of the instant messaging issues over here, these are the steps that we'd like to take into consideration:
- It should work over Tor. As OTRv4 gives strong deniability properties, this step first requires to cryptographically analyze if the deniability properties of OTR work over an anonymity network, and the other way around. This is ongoing research. If all goes well, it will be nice to check if OTRv4 can work over other protocols like Ricochet or Cwtch.
- Should it work over XMPP? To make a clear decision around this, the results of #17821 (closed) can help.
- How will account creation be handled? I like the Wire approach that allows email or phone number.
- The code should be audited.
- Should work over TLS 1.3.
- Should be on Debian.
- A way to create 'temporary' accounts can be thought of: a way to create a random account that is not linked to any identity and, when the client is closed, all the associated data (keys, logs, etc.) will get wiped out. An 'amnesic mode'.
- The 'persistent accounts' will have their persistent data (keys, etc.) securely encrypted.
- Might be written in either Golang or Rust.
These are only the first thoughts and it will be good to hear the thoughts of the Tails community! So feel free to chime in on some of the points here if they sound nice ;)