Meta-data resistant services are a key next step to avoiding this sort of thing.
For example, the cwtch project [1] builds on top of and improves the Ricochet protocol [2] to provide group chats that are resistant to metadata analysis.
It does this through untrusted group host servers running over TOR services.
I prefer Ricochet: https://ricochet.im/ :)
Unlike Signal and Riot, Ricochet is a different approach to instant messaging that doesn’t trust anyone in protecting your privacy.
Truly would be a best case scenario if this is the cause. It always seems like when something funky happens to the tor network, we always read about police raiding hidden servers a few weeks or months later. Can you post the announcement you saw? I can't find it on https://ricochet.im/
Let's not get ahead of ourselves. So far Wickr has only published an encryption protocol on GitHub, Wickr-Crypto-C, and it is only used in their enterprise software product, Wickr Professional. In February, Wickr's CEO Joel Wallenstrom said that Wickr Messenger will switch to the same protocol at some point in the future. That hasn't happened yet, and there is no indication that they will open source anything else about their products (the rest of the client application source code or the servers).
>I've been a loyal Signal user for a while but the need for a number has been making things increasingly difficult. Conversations has been my back up for a bit but doesn't seem to be catching on with everyone else.
Signal's developers have said that they will add the ability to register with different kinds of identifiers at some point. It might just take time as other issues have higher priority. It’s good to keep in mind that the Signal dev team is very small and funded by grants and donations alone. In the meantime, think of Signal as an easy way to send end-to-end encrypted messages to people who you would otherwise contact via unencrypted SMS/MMS.
If you really need anonymity, though, consider using Ricochet instead of Conversations (or Signal after they've added alternative identifiers, for that matter). Ricochet hides metadata by using the Tor network and each endpoint is a hidden service.
Edit: Added some points.
>And uses a closed server.
Let me clarify this a bit. It's highly unlikely anyone of us is going to run our own Telegram server. Because we'd have to ask every friend to connect to our server instead. And it's always going to be the case 99.9999% of users will have to "trust" the owner of the server. So it might as well be Telegram that provides the server infrastructure. And at that point it doesn't matter if the service is open source. Because even if they had a cute, polished, does-not-spy-on-you code on GitHub, there is 0% guarantee the version that's actually running on Telegram's server is the same.
The way to guarantee Telegram's server does what it's supposed to, is to prevent it from eavesdropping on content and on metadata.
Regarding content, the clients and protocol design suck. You can't end-to-end encrypt everything. So by definition you should not use Telegram. As for metadata, you can configure Telegram to use a SOCKS5-proxy and route it through e.g. Tor. But since you can't really register without giving your phone number, you can't have anonymity with the service. So another reason not to use it.
With Signal we have reproducible builds and we can trust everything is always end-to-end encrypted. We also have proof how little they log. So it's better than Telegram. For anonymous communication, seriously consider using Ricochet.
I would check out Ricochet, it uses Tor hidden services and is a great solution as long as both parties are online simultaneously.
If you need to communicate asynchronously, Bitmessage is the simplest solution. It operates like P2P email, with every user receiving a copy of every message, but only the recipient having the keys to decrypt it, so in theory it’s difficult for an observer to trace whom a message is sent to.
It’s important to note that unfortunately, neither of these tools have received a security audit, and have only been receiving minimal updates and support recently, so don’t use them if your life depends on it.
Ricochet if you can handle text only and no group chat.
Note that this is a Tor subreddit, not a general privacy subreddit. Sidebar:
> /r/Tor is not for general news about privacy or security.
Namecoin fans are probably more likely to be fans of Ricochet: https://ricochet.im/ . Ricochet is decentralized (other than the centralized parts of Tor itself), while Tor Messenger has centralized servers that can collect metadata. "We kill people based on metadata." Not to say that Tor Messenger is useless; if for some reason you absolutely need to communicate with someone on a centralized service, Tor Messenger can be useful. But the design that Ricochet uses is definitely safer, assuming that you can get your friends to use it.
Side note: if someone is interested in adding Namecoin identity support to Ricochet, that would be a worthwhile project -- ping me on IRC.
it has the next features:
> Bitmessage looks to be too heavy for this project, which is intended to be very light and so very verifiable.
What about TOR hidden services?
You can interact with the TOR client in plain TCP and it takes care of encrypting and routing your traffic. People can connect to your .onion address and receive the messages you want to send them. You can use the same RSA key as the TOR client does for the hidden service, which means people can verify that the message they get was generated by the person that is also in charge of the hidden service. An application that uses a very similar approach is Ricochet.
https://ricochet.im is probably the best option, it routes everything through tor and doesn't store data by design. No registration required either.
If you use onetimesecret you probably want to be behind tor for best practice.
Sounds like what you're looking for (an anonymous messenger optimized for Tor) is https://ricochet.im/
... unfortunately the project hasn't had an update since 2016. Other IMs can use Tor but they are not optimized and may leak your IP. You could use any IM behind Whonix to mitigate this, if needed.
I would recommend Ricochet at https://ricochet.im
"Ricochet uses the Tor network to reach your contacts without relying on messaging servers. It creates a hidden service, which is used to rendezvous with your contacts without revealing your location or IP address.
Instead of a username, you get a unique address that looks like ricochet:rs7ce36jsj24ogfw. Other Ricochet users can use this address to send a contact request - asking to be added to your contacts list.
You can see when your contacts are online, and send them messages (and soon, files!). Your list of contacts is only known to your computer - never exposed to servers or network traffic monitoring.
Everything is encrypted end-to-end, so only the intended recipient can decrypt it, and anonymized, so nobody knows where it’s going and where it came from."
I just came across Ricochet which I saw someone mention in an older thread. Anyone know if your messages & chats are wiped once you close the app? Or are they still there when you re-open?
But it's not whatever. PGP is Whatever. Signal is perfectly usable. It's also the case that Signal can never be quite as fast as Telegram because in group messages, each member gets a copy of the message. User-side key management is always less convenient. Your argument can be reduced to the standard "widely developed incremental security is better if everyone uses the product". I disagree. When you lock your threat model to say, a nation state attacker / organized crime compromising Telegram's server-side logs, the incremental security did not help at all. If you decide to lock your threat model to hacker at a coffee shop, sure, Telegram's "good enough", but this is real world and there are real threats and people get jailed for content and killed based on metadata. Signal is not the ideal solution (I'd prefer everyone used Ricochet) but that's a slow transition and people need much more in-depth education to understand the technical problem of how surveillance works.
I used to use Pidgin + OTR all the time, but have since migrated to using a combination of Signal (for convenience and friends/family) and Ricochet (https://ricochet.im/) for when I need very secure comms.
Adium and Pidgin both use TLS to connect to the server. If you're using your own e.g. XMPP server, it's mostly private but you need to buy a certificate or edit all Pidgin clients so that they trust it.
The standard approach is to use third party XMPP servers. To hide metadata about your IP you need to register and connect through Tor, without ever making an error. A good way to ensure you always use Tor is to use a hidden service XMPP server: https://gist.github.com/dllud/a46d4a555e31dfeff6ad41dcf20729ac
Note that the server can still see what you're typing and eventually deanonymize you based on content. That's why you should always use OTR-plugin that end-to-end encrypts your communication.
OTR uses slightly outdated encryption algorithms so you should probably use something modern like https://ricochet.im
Always verify fingerprints/Ricochet IDs before communicating over end-to-end encryption. Finally, bear in mind if your computer gets hacked, end-to-end encryption on networked TCB doesn't work. If that's something you need to worry about, TFC is the only tool that can help you.
Maybe you can tell us more about what you want to use this messenger for.
Ricochet is always a very good recommendation. More generally, for a lot of software, try to go with free open source software (FOSS).
Actually, the reason for this thread is that I'm doing a thesis about "Trust and privacy by for-profit companies." I'm trying to find out if we can finally trust these mainstream apps and companies with our privacy. Given that it ain't that easy to convince most people to use privacy respecting replacements, can we finally rest and join our friends and families and easily communicate with them with what they are used to? Which are the mainstream apps? Can we, privacy conscious people, be finally rested and finally chill out and communicate with them using what most of them use? Which are the mainstream apps and products such as Apple products, WhatsApp, Viber, etc. I'm really looking forward to talking to someone about this, doesn't matter if you're an expert or not. Everyone counts and would contribute a lot to my thesis. Better yet if a group chat can happen. I propose two of what I believe are the best apps that can be trusted with privacy: Ricochet and Ring. The latter is a Skype replacement. That's also where group chat can happen. Pretty sure it's as capable for IMs of group chat as Viber, which is 200 people. It's also fully distributed, peer to peer. Here's my Ricochet ID: ricochet:cw5svohnysx6nxlv Here's my Ring ID: d8b24c46e3c3a57841521622f8ba5d1240b000a3 See you guys! ;)
> can't prove that someone was actually talking with that ip or just sending peer lists over DHT.
Would you happen to have a link for this? I had a brief look at the source, and I think this is the case, but I'm really not much of a C developer, so I can't be certain without taking a bit more time to understand toxcore.
> Still not as good as bitmessage though but much more user friendly.
I see Tox and BitMessage as serving fundamentally different use-cases. BitMessage is for async communication, i.e. where you would have previously used email, whereas Tox is for instant messaging.
You might be interested in another program I mentioned above, Ricochet, which manages to achieve metadata-free instant messaging.
I just came across another solution, which is maybe a more direct answer:
https://cwtch.im/ seems quite interesting. It is in active development (as opposed to, say, ricochet.im, which also looked nice but is kinda dead).
However it has a huge drawback: the setup is quite technical and thus way less accessible to a wide public (essential for protests) than Briar. So I reckon it's more of a promising project to keep an eye on.
You might want to look at Whonix Chat suggestions. I've been using XMPP for a long while now but like most instant chat options it leaks metadata. If you'd like to prevent that you might look into Ricochet IM. Here's the how it works section of Ricochet:
> Ricochet uses the Tor network to reach your contacts without relying on messaging servers. It creates a hidden service, which is used to rendezvous with your contacts without revealing your location or IP address.
> Instead of a username, you get a unique address that looks like ricochet:rs7ce36jsj24ogfw. Other Ricochet users can use this address to send a contact request - asking to be added to your contacts list.
> You can see when your contacts are online, and send them messages (and soon, files!). Your list of contacts is only known to your computer - never exposed to servers or network traffic monitoring.
> Everything is encrypted end-to-end, so only the intended recipient can decrypt it, and anonymized, so nobody knows where it’s going and where it came from.
> For more information, you can read about Tor and learn more about Ricochet’s design.
Bitmessage has been stale for ages now. The design does not scale up and the spam protections have been broken years ago. If you want a messaging system that requires no trust but is secure, look at something like ricochet instead. It rides on top of the tor network instead of implementing its own cryptographic routines.
My concerns are:
1) If your application is compromised, so is the onion service, if they share the keys.
2) If your application and tor share the key, a signature for one may be valid for the other. Or if you've appropriate domain separation, there may still be some non-trivial relationship between the two uses. Unless you're willing to go through the mathematics to determine if and how the key sharing is safe, you should just use an independent key. AFAICT it should be fine if you're using the appropriate domain separation, but (1) still holds as these would be related keys.
3) You don't need any cryptography here. You can just connect in the backwards direction and forward a random token, binding the two connections together. This is used in ricochet.im, an onion service based direct/p2p chat client.
4) If you assign a Diffie-Hellman identity to each party, then you may use 3DH - aka. triple DH - to mutually authenticate both sides interactively to derive a session key, which you may then use to symmetrically authenticate many messages. (Cheaper than signatures. Only valid for the session, not forever.)
I think you missed my point. You can serve a signing public key from the onion service and use this keypair for signing without taking the risks of messing with tor's keys and potentially introducing unforeseen vulnerabilities in either your application or the onion service itself. Ricochet.im uses a connection in the backwards direction to send a random string for a very simple challenge. This works too, is interactive, and doesn't require any cryptography in your code.
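The back-connection token check described in point 3 and in the reply above, as an added example that is not part of the thread and is not Ricochet's code: an in-memory simulation in which `Network` stands in for Tor's property that only the key holder receives traffic sent to an onion address. The class names, the placeholder `.onion` addresses and the 30-second token lifetime are assumptions.

```python
import hmac
import secrets
import time

TOKEN_TTL = 30.0  # assumed lifetime of a challenge, in seconds

class Network:
    """Stand-in for Tor: an onion address reaches only the peer holding its key."""

    def __init__(self):
        self.services = {}

    def dial(self, address):
        return self.services[address]

class Peer:
    def __init__(self, net, address):
        self.net, self.address = net, address
        self.inbox = {}    # tokens delivered to our onion service, keyed by sender
        self.pending = {}  # claimed address -> (token, deadline) we issued
        net.services[address] = self

    def challenge(self, claimed):
        """Responder: an inbound connection claims `claimed`; dial back with a token."""
        token = secrets.token_bytes(32)
        self.pending[claimed] = (token, time.monotonic() + TOKEN_TTL)
        self.net.dial(claimed).inbox[self.address] = token

    def verify(self, claimed, echoed):
        """Responder: accept only a matching echo, once, before the deadline."""
        token, deadline = self.pending.pop(claimed, (None, 0.0))
        if token is None or echoed is None or time.monotonic() > deadline:
            return False
        return hmac.compare_digest(token, echoed)

    def echo_for(self, responder_address):
        """Initiator: fetch the token the responder sent to our onion service."""
        return self.inbox.pop(responder_address, None)

def connect(initiator, claimed, responder):
    """One inbound connection from `initiator` that claims to be `claimed`."""
    responder.challenge(claimed)
    return responder.verify(claimed, initiator.echo_for(responder.address))

# Constructed placeholder addresses, not real onion services.
net = Network()
alice = Peer(net, "alice-placeholder.onion")
bob = Peer(net, "bob-placeholder.onion")
mallory = Peer(net, "mallory-placeholder.onion")

if __name__ == "__main__":
    print("genuine:", connect(alice, alice.address, bob))         # True
    print("impersonated:", connect(mallory, alice.address, bob))  # False
```

The token is popped from `pending` on the first `verify`, so a captured echo cannot be replayed, and a claim for an address the caller does not control fails because the token is delivered to the real owner instead.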
Asking anonymity-concerned pros to utilize a compromised platform like Discord is wishful thinking.
You will have better luck with an email address and sharing a public PGP key. Ricochet is an option too. That way no one has to compromise their anonymity.
A while ago I learned it was last updated on Nov 7, 2016 (v1.1.4) and also last audited Feb 15, 2016 (v1.2). Is it still worth recommending?
Here is the post for archival purposes:
Author: Sycoskater
Content:
>I am currently in a very bad financial situation and need some serious & professional advice regarding trading (specifically the Bitcoin Cash market).
>Am willing to pay at LEAST $500 (or more) for anyone who can help me.
>If you are a professional & experienced trader, please contact me here:
>ricochet:qtuwqyqojjm4qt73
>Please refrain from contacting me if you are not a professional/experienced trader!
>Thank you!
There is actually a great P2P alternative called https://ricochet.im that is 100% decentralised and open source but makes it impossible to determine the IP of the person you are chatting with because it acts as a Tor hidden service :) Check it out.
Signal's developers have said that they will add the ability to register with different kinds of identifiers at some point. It might just take time as other issues have higher priority. It’s good to keep in mind that the Signal dev team is very small and funded by grants and donations alone. In the meantime, think of Signal as an easy way to send end-to-end encrypted messages to people who you would otherwise contact via unencrypted SMS/MMS.
If you really need anonymity, though, consider using Ricochet instead of Telegram. Even after Signal's developers have added the ability to register with alternative identifiers and/or set usernames, you should still consider using Ricochet. It's end-to-end encrypted and hides your metadata by having each endpoint be a Tor hidden service. The only downside is that it is currently only available for Windows, Mac and Linux.
Yes. A social network based on onion, where every user has his own hidden service, which is his profile/blog.
I'm not a good explainer. Check Ricochet so you can get my point.
No. Even the Tor guys have been fighting the Great Firewall of China for years and will probably never truly win. And, unlike Tox, they actively try to hide their traffic instead of just encrypting it.
Tor is currently your best bet. Look into https://ricochet.im/
If you have serious privacy concerns like you're saying, and you're publishing it for free, would you perhaps be opposed to someone else publishing it to Google Play on your behalf instead? I am sure any number of developers out there would be open to contacting you anonymously via Ricochet (please, for your safety, use Tor and an encrypted messenger), and arrange for the transfer of the app.
OR, maybe even better, license the app and all of the assets under the most permissive license you can and put it on github or notabug via Tor from a fresh account. At the top of the readme.md, inform people of your fears of personal repercussions and encourage them to publish the app themselves. Then not only will it go to the Play Store, it'll be embedded in the next POC||GTFO to demonstrate some obscure form of steganography.