Implement Omemo / Axolotl #376
Comments
It's on the roadmap! 🎉 |
Any update on this matter? Even though AxolotlKit is not redistributable in the App Store, why not make it possible to sideload the app for the more tech-savvy people? |
I am also waiting very eagerly that Conversations will get another app which supports OMEMO/Axolotl over XMPP. Any news about this for chatsecure/ZOM (esp. for iOS) as the last official announcement is from October 2015 |
This work is semi-permanently on hold because of the license conflict. Moxie said that the public specification for Axolotl is incomplete, so it will be impossible for us to produce an alternative implementation that isn't a derivative work of one of the GPL libraries. |
Can you explain? Isn't this thing here GPL? And why can't you use their axolotl implementation? |
Okay. I read above that AppStore does not allow GPL.. Sorry for the noise |
Thanks for clarification, Chris! @chrisballinger Do you think there will be a breakthrough in porting OMEMO to any iOS App in the next....months? Or should we lay it to the graves? btw: What I don't understand: e.g. WhatsApp also uses Axolotl encryption of TextSecure/Signal/OpenWhisperSystem, which also should be licensed under GPL, but is allowed in the AppleStore? |
@therob84 I think WhatsApp does not encrypt end-to-end when chatting with iOS users |
OK, for WhatsApp this could be true.
But what about Signal/OpenWhisperSystem in general, which I think uses
E2E encryption at iOS?
https://whispersystems.org/blog/the-new-signal/
It is stated for iOS that also group messages are E2Eenc, which means
they have to use Axolotl, right? (Is here a difference in XMPP and
non-XMPP in this legal-stuff?)
|
Open Whisper Systems owns the full copyright on AxolotlKit so they can relicense it for distribution on the App Store for their own apps. They are currently licensing libaxolotl-java to WhatsApp for the Android version, but for whatever reason haven't yet done the same for WhatsApp iOS and AxolotlKit. I've been told there are no near-term plans to license AxolotlKit to other apps. However, there may be a light at the end of the tunnel: https://github.com/SilentCircle/libsalamander It appears that the Silent Circle team has implemented their own version of Axolotl using only the public specification and (presumably) avoided any reverse engineering of the GPL code. It is licensed Apache 2.0 so it could be used without issue on the App Store. I'm not sure if the key exchange is compatible with libaxolotl-java, among other things, so there is a chance it may not be compatible with Conversations' current implementation of OMEMO. |
Thanks Chris for your kind and detailed reply. |
@chrisballinger: Can you provide us with any progress or promising news as an easter surprise about the OMEMO-topic in ChatSecure for iOS or about libsalamander? As I can't convince quite some people to use ChatSecure without supporting OMEMO under iOS, I find it a more and more urgent issue...Would be glad to read arguments for holding up hope.... |
Damn the licensing.. |
@dxerw .... can you comment on this in any way? Is it connected with libsalamander? Would be great, but I have not enough information on this to be near-term-optimist....... |
@therob84 It is literally impossible to make something compatible with the current OMEMO spec due to Open Whisper System's decision about licensing SignalProtocolKit. Even if we use another library implementing the Axolotl ratchet, the details of each implementation's protocol and handshake are different and incompatible. |
I just had an absolutely crazy idea that could potentially get around this issue. Legally it will probably not hold up in court, so this is more of a thought experiment. The main issue with distributing other people's GPL code on the App Store is GPL section 6 which says "You may not impose any further restrictions on the recipients' exercise of the rights granted herein". The App Store imposes further restrictions regardless of whether a developer wants them in their release. The only way to distribute this code without violating the GPL via Apple's restrictions would be to download an external JavaScript AxolotlV3 library on first launch and execute it via JavaScriptCore. The source code distribution would be a free download from an external server containing no restrictions on use. Regardless how the "linking" step is interpreted when running GPL code in a JavaScript interpreter that bridges to Obj-C, it will be the end user doing the linking after the original App Store binary distribution has occurred. The resulting combination cannot be redistributed, but that will fall on the end user and not the app distributor. This would be similar to how proprietary programs can be used with GPL plugins as long as they are distributed separately and linked by the end user. |
thanks @chrisballinger for your statement. I still hope the best and very welcome the (just) started inter-app-discussion about OMEMO (https://github.com/anurodhp/Monal/issues/9) ... triggering long enough from all sides finally lead to the long needed (public visibly) teamwork between you all, |
@chrisballinger I don't see why your "crazy idea" is all that crazy. I think it circumvents the legal incompatibility rather cleverly. Also, Moxie has noted that the Signal Protocol itself is okay to implement (no patent claims, etc.): Older versions of the protocol (as Axolotl Ratchet) were under the public domain: There is one other double-ratchet described here: |
It seems like our funder will not allow us to implement any of these. |
@chrisballinger: what? I can't believe that your funder wants to miss the (in my eyes) most promising development of the last time in pushing XMPP forward for wide-spread using in terms of security...? So there is no light at the end of the tunnel to give me a chance to use XMPP with my iOS friends? |
Just got back from vacation! Expect to see some good progress soon |
Should we expect an update this month? :) |
Yesterday we decrypted our first OMEMO message from Conversations. Encryption is pretty close as well, and if all goes to plan we should be able to send our first encrypted message later today. Took a long time to develop all the individual pieces in a modular, reusable, well documented way, and it feels great to see them fall into place. The big blocker for release is properly choosing and displaying the crypto state (plaintext/OTR/OMEMO), and fingerprint / device management UI. There is also a concern about security risks associated with stale devices brought up in the OMEMO security audit, so we need to work with @iNPUTmice for a shared solution on that. |
Really really awesome your work! |
hey @chrisballinger ... how is your hard work going these days? Still satisfied with the results? |
Everything works as far as the OMEMO encryption itself, but we are currently fixing things we broke before we release a beta, and polishing some new UI. Aiming for a beta release next week? |
@chrisballinger ... As I hoped at least YOU got my intention exactly right and you found worth to spent this 20 seconds for a fast and constructive note here - thanks, very friendly!! P.S.:...On both your twitter streams I couldn't find anything with similar news content, Daniel, which is the reason why I repeatedly misused this issue tracker...just in lack of appropriate other media. Or would you suggest to "Shut up if you can't contribute anything to the project" (which I can't at this stage, unfortunately)? (rhetorical question!) |
@therob84 unfortunately I don't update social media very often. I think it's okay to poke us occasionally, just don't go overboard. Estimating how long software will take is one of the unsolved problems of software development: https://www.quora.com/Why-are-software-development-task-estimations-regularly-off-by-a-factor-of-2-3 |
@chrisballinger I use LibreSignal and it is no longer being updated/expires in a couple of days, and as such the next best solution is XMPP + OMEMO. Once this is complete, we will have the best solution, and you are appreciated greatly. Thanks for the awesome work. |
This is all about ChatSecure for iOS right? So ChatSecure for Android is dead and will never support OMEMO? |
On Android, I would not immediately see a benefit of competing with Conversations, with which ChatSecure-iOS will ideally be fully compatible.. |
@dreamflasher: @chrisballinger blogged about this a year ago. https://chatsecure.org/blog/chatsecure-conversations-zom/ |
Exactly, that was a year ago, that's why I am asking, a year is a long time, anything can change :) |
ChatSecure Android is deprecated and there are no plans to change that. The code lives on as Zom Android but it might not be your flavor. I was originally thinking of skinning Conversations to make a new ChatSecure Android, but we don't have the resources to keep it up to date with the latest upstream, and it wouldn't really offer much beyond a different skin. |
Thank you @chrisballinger -- I am interested in an alternative for Conversations because it is currently too difficult to use for non-tech people. The biggest hurdle is the installation, people are not willing to spend the money in the playstore for an app that nobody of their peers except me is using, and then downloading the f-droid apk, changing the settings to allow external apk, that's all too difficult. |
so basically your friends don't want to spend 3 dollar/euro once to chat with you? that's a really good reason to develop a whole client that does nothing different but not costing 3 dollar/euro. i will start to develop this for you today ! |
What if these friends don't own a payment card or don't want to feed its details to Google (or anywhere else by that matter) or happen to be without any financial support and need this 3€ for food? |
@lovetox That's the developer speaking. Well, yes exactly, nobody would spend 3 dollar if there are hundreds of free clients. Clients all their friends are using. The question I need to answer them is: "Why can't you just use WhatsApp, Facebook or Telegram as everyone else? They are all encrypted now too!" Paying 3$ means friction. Friction that will slow down the spread of Conversations. |
If I were Daniel I'd make Conversations free to download but include more in-app purchases and enable them for users who downloaded the app before a certain date. However it's his app and he can do whatever works best for him. That said, I believe that Zom Android will get OMEMO support at some point in 2017. |
One problem is there: countries where Google payment services are not
available.
|
I'd say this issue is resolved! Stay tuned for the 4.0 release. |
That's really great news! |
Thank you so much! |
Chatsecure is not listed as fully supported in this chart: Is this information out of date or what is missing in chatsecure? Does omemo work for a group chat? |
having the OMEMO list changed was requested in Oct. 2019 |
I'm not sure what should be done. Opening a new issue to request updating the page? |
@tuxayo Group OMEMO is supported >2 years, what do you mean? |
It would be so great if ChatSecure supported Conversation's Omemo protocol for multi-party, multi-device OTR.