About website: why there's no .onion version of Ricochet website? #7

Open
ghost opened this issue Jan 7, 2017 · 6 comments
ghost commented Jan 7, 2017

Ricochet - Anonymous instant messaging for real privacy

I think Ricochet.im needs a .onion version of the webpage.
Other open-source projects like Privoxy have Clearnet and Onion access.

Member

special commented Jan 7, 2017

Yes, we do need one. My main concern is avoiding any risk of people downloading Ricochet binaries from fake .onion addresses.

We could just publish the .onion address on ricochet.im, in the application, and a few other places. This means relying on people to get it from a trusted source, but that's about as good as most things have right now.

The alternative would be getting an EV SSL certificate for the .onion address, similar to facebook and blockchain.info. That's >$200/yr, and would require registering a legal entity to represent Ricochet.

I'll play with setting the simple version up at some point.

Author

ghost commented Jan 13, 2017

You don't need an SSL cert for .onion; the connection is already encrypted.

  1. All you have to do is create a GPG|PGP key with your dereference email address (dummy is ok: [email protected]).
  2. Publish your "public key" to keyservers (pgp.mit.edu).
  3. Then, "sign your text and publish it" to the ricochet.im website and GitHub. This can't be tampered with.

Author

ghost commented Jan 13, 2017

Take a look at how Privoxy supports a dual website: https://www.privoxy.org/ (onion link is below)


jpt commented Jan 17, 2017

@githubbantor SSL cert would be EV (extended verification) SSL cert, which establishes trust; a lawyer needs to verify the address of the domain holder, so you can reasonably expect you're not being duped into a fake site if there is an EV SSL cert for a company with a name like Ricochet, Inc, or whatever.

On the other hand, it usually doesn't take much effort or money to register a company with the same name as another company in a different US state, so maybe this would ultimately create a new problem by solving another? Or is that a crazy thing that would never happen?

I would guess @special's first suggestion, of publishing the address in a few places (app, website, Wikipedia, on a verified Twitter account, etc) is the one that would be more acceptable to the community anyway, but that's just a hunch.

Author

ghost commented Jan 3, 2018


jpt commented Jan 3, 2018

if this gets done, it'd make sense to include a disclaimer on the onion site to the effect of 'tor-over-tor is a bad idea, so feel free to download ricochet over tor, but don't make a habit of using ricochet itself over tor'
