Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement Omemo / Axolotl #376

Closed
ghost opened this issue Sep 15, 2015 · 76 comments
Closed

Implement Omemo / Axolotl #376

ghost opened this issue Sep 15, 2015 · 76 comments
Labels
Milestone

Comments

@ghost
Copy link

@ghost ghost commented Sep 15, 2015

It would be so great if ChatSecure supported Conversation's Omemo protocol for multi-party, multi-device OTR.

@chrisballinger chrisballinger changed the title Implement Omemo Implement Omemo / Axolotl Sep 15, 2015
@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Sep 15, 2015

It's on the roadmap! 🎉

@tristan-k
Copy link

@tristan-k tristan-k commented Jan 22, 2016

Soon we will be implementing OMEMO Encryption in ChatSecure iOS, and immediately contributing our OMEMO XEP code upstream to XMPPFramework so that other apps can benefit. We plan to utilize the pre-existing Objective-C library AxolotlKit, written by Frederic Jacobs, that has been used in production since the release of Open Whisper System’s Signal v2.0 for iOS. Unfortunately AxolotlKit is still currently GPL (and therefore not redistributable to the App Store) so this work is on hold until we can negotiate a change to an App Store-comptible copyleft license like LGPLv2 or MPL 2.0 from Fred and Moxie.

Written by Chris Ballinger — OCTOBER 02, 2015

Any update on this matter? Even though AxolotlKit is not redistributable in the App Store, why not make it possible to sideload the app for the more tech-savvy people?

@therob84
Copy link

@therob84 therob84 commented Feb 8, 2016

I am also waiting very eagerly that Conversations will get another app which supports OMEMO/Axolotl over XMPP.

Any news about this for chatsecure/ZOM (esp. for iOS) as the last official announcement is from october 2015

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Feb 8, 2016

This work is semi-permanently on hold because of the license conflict. Moxie said that the public specification for Axolotl is incomplete, so it will be impossible for us to produce an alternative implementation that isn't a derivative work of one of the GPL libraries.

@amenk
Copy link

@amenk amenk commented Feb 8, 2016

Can you explain? Isn't this thing here GPL? And why can't you use their axolotl implementation?

@amenk
Copy link

@amenk amenk commented Feb 8, 2016

Okay. I read above that AppStore does not allow GPL.. Sorry for the noise

@therob84
Copy link

@therob84 therob84 commented Feb 9, 2016

Thanks for clarification, Chris!
Although I like the idea that AppleIstore is/do not allowed to use GPL software, in this special case it is a pain, that the great OMEMO (Axolotl) protocol cannot be ported to any of the iOS Apps.....and thus is been hindered to become a more widespread alternative for XMPP...at least for iPhone users...which I unfortunately have in my circle of friends...

@chrisballinger Do you think there will be a breakthrough in porting OMEMO to any iOS App in the next....months? Or should we lay it to the graves?

btw: What I don't understand: e.g. Whattsapp also uses Axolotl encryption of TextSecure/Signal/OpenWhisperSystem, which also should be licensed under GPL, but is allowed in the AppleStore?
Where is the difference? Here are some more infos about, but not that I do understand it in detail :-/

@amenk
Copy link

@amenk amenk commented Feb 9, 2016

@therob84 It thinks WhatsApp does not encrypt end-to-end when chatting with iOS users
https://www.quora.com/Is-WhatsApp-encrypted-for-iPhone

@therob84
Copy link

@therob84 therob84 commented Feb 9, 2016

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Feb 9, 2016

Open Whisper Systems owns the full copyright on AxolotlKit so they can relicense it for distribution on the App Store for their own apps. They are currently licensing libaxolotl-java to WhatsApp for the Android version, but for whatever reason haven't yet done the same for WhatsApp iOS and AxolotlKit. I've been told there are no near-term plans to license AxolotlKit to other apps.

However, there may be a light at the end of the tunnel: https://github.com/SilentCircle/libsalamander

It appears that the Silent Circle team has implemented their own version of Axolotl using only the public specification and (presumably) avoided any reverse engineering of the GPL code. It is licensed Apache 2.0 so it could be used without issue on the App Store. I'm not sure if the key exchange is compatible with libaxolotl-java, among other things, so there is a chance it may not be compatible with Conversations current implementation of OMEMO.

@therob84
Copy link

@therob84 therob84 commented Feb 9, 2016

Thanks Chris for your kind and detailed reply.
So for non-programming users do you see anything which could be done to accelerate this process?

@therob84
Copy link

@therob84 therob84 commented Mar 24, 2016

@chrisballinger: Can you provide us with any progress or promising news as an easter surprise about the OMEMO-topic in ChatSecure for iOS or about libsalamander?

As I can't convince quite some people to use ChatSecure without supporting OMEMO under iOS, I find it a more and more urgent issue...Would be glad to read arguments for holding up hope....
Have nice eastern, cheers!

@dxerw
Copy link

@dxerw dxerw commented Mar 30, 2016

Damn the licensing..

@therob84
Copy link

@therob84 therob84 commented Apr 3, 2016

@dxerw .... can you comment on this in any way? Is it connnected with libsalamander?
Does it bring us nearer to OMEMO@iOS while beeing compatibel witht OMEMO@Conversations@Android?

Would be great, but I have not enough information on this to be near-term-optimist.......

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Apr 10, 2016

@therob84 It is literally impossible to make something compatible with the current OMEMO spec due to Open Whisper System's decision about licensing SignalProtocolKit. Even if we use another library implementing the Axolotl ratchet, the details of each implementation's protocol and handshake are different and incompatible.

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Apr 10, 2016

I just had an absolutely crazy idea that could potentially get around this issue. Legally it will probably not hold up in court, so this is more of a thought experiment.

The main issue with distributing other people's GPL code on the App Store is GPL section 6 which says "You may not impose any further restrictions on the recipients' exercise of the rights granted herein". The App Store imposes further restrictions regardless of a developer wants them in their release.

The only way to distribute this code without violating the GPL via Apple's restrictions would be to download an external JavaScript AxolotlV3 library on first launch and execute it via JavaScriptCore. The source code distribution would be a free download from an external server containing no restrictions on use. Regardless how the "linking" step is interpreted when running GPL code in a JavaScript interpreter that bridges to Obj-C, it will be the end user doing the linking after the original App Store binary distribution has occurred. The resulting combination cannot be redistributed, but that will fall on the end user and not the app distributor.

This would be similar to how proprietary programs can be used with GPL plugins as long as they are distributed separately and linked by the end user.

@therob84
Copy link

@therob84 therob84 commented Apr 11, 2016

thanks @chrisballinger for your statement.

I still hope the best and very welcome the (just) started inter-app-discussion about OMEMO (anurodhp/Monal#9) ... triggering long enaugh from all sides finally lead to the long needed (public visibly) teamwork between you all,
@chrisballinger (ChatSecure),
@iNPUTmice (Conversations),
@anurodhp (Monal) .....
Keep on this track!

@the-solipsist
Copy link

@the-solipsist the-solipsist commented May 12, 2016

@chrisballinger I don't see why your "crazy idea" is all that crazy. I think it circumvents the legal incompatibility rather cleverly.

Also, Moxie has noted that the Signal Protocol itself is okay to implement (no patent claims, etc.):
https://twitter.com/moxie/status/730289041493483520

Older versions of the protocol (as Axolotl Ratchet) were under the public domain:
https://github.com/trevp/double_ratchet/wiki#ipr

There is one other double-ratchet described here:
https://crypto.cat/security.html

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented May 12, 2016

It seems like our funder will not allow us to implement any of these.

On Thu, May 12, 2016 at 12:33 PM, the-solipsist notifications@github.com
wrote:

@chrisballinger https://github.com/chrisballinger I don't see why your
"crazy idea" is all that crazy. I think it circumvents the legal
incompatibility rather cleverly.


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#376 (comment)

@therob84
Copy link

@therob84 therob84 commented May 12, 2016

@chrisballinger: what? I can't beleive that your funder want to miss the (in my eyes) most promising development of the last time in pushing XMPP forward for wide-spread using in terms of security...?
You are just joking, right?!

So there is no light at the end of the tunnel to give me a chance to use XMPP with my iOS friends?
...Very sad....
But thanks for beeing clear about that...

@dreamflasher
Copy link

@dreamflasher dreamflasher commented Aug 26, 2016

Hi Chris, how is it going with the application integration? Thanks for an update! :)

@Asara
Copy link

@Asara Asara commented Aug 31, 2016

I am also curious about omemo integration. Chatsecure's lack of it is essentially the only reason for not migrating from Signal.

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Sep 9, 2016

Just got back from vacation! Expect to see some good progress soon

On Tue, Aug 30, 2016 at 5:16 PM, Asara notifications@github.com wrote:

I am also curious about omemo integration. Chatsecure's lack of it is
essentially the only reason for not migrating from Signal.


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#376 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAfqHwKARfGzcXxDaaX_fF7YdE2J-LqSks5qlMf7gaJpZM4F9dxj
.

@jsmith000
Copy link

@jsmith000 jsmith000 commented Oct 6, 2016

Should we expect an update this month? :)

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Oct 6, 2016

Yesterday we decrypted our first OMEMO message from Conversations. Encryption is pretty close as well, and if all goes to plan we should be able to send our first encrypted message later today. Took a long time to develop all the individual pieces in a modular, reusable, well documented way, and it feels great to see them fall into place.

The big blocker for release is properly choosing and displaying the crypto state (plaintext/OTR/OMEMO), and fingerprint / device management UI. There is also a concern about security risks associated with stale devices brought up in the OMEMO security audit, so we need to work with @iNPUTmice for a shared solution on that.

@therob84
Copy link

@therob84 therob84 commented Oct 6, 2016

Really really awsome your work!
Good that you stayed in contact with @iNPUTmice
https://github.com/iNPUTmice and Anu Pokharel here and in monal-forum.
Keep on this great work! I hope it will help spread omemo into the
world. Thanks for letting us know your progress!

@therob84
Copy link

@therob84 therob84 commented Nov 1, 2016

hey @chrisballinger ... how your hard work is going these days? Still satisfied with the results?
I guess you know a lot of people are eager to read some news.....maybe also a ROUGH release date for ChatSecure with OMEMO? Best regards, Robert

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Nov 1, 2016

Everything works as far as the OMEMO encryption itself, but we are currently fixing things we broke before we release a beta, and polishing some new UI.

Aiming for a beta release next week?

@therob84
Copy link

@therob84 therob84 commented Nov 1, 2016

@chrisballinger ... As I hoped at least YOU got my intention exactly right and you found worth to spent this 20 seconds for a fast and constructive note here - thanks, very friendly!!

P.S.:...On both your twitter streams I couldn't find anything with similar news content, Daniel, which is the reason why I repeatedly misused this issue tracker...just in lack of appropriate other media. Or would you suggest to "Shut up if you can't contribute anything to the project" (which I can't at this stage, unfortunately)? (rhetorical question!)

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Nov 1, 2016

@therob84 unfortunately I don't update social media very often. I think it's okay to poke us occasionally, just don't go overboard.

Estimating how long software will take is one of the unsolved problems of software development: https://www.quora.com/Why-are-software-development-task-estimations-regularly-off-by-a-factor-of-2-3

@Asara
Copy link

@Asara Asara commented Nov 3, 2016

@chrisballinger
Thanks for the update. I personally don't have an iOS device but am eagerly waiting for OMEMO support. Currently there is no good alternative for Signal because of the lack of OMEMO.

I use LibreSignal and it is no longer being updated/expires in a couple of days, and as such the next best solution is XMPP + OMEMO. Once this is complete, we will have the best solution, and you are appreciated greatly.

Thanks for the awesome work.

@dreamflasher
Copy link

@dreamflasher dreamflasher commented Nov 4, 2016

This is all about ChatSecure for iOS right? So ChatSecure for Android is dead and will never support OMEMO?

@joostrijneveld
Copy link

@joostrijneveld joostrijneveld commented Nov 4, 2016

On Android, I would not immediately see a benefit of competing with Conversations, with which ChatSecure-iOS will ideally be fully compatible..

@hex-m
Copy link

@hex-m hex-m commented Nov 4, 2016

@dreamflasher
Copy link

@dreamflasher dreamflasher commented Nov 4, 2016

Exactly, that was a year ago, that's why I am asking, a year is a long time, anything can change :)

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Nov 4, 2016

ChatSecure Android is deprecated and there are no plans to change that. The code lives on as Zom Android but it might not be your flavor. I was originally thinking of skinning Conversations to make a new ChatSecure Android, but we don't have the resources to keep it up to date with the latest upstream, and it wouldn't really offer much beyond a different skin.

@dreamflasher
Copy link

@dreamflasher dreamflasher commented Nov 5, 2016

Thank you @chrisballinger -- I am interested in an alternative for Conversations because it is currently too difficult to use for non-tech people. The biggest hurdly is the installation, people are not willing to spend the money in the playstore for an app that nobody of their peers except me is using, and then downloading the f-droid apk, changing the settings to allow external apk, that's all too difficult.

@lovetox
Copy link

@lovetox lovetox commented Nov 5, 2016

so basically your friends dont want to spend 3 dollar/euro once to chat with you?

thats a really good reason to develop a whole client that does nothing different but not costing 3 dollar/euro. i will start to develop this for you today !

@Mikaela
Copy link

@Mikaela Mikaela commented Nov 5, 2016

so basically your friends dont want to spend 3 dollar/euro once to chat with you?

What if these friends don't own a payment card or don't want to feed it's detailts to Google (or anywhere else by that matter) or happen to be without any financial support and need this 3€ to food?

@dreamflasher
Copy link

@dreamflasher dreamflasher commented Nov 5, 2016

@lovetox That's the developer speaking. Well, yes exactly, nobody would spend 3 dollar if there are hundreds of free clients. Clients all their friends are using. The question I need to answer them is: "Why can't you just use Whatsapp, Facebook or Telegram as everyone else? They are all encrypted now too!" Paying 3$ means friction. Friction that will slow down the spread of Conversations.

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Nov 5, 2016

If I were Daniel I'd make Conversations free to download but include more in-app purchases and enable them for users who downloaded the app before a certain date. However it's his app and he can do whatever works best for him.

That said, I believe that Zom Android will get OMEMO support at some point in 2017.

@amenk
Copy link

@amenk amenk commented Nov 5, 2016

@chrisballinger
Copy link
Member

@chrisballinger chrisballinger commented Dec 7, 2016

I'd say this issue is resolved! Stay tuned for the 4.0 release.

@vanitasvitae
Copy link

@vanitasvitae vanitasvitae commented Dec 7, 2016

That's really great news!

@Asara
Copy link

@Asara Asara commented Dec 7, 2016

Thank you so much!

@AtosNicoS
Copy link

@AtosNicoS AtosNicoS commented Nov 29, 2018

Chatsecure is not listed as fully supported in this chart:
http://omemo.top

Is this information out of date or what is missing in chatsecure? Does omemo work for a group chat?

@hermann-san
Copy link

@hermann-san hermann-san commented Jan 15, 2020

having the OMEMO list changed was requested in Oct. 2019
bascht/omemo-top#189

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
You can’t perform that action at this time.