Ricochet 1.1.4 fixes some common bugs and usability issues, updates Tor and other important dependencies, contains new and updated translations, and has other minor fixes. All users should update.
You didn't miss 1.1.3 -- it was used to solve a packaging problem, but wasn't ready for a full release. The changelog below includes all changes since version 1.1.2.
I apologize that this isn't the exciting-new-features release we've all been waiting for. Ricochet's development is volunteer-based, and in particular I haven't been able to dedicate as much energy to it as I've wanted to. There's a lot of interest and activity happening right now, and I think there will be some more interesting progress soon.
- Added translations for Albanian, Chinese (Hong Kong), Estonian, Italian (Italy), Norwegian Bokmål, and Portuguese (Portugal)
- Updated translations for Danish, German, Russian, Czech, and Turkish
- Use a software-only render to hopefully fix graphical and text issues (#367)
- Fix parsing of links containing certain sequences (#403, #372, no security impact)
- Fix 'dead keys' and other compose/ibus input methods with Linux binaries (#60)
- Fix Tor configuration with HTTP proxies (#418)
- Fix copying links with right click (#429)
- Use combined chat window by default (#355)
- Use an external tor instance when
- Fix visual bugs with window resizing during network setup
- Properly display the "X is already your contact" error (#439)
- Revise language selection UI to fit all of our languages (#473)
- Store identity keys in ricochet.json when Tor is new enough (#227)
- Disable ASAN by default for release builds (#341)
- Attempt to disable use of RWX memory for improved security
- Display configuration parsing errors correctly
- Add support for OpenSSL 1.1 (#444)
- Updated builds with Qt 5.6.2, OpenSSL 1.0.2j, and Tor 0.2.8.9
- Windows builds can now be cross-compiled with MinGW
- Re-issued macOS build as 220.127.116.11 to fix #480 (thanks @taoeffect!)
This release is possible thanks to contributions from:
Adalid Claure, basil sabee, Besnik, botherder, bungabunga, Chi-Hsun Tsai, Clon, git_in_my_anus, Grant Jacobson, Greg Slepak, HostFat, icesquare, Jacob Appelbaum, Joe Gallo, Jesper Hess Nielsen, Matt Traudt, Miguel de Moura, Mingye Wang, nomeutente, Per Peterson, Robin Burchell, Sam Schlinkert, Sascha Steinbiss, TolgaAydin, tran161, vaba, Ximin Luo, Zero King, anyone we forgot to mention, and everyone who reports bugs or supports the project.
Ricochet 1.1.2 fixes a vulnerability which could lead to user-assisted network deanonymization, improves contact connection reliability, and fixes a common stability issue.
We're also proud to release the results of an audit by NCC Group through the Open Technology Fund. The report validates Ricochet's security and provides a great outline of areas to improve in the near future.
By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address. The malicious nickname is clearly displayed, and no network activity takes place unless the request is accepted. We've addressed this vulnerability by sanitizing nicknames in all cases before display, rejecting contact requests with suspicious nicknames, and blocking any network requests at that layer.
Thanks to the incredible Sarah Jamie Lewis (@s-rah) for originally discovering this issue.
- Block all network requests to guard against potential deanonymization issues (#303)
- Reject contact requests with nicknames containing suspicious characters
- Sanitize nicknames before use in UI labels
- Fix a common crash when restarting an outbound connection attempt
- Fix a bug which caused connection attempts to contacts to stall until restarted (#295)
- Added translations for Hebrew, Slovenian, and Chinese
- Updated translations
- Updated to Qt 5.5.1, OpenSSL 1.0.1r, and Tor 0.2.7.6
- OS X builds now use AddressSanitizer for hardening
This release is made possible by contributions from:
Billy Burrows, John Brooks, Robin Burchell, Jeff Burdges, Colin Childs, Gabe Edwards, Patrick Gray, Kacper Kołodziej, Sarah Jamie Lewis, all of our translators, NCC Group and the Open Tech Fund, and many others.
Ricochet 1.1.1 comes with fixes for a variety of bugs, software updates, and several minor new features.
- Optionally play sounds when messages are received or contacts come online (#37, by qsodev)
- Language can now be changed in preferences (#172, patch by qsodev)
- Add Polish translation (by Kacper Kołodziej)
- Use a custom scrollbar to avoid buggy scrolling behavior
- Show the number of unread messages in the dock on OS X
- Improve UI icon quality
- Avoid bouncing the OS X dock icon indefinitely
- Fix clipboard behavior in some X11 environments
- Update to Qt 5.5.0, including fixes for a variety of text display issues
- Translation updates and fixes for many languages
- Use compiler hardening flags when available (by Isis Lovecruft)
- Add experimental apparmor and minijail sandboxing policies (by Jacob Appelbaum)
- Accept public keys generated by vanity address tools (#186, by Gabe Edwards)
- Fix a case where contacts would be stuck in the 'Rejected' category until manually removed
- Treat all random number generator failures as fatal (#164, #89, reported by mik235)
- Update Tor to 0.2.6.10, including a fix for a hidden service reliability issue
- Update OpenSSL to 1.0.1p
This release is made possible by contributions from:
Adeor, Gabe Edwards, I3rixon, Isis Lovecruft, Jacob Appelbaum, John Brooks, Jordi, Kacper Kołodziej, Michael Samuel, Millak, Peter Ludikovsky, Robin Burchell, Roger Dingledine, Sarah Jamie Lewis, ShionRyuu, corvinux, gus, ivopetkov, mijnheer, mik235, mkn, participante0, qsodev, rawtaz, reviewjolla, strel, tknv, and many others.
This major release switches to a safer and more extensible protocol, adds a brand new icon and 11 new language translations, and includes many UI fixes as well as security updates for Tor and OpenSSL.
Important note about old versions
This version is not "backwards compatible" with contacts that run Ricochet 1.0.4 or older. Your contacts must also update in order to chat again. You will keep your existing address and contacts.
To get everyone updated quickly, people running an older version will see an automatic message one time from their updated contacts. We intend to keep compatibility in the future, and to not need to resort to this method again.
This release fixes two issues in Tor, which allow an attacker to crash the tor client and force Ricochet offline. There is no possibility of exploitation or code execution through these bugs.
Blueprint for Free Speech generously sponsored the protocol changes, and is doing fantastic work for freedom of expression and whistleblowers.
This update was possible thanks to help and contributions from:
Robin Burchell, Patrick Gray, Suelette Dreyfus, Lawrence Eastland, HD Moore, The Grugq, Kevin Littlejohn, Jan Noertemann, Gabe Edwards, ivopetkovcz, Einfach, Mikkel Kroman, mijnheer, Meternalf, reviewjolla, rike, Creaprog, CrumpyGat, Jordi, franck99, Daniel James Smith, esqfax, swperman, vla8752, qualte, strel, rawtaz, taskmaster, cbolat, basarancaner, l3rixon, nergal, weedpatch2, yawnbox, and other anonymous contributors.
- Implement a new protocol, intended to improve safety and extensibility
- Brand new application icon (#11), contributed by Lawrence Eastland
- Add Bulgarian, Czech, German, Finnish, Tagalog, French, Dutch, Russian, Swedish, Turkish, and Ukranian translations
- Show a timestamp in chat when more than an hour has passed since the last message. Patch from Jan Noertemann and Robin Burchell
- Improve contact preferences UI design and behavior (#18)
- Refresh contact list UI design
- Make sure chat windows are always opened fully on screen (#85). Patch from Jan Noertemann.
- Fix windows not always flashing for new messages on Windows (#114). Patch from Jan Noertemann.
- Fix network setup getting stuck when tor fails to launch
- Correctly display newlines in chat messages (regression from 1.0.1)
- Remove the unnecessary hidden service self-test at startup (#26)
- Windows builds now use MinGW for better automation and compatibility
- Update to Qt 5.4.1, OpenSSL 1.0.1m, and Tor 0.2.6.7
This is a bugfix-only release for a handful of annoying or common problems, while work continues on protocol and design improvements. The next two months will be exciting: we're moving towards improved security, several much-needed features, and better support behind the project.
Thanks as always to everyone reporting bugs, making suggestions, contributing translations, and spreading the word about Ricochet.
Downloads and PGP signatures are available from https://ricochet.im/releases/1.0.4/
- Fixed a bug which caused the chat window to move erratically in some cases when receiving messages or scrolling (#76)
- Fixed "Configuration is already in use" errors appearing on startup after unexpected system reboots (#73)
- Improved documentation on building from source (#56, #57)
- Fixed Tor errors after moving Ricochet configuration between folders or computers (#59)
- Improved text input focus in "single window" mode
- Updated Spanish translation from strel
- Updated Brazilian Portuguese translation from swperman
- Updated Danish translation from @mkroman
- Updated OpenSSL to 1.0.1i
The Tor Project released today a security announcement regarding an anonymity attack carried out on users of hidden services, presumably by the authors of a withdrawn research talk.
I've written an explanation of what this means for users of Ricochet and similar programs, and the steps we'll be taking in the future to mitigate similar problems. This release includes a new version of Tor, which will help reduce the impact of these attacks in the future.
This release also moves configuration to a more flexible and reliable system (existing configuration is migrated automatically), adds a "single window" mode that combines the contact list and chat windows, includes new translations, and more.
Downloads and PGP signatures are also available from https://ricochet.im/releases/1.0.3/
- Updated tor to 0.2.4.23
- Migrated configuration to a more useful and robust system (#21)
- OS X bundles are now signed to remove Gatekeeper warnings
- Added optional 'single window' mode (#19)
- Added options to skip the "Open Browser" security nagging dialog
- The contact list shows the number of unread messages
- Added Danish translation by Mikkel Kroman
- Added Portuguese (Brazil) translation by swperman
- Fixed Windows installer on 32bit systems (also in 18.104.22.168)
- Fixed loading old platform-location configuration files (1.0.2 regression)
Formerly known as Torsion, now Ricochet. Along with changing the name, this release includes mostly minor fixes and packaging improvements. More substantial changes will be coming soon.
Existing configurations should continue to work after upgrading, including connections to contacts. If installing to a new directory, copy the
config.torsion folder to keep your identity and contacts.
Downloads and signatures are available from https://ricochet.im/releases/1.0.2/
- Renamed to Ricochet. Contact addresses now begin with
- Added Spanish translation, contributed by strel via Transifex
- Fix some characters like " being displayed incorrectly in chat messages (#36)
- OS X now supports automatic GPU switching
Torsion will be renamed in the next release; suggestions are welcome. Contact addresses and configuration will remain compatible.
Thanks to Antaon, HostFat, GIANNAT, and Anton for their contributions to this release, and to many others for reporting issues and sharing their thoughts.
- Updated to OpenSSL 1.0.1g for Windows and Linux static builds
- Added Italian translation, contributed by HostFat and GIANNAT via Transifex
- Added static Linux build, which can run without dependencies on most distributions
- URLs in chat are highlighted and can be copied or opened in the default browser (with a warning)
- Polished add contact UI to make usage clearer and explain validation problems
- Fixed display of hidden service state in Tor preferences
- Fixed rendering issues with message text on some platforms
- Fixed crash when pressing 'Remove' in contact preferences with nothing selected
- Fixed compatibility with older versions of OS X
- Improved debugging when bundled Tor fails to start
Torsion.exe - OS X:
Torsion.dmg - Linux (static):
First "real-world" release of an anonymous and decentralized instant messaging client for Tor.
See the README for more information.
torsion-1.0.0+git10-debian-static.tar.bz2 is an experimental statically linked build for Debian 7 (Wheezy).