Corresponding ticket: [[!tails_ticket 8573]]
It would be nice to replace Pidgin with another secure IM client. Unfortunately no good alternative seems to exist today. To be able to decide, if another IM client would be a suitable replacement this document should list the requirements a client needs to fulfill to fit the bill.
The document can also list candidate clients together with some indication where they are lacking (and where they shine).
**Note**: this is a work in progress. See [[!tails_ticket 11686]]
and its blockers for the next steps.
**Note**: the key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
## General requirements
### Use cases
The client SHOULD support the following use cases:
1. Contributing to Free Software projects that use IRC chatrooms (and won't switch to anything else any time soon)
2. Contributing to Free Software projects that use XMPP chatrooms
3. One-to-one chat that is compatible with currently widespread practice. That basically means XMPP + OTR, nowadays.
4. Participation in public chatrooms for Tails user support.
The client MAY support the following use cases:
* One-to-one chat that protects metadata end-to-end (that is: "who is chatting with whom")
The client must be internationalized, ideally already translated in many languages - if not, adding new languages should be easy.
The client must have a easy to use GUI that makes it hard for users to use the client in an insecure way.
The client must support connections using TLS.
### Support for Tor
The client must support Tor and must not leak any private data (hostname, username, local IP, ...) at the application level.
### Support for OTR
The client must support OTR and should make it easy to enforce usage of OTR for all conversations or only for specific contacts.
Ideally, some usability study for the OTR user interface has been done.
TODO: Pidgin already has an apparmor profile; should we require that a replacement also comes with an apparmor profile?
The client MUST NOT save logs of conversations.
Suggested by sajolida on <https://mailman.boum.org/pipermail/tails-dev/2016-January/010123.html>:
* private group chat
* search and archive past public communications
## XMPP (Jabber)
*( Here is a [list](https://developer.pidgin.im/wiki/SupportedXEPs) of XMPP extensions supported by Pidgin )*
The client must support XMPP conference rooms [(XEP-0045)](https://xmpp.org/extensions/xep-0045.html).
The client must support SASL authentication.
# Candidate alternatives
* CoyIM only supports XMPP.
* CoyIM [is in Debian](https://tracker.debian.org/pkg/coyim)
* Support for multi-user chatrooms (MUC) is [in
progress](https://github.com/coyim/coyim/projects/2) and lacks some
important features such as having a persistent list of rooms
persistently saved in the configuration
* Supports Tor, TLS, OTR
* Supports creation of random accounts.
* Supports importing accounts from Pidgin.
* No logging, no clickable links.
* Not audited.
* Test results in Tails: [[!tails_ticket 8574]]
* implemented in GTK+/Vala
* supports XMPP and OMEMO; OTR support is
[not high on the todo list](https://github.com/dino/dino/issues/97)
* is [[!debpts dino-im desc="in Debian"]] Buster
* the Debian maintainer wants to add an AppArmor profile and got in
touch with intrigeri about it
XMPP client in Debian with plugins for OTR and [OMEMO](https://en.wikipedia.org/wiki/OMEMO) (Signal-like, [XEP-0384](http://xmpp.org/extensions/xep-0384.html)) but no IRC. Tickets were created and rejected some time ago
([[!tails_ticket 7868]] and [[!tails_ticket 11541]]) but might be worth
reconsidering after updating this blueprint ([[!tails_ticket 11686]]).
People from Security-in-a-Box have used it successfully in Tails.
Gajim ships with a plugin called "plugin installer" which allows a user to download new plugins. This sounds suspicious for security, because plugins are pieces of code running with full privilege. The implementation in Debian use unverified TLS connection, which is very very open to MITM. The development version has switched to verified HTTPS connection and is trying to make it more robust.
However, I think that Tails should not ship this plugin at all: it allows a user to download code without needing sudo. We could work debian-side to separate gajim-plugininstaller in a separate package so that Tails can choose not to install it?
## No longer viable
### Tor Messenger ([[!tails_ticket 8577]])
Tor Messenger is no more: https://blog.torproject.org/sunsetting-tor-messenger
* Documentation, downloads and tickets in Tor's [Trac](https://trac.torproject.org/projects/tor/wiki/doc/TorMessenger)
* Satisfies all our requirements (listed above, as of commit
`8e3157d5f4cd7894bca21adf6b95a6b49d9beb01`) except the TODO about
StartTLS (I bet it has the code for it though, since Thunderbird
supports it, but I in the GUI there is only "Enable SSL" as options
for IRC and XMPP).
* The GUI is very similar to Pidgin's, which might be a bonus point
since we are looking for a "Pidgin replacement".
* It has support for "temporary XMPP accounts" that require no
registration (no user input!) which would be useful for our support
channel (see [[!tails_ticket 11307]]).
* Tor Messenger provides Linux packages but is not in Debian :(
* FWIW: Tor Messenger got 30K USD funding in 2017!
* FWIW: anonym has been happy using it exclusively for chatting since
* _Instantbird_ (on which _Tor Messenger_ is based) is dead upstream
and is meant to be
[replaced by future improvements in _Thunderbird_'s chat features](http://blog.queze.net/post/2017/10/18/Thunderbird-is-the-next-version-of-Instantbird)
(although _Thunderbird_'s future is unclear as well). To follow
along, subscribe to the [[!mozbug 1409891 desc="meta tracking bug"]]
and the ones it depends on. The _Tor Messenger_ developers
and create a _Tor Communicator_ bundle based on _Thunderbird_, that
would handle both email and chat.