-
Notifications
You must be signed in to change notification settings - Fork 88
FAQ
###Why Pidgin? It's a security nightmare.
By far the most popular question and comment. Yes, libpurple has had vulnerabilities.
The reasons Pidgin is used:
- It is the only one that comes with usable API to automate message input and output from NH.py via IPC.
- It comes pre-installed with Tails live OS.
- It supports OTR that helps obfuscate use of TFC from IM-server.
The reason vulnerabilities in Pidgin do not matter:
The networked computer (NH) that Pidgin is running on never has access to private keys or plaintext messages. NH is not part of the trusted computing base (TCB), it's part of the network relaying ciphertexts. The same way compromising the software email-server uses to route end-to-end encrypted PGP-emails, compromise of NH relaying ciphertexts doesn't compromise security of TFC.
###Why Python?
TFC attempts to be as easy to audit as possible. Python also ensures re-distribution of the program is always done as source code (yes, they might be bytecode, but the decomplication is trivial). Cython is also audited and found well written and secure.
###Why data diodes instead of cutting opposing Tx-Rx pair from serial cables?
Limiting the direction of data flow with just one Tx-Rx pair and GND wire is certainly possible. It is however hard to guarantee firmware doesn't allow malicious remapping of pins that reverse signal direction. Data diode limits direction of data flow with laws of physics.
###End-to-end encrypted apps are better because it's easier to get people use them. Why advocate something this complex?
End-to-end encryption on a networked system might be more usable and it does increase security of all users in relative sense. But absolutely speaking, unless it actually stops the adversary, the benefit is very small. Making things more secure is trivially easy. Making things secure enough is insanely hard. TFC aims to do that. More security always creates more rules, layers and inconvenience, and while TFC is a step back in convenience and not a guaranteed solution, it at least gives the users a fighting chance. That being said, TFC is for everyone who consider it necessary to assess their threat model: adversaries doing CNE. Under such threat model, TFC is the easiest tool to use.
###Why not offer TFC as a product users can buy?
Computers, accessories and components ordered from manufacturers or subcontractors, or the finished products shipped to customers or retailers made by a theoretical company might be subjected to interdiction by intelligence establishments. Additionally, a company selling the products might be coerced by the government to add a backdoor under the pretext of national security. Security-wise, it's better to distribute TFC design to users who can buy inconspicuous, commercial off-the-shelf hardware of their own choosing, and build the data diodes and HWRNG themselves. An ideal finished product is a well written software and a guide on how to setup hardware, install TFC and use it securely.