Ricochet (software)

Ricochet
Developer(s) Blueprint for Free Speech
Initial release June 2014 [1]
Stable release 1.1.4 [2] [3] / 7 November 2016 (needs update: fork took over development, now at 3.0.15)
Written in C++
Operating system Windows, OS X, Linux, FreeBSD
License BSD-3-Clause [4]
Website www.ricochetrefresh.net

Ricochet or Ricochet IM is a free software, multi-platform, instant messaging software project originally developed by John Brooks [5] and later adopted as the official instant messaging client project of the Invisible.im group. [6] A goal of the Invisible.im group is to help people maintain privacy by developing a "metadata free" instant messaging client. [7]

History

Originally called Torsion IM, Ricochet was renamed in June 2014. [1] Ricochet is a modern alternative to TorChat, [8] which hasn't been updated in several years, and to Tor Messenger, which is discontinued. [9] On September 17, 2014, a Wired article by Kim Zetter announced that the Invisible.im group would be working with Brooks on further development of Ricochet. [5] Zetter also wrote that Ricochet's future plans included a protocol redesign and file-transfer capabilities. [5] The protocol redesign was implemented in April 2015. [10]

In February 2016, Ricochet's developers made public a security audit that had been sponsored by the Open Technology Fund and carried out by the NCC Group in November 2015. [11] The results of the audit were "reasonably positive". [12] The audit identified "multiple areas of improvement" and one vulnerability that could be used to deanonymize users. [11] According to Brooks, the vulnerability has been fixed as of 2016. [13]

Technology

Ricochet is a decentralized instant messenger, meaning there is no server to connect to and share metadata with. [8] Further, using Tor, Ricochet starts a Tor hidden service locally on a person's computer and can communicate only with other Ricochet users who are also running their own Ricochet-created Tor hidden services. This way, Ricochet communication never leaves the Tor network. A user screen name (example: ricochet:hslmfsg47dmcqctb) is auto-generated upon first starting Ricochet; the first half of the screen name is the word "ricochet", with the second half being the address of the Tor hidden service. Before two Ricochet users can talk, at least one of them must privately or publicly share their unique screen name in some way.
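
As an added example (not code from the Ricochet project), the Python below parses a contact ID of the form shown above and checks that its second half is the address derived from a given service key. It assumes the legacy 16-character (v2) onion address form seen in the example ID, where the address is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key; the function names are hypothetical.

```python
import base64
import hashlib
import re

# v2 onion label: 16 base32 characters (a-z, 2-7) encoding 80 bits.
# Assumption: legacy v2 form, as in the page's example ID. Longer
# (56-character) v3 addresses are deliberately rejected here.
_V2_LABEL = re.compile(r"[a-z2-7]{16}")


def parse_ricochet_id(contact_id: str) -> str:
    """Return the .onion hostname encoded in a 'ricochet:<label>' contact ID."""
    prefix, sep, label = contact_id.strip().partition(":")
    if sep != ":" or prefix != "ricochet":
        raise ValueError("contact ID must start with 'ricochet:'")
    if not _V2_LABEL.fullmatch(label):
        raise ValueError("label is not a 16-character base32 onion address")
    return label + ".onion"


def v2_label_from_pubkey(pubkey_der: bytes) -> str:
    """Derive the v2 onion label from a DER-encoded RSA public key."""
    digest = hashlib.sha1(pubkey_der).digest()
    # First 10 bytes (80 bits) -> exactly 16 base32 characters, no padding.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def id_matches_key(contact_id: str, pubkey_der: bytes) -> bool:
    """True if the contact ID is the address derived from this public key."""
    host = parse_ricochet_id(contact_id)
    return host[: -len(".onion")] == v2_label_from_pubkey(pubkey_der)


if __name__ == "__main__":
    # Example ID taken from the text above.
    print(parse_ricochet_id("ricochet:hslmfsg47dmcqctb"))
    # Constructed placeholder bytes standing in for a real DER public key.
    fake_key = b"constructed-placeholder-key-bytes"
    own_id = "ricochet:" + v2_label_from_pubkey(fake_key)
    print(own_id, id_matches_key(own_id, fake_key))
```

Because the address is a hash of the key, a contact ID received out of band also pins the key the peer must hold, which is why the ID has to be shared through a channel the recipient trusts.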

Privacy benefits

Correlation attack

From 2019 to 2021, Ricochet was used by the admins (as well as an undercover investigator) of the child porn onion site Boystown. To identify the perpetrators, German police used a correlation analysis attack. By sending Ricochet messages to perpetrators and monitoring several hundred Tor nodes for simultaneous traffic of the correct size, authorities were able to identify intermediate Tor nodes and then also the perpetrators' entry nodes, revealing the perpetrators' IP addresses. [14]

See also


References

  1. Brooks, John. "The name 'Torsion' is not ideal". GitHub. Archived from the original on 7 December 2018. Retrieved 13 January 2016.
  2. https://github.com/ricochet-im/ricochet/releases.
  3. "Release 1.1.4". 7 November 2016. Retrieved 15 March 2018.
  4. Brooks, John. "Ricochet / LICENSE". GitHub. Archived from the original on 7 September 2021. Retrieved 7 September 2021.
  5. Zetter, Kim (17 September 2014). "Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying". Wired. Condé Nast. Retrieved 2 November 2014.
  6. Invisible.im Team (17 September 2014). "2014-09-17: Update from the Invisible.im Team". invisible.im (Press release). Archived from the original on 9 January 2016. Retrieved 13 January 2016.
  7. ricochet-im. "ricochet-im/ricochet". GitHub. Archived from the original on 27 October 2014. Retrieved 2 November 2014.
  8. Hacker10 (23 March 2014). "Tor proxy anonymous Instant Messenger". hacker10.com (Blog). Archived from the original on 11 July 2021. Retrieved 13 January 2016.
  9. sukhbir. "Tor Messenger Beta Chat over Tor easily" (Blog). Tor Project. Archived from the original on 30 October 2015. Retrieved 13 January 2016.
  10. Brooks, John (11 April 2015). "Ricochet 1.1.0". GitHub. Archived from the original on 19 July 2020. Retrieved 13 January 2016.
  11. Hertz, Jesse; Jara-Ettinger, Patricio; Manning, Mark (15 February 2016). "Ricochet Security Assessment" (PDF). NCC Group. Archived (PDF) from the original on 13 January 2021. Retrieved 17 February 2016.
  12. Baraniuk, Chris (19 February 2016). "Tor: 'Mystery' spike in hidden addresses". BBC News. BBC. Archived from the original on 21 February 2016. Retrieved 19 February 2016.
  13. Cox, Joseph (17 February 2016). "'Ricochet', the Messenger That Beats Metadata, Passes Security Audit". Motherboard. Vice Media LLC. Archived from the original on 23 January 2017. Retrieved 17 February 2016.
  14. Dölle, Mirko (2024-09-19). "Boystown investigations: Catching criminals on the darknet with a stopwatch". heise online. Retrieved 2024-10-05.