coyim - a safe and secure chat client

Overview

CoyIM - a safe and secure chat client

Build Status Coverage Status

CoyIM is a new client for the XMPP protocol. It is built upon https://github.com/agl/xmpp-client and https://github.com/coyim/otr3. It adds a graphical user interface and implies safe and secure options by default. Our ambition is that it should be possible for even the most high-risk people on the planet to safely use CoyIM, without having to make any configuration changes.

To do this, CoyIM has OTR enabled and uses Tor by default. Besides that, it will only use the Tor Onion Service for a known server and also uses TLS and TLS certificates to verify the connection - no configuration required. The implementation is written in the Go language, to avoid many common types of vulnerabilities that come from using unsafe languages.

Security warning

CoyIM is currently under active development. There have been no security audits of the code, and you should currently not use this for anything sensitive.

Getting started

Using CoyIM is very simple: you just need to download the executable file from the project's home page and then run it.

When you first launch CoyIM, a wizard will appear. If you already have a Jabber client installed and configured for OTR encryption in your computer, you can use this wizard to import your account settings as well as your OTR keys, and your contacts' fingerprints. By importing them, you won't have to do anything else to use CoyIM just as you used your former client.

If you don't import your account settings, keys and fingerprints through the wizard that opens at the first launch, you can still import them by going to Accounts -> Import at a later stage.

If the client you have been using so far is Pidgin, you will find the files you need to import in the .purple directory in your home.

If you want to know more about the features you will and will not find in CoyIM, read this page.

Building CoyIM

Please note: Important requirements for building CoyIM are also git and golang (at least version 1.11).

The GUI version requires GTK+ >= 3.12, which installation depends on your OS:

Ubuntu:

sudo apt-get install gtk+3.0 libgtk-3-dev

MacOS:

brew install gnome-icon-theme
brew install gtk+3 gtk-mac-integration

Then install CoyIM:

export GTK_VERSION=$(pkg-config --modversion gtk+-3.0 | tr . _ | cut -d '_' -f 1-2)
go get -u -tags "gtk_${GTK_VERSION}" github.com/coyim/coyim

Contributing to CoyIM

We have instructions to help you get started contributing to CoyIM.

Reproducibility

CoyIM supports reproducible builds for Linux on AMD64. See REPRODUCIBILITY for instructions on how to build or verify these builds.

Comments
  • Add in-band password change.

    Add in-band password change.

    Users should be able to change password for their accounts. This is part of XEP-0077 and support on a majority of servers.

    https://xmpp.org/extensions/xep-0077.html#registrar-formtypes-changepassword

    feature basic im feature 
    opened by xSmurf 43
  • Display notification when someone gets to be an admin (10.6)

    Display notification when someone gets to be an admin (10.6)

    All other people that are currently in a room should see a notification when someone is added as admin. This should be visible in the conversation view, but also be updated in the roster. The message might look something like this: "user1 gave admin status to user2", or something like that. If a reason is given, that should also be displayed.

    Note: Please see the reference on https://xmpp.org/extensions/xep-0045.html

    MUC MUC - Room Owner Capabilities Functionality Priority: Now Estimate - small State: Done 
    opened by Cris2760 38
  • CoyIM in buster freeze up

    CoyIM in buster freeze up

    Whonix 15 going to be released soon based on Debian Buster. Im testing CoyIM and i discovered its not connecting either its freeze up on registration or shutdown itself.

    steps to reproduce very easy just try to make it work/connect normally and it just wont continue. Terminal log:

    [email protected]:~$ coyim 
    
    (CoyIM:3353): dbind-WARNING **: 17:17:40.507: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: The name org.a11y.Bus was not provided by any .service files
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x8c6487]
    
    goroutine 9 [running]:
    github.com/twstrike/coyim/gui.requestAndRenderRegistrationForm(0xc000026640, 0x19, 0xc00006a0c0, 0xd77bb0, 0xde9460, 0xc0000948a0, 0x0, 0x0)
    	github.com/twstrike/coyim/gui/registration.go:83 +0x1a7
    github.com/twstrike/coyim/gui.(*gtkUI).showServerSelectionWindow.func1.2(0xc000068180, 0xc00006a0c0, 0xc000182750, 0xdf9540, 0xc00001f5b0, 0xc0001aa0c0)
    	github.com/twstrike/coyim/gui/account.go:170 +0x7f
    created by github.com/twstrike/coyim/gui.(*gtkUI).showServerSelectionWindow.func1
    	github.com/twstrike/coyim/gui/account.go:169 +0x6c6
    [email protected]:~$ 
    

    Screenshot where it freeze:

    coyimissue

    opened by TNTBOMBOM 35
  • Make OTR mandatory

    Make OTR mandatory

    In a discussion @brl proposed that OTR should be mandatory in CoyIM - we shouldn't even have the option to turn it off. Thinking about it, I like it more and more. Thoughts/comments/discussion here, please!

    security feature distinguishing feature 
    opened by olabini 26
  • TLS Certificate verification

    TLS Certificate verification

    Including possibility of manually trusting a cert. These are the specific pieces of functionality I think we need:

    • [x] Trusting the certificate temporarily
    • [x] Setting for manual approval of everything
    • [x] Show connection info per account, right click or something
    • [x] Look at parents of certs
    • [x] Save more than one valid cert
    • [x] Pin certs
    • [x] Recognize the google situation
    • [x] Edit list of saved certs
    • [x] Certs are saved per account
    feature 
    opened by olabini 26
  • Importing Pidgin configuration is broken.

    Importing Pidgin configuration is broken.

    As a user, when I get prompted to import user data and I see my accounts listed which I want to import and I click on adding these accounts, nothing happens.

    I was expecting that these accounts would be imported as I clearly added them explicitly.

    This happens on Coy 0.3.1. I run: Ubuntu 14.04.4 LTS \n \l ii pidgin 1:2.10.9-0ubuntu3.2 amd64 graphical multi-protocol instant messaging client for X

    bug 
    opened by filternetz 22
  • Destroy a room (10.9)

    Destroy a room (10.9)

    This functionality allows an owner to destroy a room they are in. The destruction can take an optional reason, an optional alternative room, and an optional password for this alternative room.

    After the destruction, the room view should display in the same way as described as in #657 - except there should be an option for the owner to have the room view window be closed directly after the destruction.

    If the destruction fails, a notification should be shown to the owner - probably not in the conversation view, but somewhere else.

    (should we have a different functionality for destroying a room you're not currently in? Is that even possible?)

    Note: Please see the reference on https://xmpp.org/extensions/xep-0045.html

    MUC MUC - Room Owner Capabilities Functionality Priority: Now Estimate - medium State: Done 
    opened by Cris2760 19
  • Display notification when someone gets to be a moderator (9.6)

    Display notification when someone gets to be a moderator (9.6)

    When a person has their role changed to being a moderator, a notification should be displayed to any other user in the conversation view. This should include who changed the status, what the new status is, and the optional reason.

    Note: Please see the reference on https://xmpp.org/extensions/xep-0045.html

    MUC MUC - Admin Capabilities Functionality Priority: Now Estimate - small State: Done 
    opened by Cris2760 19
  • Accounts dont show up after i close and open CoyIM

    Accounts dont show up after i close and open CoyIM

    Hello,so i add all my 3 XMPP Accounts,i close and then open CoyIM and only 1 is left when i reopen it.The really weird thing is that in my accounts.json all my accounts are there,and if i try to readd it i get that this account is already added but i cant see/connect to it.

    Any tips?

    Thank you!

    opened by AlexIsNice 19
  • Grant admin status to a person that doesn't have it (10.6) (Optionally provide reason notified of success or failure of the admin grant)

    Grant admin status to a person that doesn't have it (10.6) (Optionally provide reason notified of success or failure of the admin grant)

    An administrator or owner can add administrator privileges to a person, changing their affiliation to "administrator". For now, for ease of development, we should give access to this functionality from the user panel in the roster. We should also consider how to do it for a user who is not actively in a room. For now, this could be a standalone dialog.

    When adding administrator privileges. you should be able to provide an optional reason for it.

    Note: Please see the reference on https://xmpp.org/extensions/xep-0045.html

    MUC MUC - Room Owner Capabilities Functionality Priority: Now Estimate - medium State: Test 
    opened by Cris2760 17
  • Create a configured room (10.1.3)

    Create a configured room (10.1.3)

    A room can have a lot of configuration options to set. Exactly what these are depends on the server and how it's configured - you will basically get a form to fill in. However, most other clients will show the form directly. This isn't necessarily great for usability, so for this story I think we should break up the different configuration options into different areas, or tabs, or something else that helps the user. We should show the most important or most common options first, and then the more advanced or weird ones. We also need to provide some kind of explanations and help for these.

    This story also needs to include validations of all the options and helpful feedback if you don't give the right values.

    Basically, this story extends the simple creation of a room, allowing you to add configuration options. We should probably not add a new menu option to access this, but instead allow you to add configuration options from the basic room creation dialog.

    Note: Please see the reference on https://xmpp.org/extensions/xep-0045.html

    MUC MUC - Room Creation Functionality Priority: Now Estimate - large State: Done 
    opened by Cris2760 16
  • Set up our own Homebrew tap

    Set up our own Homebrew tap

    For now, we can't publish a Cask in the main Homebrew repository. This is partly because of #853. So in the meantime, we should consider creating our own Tap, as outlined in https://docs.brew.sh/How-to-Create-and-Maintain-a-Tap

    For more information about Homebrew, see #178 and #241

    distribution release engineering os x 
    opened by olabiniV2 0
  • Investigate signing of OS X binaries again

    Investigate signing of OS X binaries again

    It seems like signing DMG's is a requirement for Homebrew these days, and it might also be necessary for ARM Mac's - which we also need to build for. For more information about the Homebrew side, #178 can be referenced. For the thoughts on signing, #703 and #241 are useful.

    distribution security feature release engineering os x Improvements Estimate - medium CI 
    opened by olabiniV2 0
  • RFC 9266: Channel Bindings for TLS 1.3 support

    RFC 9266: Channel Bindings for TLS 1.3 support

    Can you add the support of RFC 9266: Channel Bindings for TLS 1.3?

    • https://datatracker.ietf.org/doc/html/rfc9266

    Little details, to know easily:

    • tls-unique for TLS =< 1.2
    • tls-exporter for TLS = 1.3

    Thanks in advance.

    Linked to:

    • https://github.com/coyim/coyim/issues/536
    • https://github.com/coyim/coyim/commit/872cc35d7f7ed80c143fb931915e6415512dc9a1
    • https://github.com/coyim/coyim/commit/a91ae187324ecf7f4e2d6ed16337484c45eab57d
    • https://github.com/coyim/coyim/pull/845
    opened by Neustradamus 1
  • Support tls-exporter channel binding on TLS >= 1.3

    Support tls-exporter channel binding on TLS >= 1.3

    RFC 9266 will change the default channel binding type for TLS 1.3 (previously no channel bindings were defined and -PLUS SCRAM mechanisms were not available over TLS 1.3). This patch sets the new tls-exporter channel binding if the TLS version is >= 1.3 and uses the old tls-unique binding otherwise.

    opened by SamWhited 3
  • Specification of app features for comparison with other security focused messengers

    Specification of app features for comparison with other security focused messengers

    Here is the full list of uncompleted questions in this comparison, which currently does not include CoyIM. I was able to fill out some of them already. It would be great to hear from you guys and get some answers.

    About the app Price: free Repository: GitHub Software license: GPLv3 Availability: GitHub Client is available since: 2015? Comes without proprietary libraries:

    Platforms Available on Android: No Available on iOS: No Available on Windows: Yes Available on macOS: Yes Available on Linux: Yes Available via web client: No

    Privacy / Security / Anonymity Encryption protocol / library: OTR 3 Cryptographic primitives: End-to-end encryption: Yes End-to-end encrypted 2-user chat: Yes End-to-end encrypted group chat: E2EE is turned on by default: Local message encryption: Perfect forward secrecy is enforced: Certificate pinning is used: Directory service can be modified to enable a MITM attack: Contact verification possible: Contact can be added without needing to trust a directory server: Notification if contact's fingerprint changes: Contact's fingerprints can be verified manually: Yes Avoids / Protects metadata during use: Yes via onion routing Native Tor support: Yes (if installed) Last security audit: - Tracker integration (Exodus): No mobile app Use without phone number possible: Yes Use without Google Play Services possible: No mobile app Reasonably useful without sharing the contact list: Yes

    Ecosystem and developers Centralized / Federated / Decentralized: Federated Infrastructure hosting: Distributed server Open Source server: Transparency / Financing (Including donations): Transparency report: Legal jurisdiction: Jurisdiction of the devs/company: Funding:

    Functionality Visible if contacts are online: Audio-/Video-chats: Group chats: Voice messages: File exchange: Yes Read receipts: Editing sent messages: Self-destructing messages: Deleting sent messages locally: Deleting sent messages for both (2 user chat): Synchronization between multiple devices:

    Backup Storage location: Automated: Encrypted:

    opened by ghost 0
  • Reduce usage of untyped interface{} and casting

    Reduce usage of untyped interface{} and casting

    We have a large amount of places - especially in interactions with other parts of Coy - where the GUI uses the interface{} type and then casts it in different ways. Sometimes, we also use more specific types, but then do type-switches anyway. We should try to rely more on the compiler to help us give advice when we're doing things that are problematic by reducing use of type switches.

    There are two big areas where we should be extra careful with this. The first one is with all the MUC message code. Here, we wanted to separate the implementation of the data-types from the session/muc/data package from the representation of messages and other actions. For this reason, type-switches are used a lot - and in some cases just regular switches but based on pseudo-types, such as IsOwner, etc. We should move to using the Visitor pattern for most of these places.

    The other place is where we are interacting with different parts of GTK that is untyped. For example, in the ListModel storage, and also using GLib properties. In this places, we should implement wrapping structures or methods, and reduce the place that calls the untyped functionality as much as possible.

    refactoring tech debt 
    opened by olabiniV2 0
Releases(v0.4.1)
Owner
CoyIM messenger client
CoyIM messenger client
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

Minify and Secure Docker containers (free and open source!) Don't change anything in your Docker container image and minify it by up to 30x making it

docker-slim 15.5k Nov 25, 2022
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Filippo Valsorda 12.1k Nov 22, 2022
SingularityCE is the Community Edition of Singularity, an open source container platform designed to be simple, fast, and secure.

SingularityCE Guidelines for Contributing Pull Request Template Project License Documentation Support Citation SingularityCE is the Community Edition

Sylabs Inc. 371 Nov 21, 2022
Windows 11 TPM 2.0 and Secure Boot Setup.exe/Registry bypass written in Go.

Win11-Patcher Windows 11 TPM 2.0 and Secure Boot Setup.exe bypass written in Go. Compiling Requires Go (no shit) Requires a version of 7zip that you c

Fire 28 Oct 16, 2022
XXTEA is a fast and secure encryption algorithm.

XXTEA Golang Introduction xxtea is a fast and secure encryption algorithm. This project is the Golang implementation of the xxtea encryption algorithm

yanheng 2 Aug 3, 2022
QR secrets is a cryptographically secure mechanism to store secret data with the highest levels of security and store it on physical paper.

QR Secrets QR secrets is a cryptographically secure mechanism to store secret data with the highest levels of security. Incorporating; AES256-GCM-HKDF

Go Compile 0 Jan 12, 2022
Secure software enclave for storage of sensitive information in memory.

MemGuard Software enclave for storage of sensitive information in memory. This package attempts to reduce the likelihood of sensitive data being expos

Awn 2.2k Nov 29, 2022
How to systematically secure anything: a repository about security engineering

How to Secure Anything Security engineering is the discipline of building secure systems. Its lessons are not just applicable to computer security. In

Veeral Patel 9.5k Nov 21, 2022
Secure Remote Password library for Go

go-srp NOTE: This is a port of node-srp to Go. I recommend reading their README for general information about the use of SRP. Installation go get gith

Kong 38 Aug 8, 2022
A Go Library For Generating Random, Rule Based Passwords. Many Random, Much Secure.

Can Haz Password? A Go library for generating random, rule based passwords. Many random, much secure. Features Randomized password length (bounded). T

null 7 Dec 6, 2021
Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own endpoint.

?? security-slacker Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own e

Niels Hofmans 20 Nov 9, 2022
Secure Boot certificates from the Framework Laptop

Framework Laptop UEFI Secure Boot Certificates Source: Extracted from a live machine (FRANBMCP08) Date: 2021-10-21 KEK (Key Exchange Key) This certifi

Dustin L. Howett 20 Nov 21, 2022
linenoise is a library that generates strings of random characters that can be used as reasonably secure passwords.

linenoise linenoise is a library that generates strings of random characters (herein called a "noise") that can be used as reasonably secure passwords

Mark Cornick 0 Aug 21, 2022
Safely wiping your secure data in Golang

Go Wiper You can use this tool like a library or a ready program. If you thought in some times about safely data erasing, you have a great open-source

null 3 Aug 22, 2022
step-ca is an online certificate authority for secure, automated certificate management.

??️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Smallstep 4.9k Nov 25, 2022
Cossack Labs 1.1k Nov 25, 2022
Let's Encrypt client and ACME library written in Go

Let's Encrypt client and ACME library written in Go. Features ACME v2 RFC 8555 Register with CA Obtain certificates, both from scratch or with an exis

null 5.7k Nov 22, 2022
Let's Encrypt client and ACME library written in Go

Let's Encrypt client and ACME library written in Go. Features ACME v2 RFC 8555 Register with CA Obtain certificates, both from scratch or with an exis

null 5.7k Nov 28, 2022