Adium

Opened 9 years ago

Last modified 9 months ago

#559 new enhancement

GPG encryption

Reported by: adium-fg-164@baraddur.de Owned by:
Milestone: Good ideas for later Component: El Vision del Tick
Version: Severity: normal
Keywords: GPG, GnuPG, PGP, encryption Cc:
Patch Status:

Description (last modified by tick)

I would like to see end-to-end GnuPG(4*)-based encryption in Adium, compatible with other PSI/Jabber users. No sensible data should be passed over a unencrypted protocol. All IM-protocols are unencrypted. GnuPG for e-mail has a esthablished Web-Of-Trust which could be positivily adapted by the IM-protocol world.

There are 3 implementations to solve this problem:

  1. PSI(3*) and maybe other IM clients implement jep-27 (1*). "This document outlines the current usage of OpenPGP for messaging and presence."
  2. There is rfc-3923 (2*) which suggests: "End-to-End Signing and Object Encryption for the Extensible Messaging and Presence Protocol (XMPP)". (Afaik, it is not implemented)
  3. GAIM is using a gaim-only solution with a plugin.

Maybe I am wrong here so please tell my if need to contact the libgaim people.

[1] http://www.jabber.org/jeps/jep-0027.html

[2] http://www.ietf.org/rfc/rfc3923.txt

[3] http://psi.affinix.com/

[4] http://www.gnupg.org/

Change History (47)

comment:1 Changed 9 years ago by adamiser

  • Summary changed from adium to end-to-end GnuPG[4]-based encryption

comment:2 Changed 9 years ago by durin42

  • Milestone Adium X 0.90 (Old) deleted
  • priority changed from normal to low

maybe some day, this would be nice

comment:3 Changed 9 years ago by rzigweid@…

When I installed the PGP client for OS X, I noticed that it catches that one is using IM and says that it is starting an encrypted session. This is a feature that iChat uses too. From a birds eye view, it looks like the only thing that is missing is the ability to turn on the encryption for a chat session. I fully realize that this is a nieve and uninformed impression. There is more to it than that, but maybe less than originally was thought. I'd love to be able to plug this in. I choose Adium over iChat for a variety of reasons, but lacking the ability to encrypt seamelessly in AIM is a downer to me.

Remember, it's not paranoia if you know they are after you.

comment:4 Changed 9 years ago by dcclark

  • Keywords GPG GnuPG PGP encryption added

comment:5 Changed 8 years ago by cbarrett

This OTR page outlines reasons why simply encrypting the traffic is not sufficient.

That being said, a way to exchange (and verify) PGP signatures might be something worth looking into. Mostly as a way of establishing and proving identity.

I would be interested to know what the OTR team thinks of combining keyed encryption techniques with their wire protocol.

comment:6 Changed 8 years ago by tick

  • field_haspatch set to 0
  • Milestone set to Sometime after 1.0

comment:7 Changed 8 years ago by anonymous

i second this request as i have some chatpartners who uses otr and others who uses JEP-0027

comment:8 Changed 8 years ago by anonymous

i second this request as i have some chatpartners who uses otr and others who uses JEP-0027

comment:9 Changed 8 years ago by gaber@…

I belive in pgp in adium. :-)

comment:10 Changed 8 years ago by yetzt

i *really* want this.

comment:11 Changed 8 years ago by anonymous

I need that too. Started using gpg for my mails, so the next logical step would be encrypting IM. And since I have to take care of gpg certificates allready it would be great not to have to use some other kind of PK infrastructure for IM.

comment:12 follow-up: Changed 8 years ago by anonymous

The lack of this feature is the main showstopper why I cannot use Adium and have to use Psi instead, which integrates much worse with MacOS X.

comment:13 Changed 8 years ago by anonymous

i second that request too

comment:14 Changed 8 years ago by anonymous

me too....add it and i will try it out, if not i'm not downloading it

comment:15 Changed 8 years ago by jojoo

this is the only reason why i skipped to PSI. i really really want this

comment:16 Changed 8 years ago by cbarrett

I am confused as to what exactly PGP will give you that OTR cannot.

comment:17 Changed 8 years ago by Sebastian Steinmetz

PGP is more common? Encryption via Jabber is always GPG, not OTR. In fact, i know no one, who is actually using OTR.

I would be very glad, if this could be implemented in Adium!

comment:18 follow-up: Changed 8 years ago by nox

The most crucial thing Adium is lacking at the moment is in my opinion end-to-end encryption using GnuPG like Psi/Jabber.

Using PGP is the obvious choice of encryption-algorithm, GnuPG is the unofficial standard among PGP-users.
It's all good and well that Adium is extremely cute, but it would be superior if it was capable of gpg-crypto.

PGP has a way of establishing trust and identity-confirmation (just do a quick google on pgp trust)
It is widely used among PGP-users.

Using OTR for Adium would make people have to force other people to change or use other crypto in their clients as some of them already use GnuPG.

I'm all in favor of OTR, but I think that GnuPG-support should be implemented first. After that it would be great if OTR were to be implemented aswell.

comment:19 follow-up: Changed 8 years ago by nox

PS: I have no understanding to why this has a low priority-rating, it should be high.

comment:20 follow-ups: Changed 8 years ago by anonymous

It's low priority because OTR is implemented and serves this function for most people who need it.

comment:21 in reply to: ↑ 20 Changed 8 years ago by anonymous

I would love to be able to have GPG encrypted sessions with Adium users. I know that a number of my peers would like this as well.

comment:22 in reply to: ↑ 20 ; follow-up: Changed 8 years ago by anonymous

Replying to anonymous:

It's low priority because OTR is implemented and serves this function for most people who need it.

sorry, but I don't see this point either. gnupg is way better and more secure than otr. a lot of people are asking for this feature. so what is adium keeping from becoming perfect?

comment:23 follow-up: Changed 8 years ago by anonymous

A standard end-to-end-encryption based on gpg/pgp would be _the_ argument to use Aduim. The only other client I know has this ability is Psi, and that is nowhere near perfect in terms of UI and usability. I think it´s highly unhygienic to blow out unencrypted information over the net. Please set this priority higher!

comment:24 in reply to: ↑ 22 Changed 8 years ago by tick

  • Component changed from Core Adium to El Vision del Tick

Replying to anonymous:

Replying to anonymous:

It's low priority because OTR is implemented and serves this function for most people who need it.

sorry, but I don't see this point either. gnupg is way better and more secure than otr.

Do you have documentation to back this claim up?

comment:25 in reply to: ↑ 23 Changed 8 years ago by tick

Replying to anonymous:

I think it´s highly unhygienic to blow out unencrypted information over the net.

Can you please explain this?

comment:26 in reply to: ↑ 19 Changed 8 years ago by tick

Replying to nox:

PS: I have no understanding to why this has a low priority-rating, it should be high.

We have higher priority issues to deal with.

comment:27 in reply to: ↑ 12 Changed 8 years ago by tick

Replying to anonymous:

The lack of this feature is the main showstopper why I cannot use Adium and have to use Psi instead, which integrates much worse with MacOS X.

Fire also has GPG as far as I know.

comment:28 Changed 8 years ago by tick

  • Description modified (diff)

Fixing the description to not link to commits.

comment:29 Changed 8 years ago by tick

  • Summary changed from end-to-end GnuPG[4]-based encryption to GPG encryption

Fixing the summary as well. Most people know GnuPG is GPG, and if not they'll see this change anyhow.

comment:30 in reply to: ↑ 18 Changed 8 years ago by tick

Replying to nox:

Using OTR for Adium would make people have to force other people to change or use other crypto in their clients as some of them already use GnuPG.

I'm all in favor of OTR, but I think that GnuPG-support should be implemented first. After that it would be great if OTR were to be implemented aswell.

These two comments conflict. First you say that you dislike the fact that OTR forces folks to use OTR, but then you say that you are all in favor of OTR.

We already have OTR, so being in favor of one or the other doesn't really help in this situation.

comment:31 follow-up: Changed 8 years ago by cbarrett

OTR is a far superior encryption technique for Instant Messaging. See http://www.cypherpunks.ca/otr/#faqs for more details. GPG/PGP is great for Email and other things, but on IM, OTR is much better.

comment:32 in reply to: ↑ 31 Changed 8 years ago by tick

Replying to cbarrett:

OTR is a far superior encryption technique for Instant Messaging. See http://www.cypherpunks.ca/otr/#faqs for more details. GPG/PGP is great for Email and other things, but on IM, OTR is much better.

Specifically, this on looks useful: http://www.cypherpunks.ca/otr/otr-codecon.pdf

comment:33 follow-up: Changed 7 years ago by yetzt

still want this.

comment:34 in reply to: ↑ 33 Changed 7 years ago by tick

  • Patch Status set to None
  • pending set to 0

Replying to yetzt:

still want this.

Care to put more emphasis on it and offer a bounty?

http://trac.adiumx.com/wiki/Bounties

comment:35 Changed 7 years ago by moehnetiger

Would it be possible to add PGP/GPG support through a thrid party plug-in? I think that would be a good solution for this problem:

  • The Adium-Team could continue to focus on OTR (which is in my opinion the better encryption for IM).
  • And people who prefer GPG/PGP over OTR could just by installing a plug-in and would get their preferred encryption. (of course someone would still have to write the plugin first ;) )

comment:36 Changed 7 years ago by cbarrett

I believe it's possible to implement as a third party plugin. Adium and libpurple are both quite modular.

comment:37 Changed 7 years ago by adium

i second this request, too.
it's not that gpg support is "better" than "otr",
it's just for interoperability reasons.

dont replace otr with gpg - but having it as an additional option would be awsome.
one more step for adium world domination (okay - just for nerds, but anyway) :-)

*VOTE* :-)

comment:38 Changed 6 years ago by yetzt

ok, here is my inital bounty:

$20 for implementing this feature request.

please increase :)

comment:39 Changed 6 years ago by yetzt

comment:40 Changed 6 years ago by Benjamin Melançon

+$20

comment:41 Changed 6 years ago by djmori

comment:42 Changed 4 years ago by Robby

  • Owner anybody deleted

comment:43 Changed 3 years ago by gpgneeded

+$1000 bounty for implementing this feature

to claim payment contact me: ewmu (at) i.ua

Last edited 3 years ago by gpgneeded (previous) (diff)

comment:44 Changed 3 years ago by yusf

I'd really love this feature, especially if it get Windows and Linux counterparts.

comment:45 Changed 16 months ago by gpgneedtoo

+1000$

contact: parusk (at) lavabit.com

Last edited 16 months ago by gpgneedtoo (previous) (diff)

comment:46 Changed 16 months ago by gpgneedtoo

Last edited 16 months ago by gpgneedtoo (previous) (diff)

comment:47 Changed 9 months ago by mntmn

Hello. I started working on this. I have a very rough alpha prototype that can successfully chat via XEP-0027 with Psi or gajim. Please don't use it right now, because it cripples some other functionality (OTR and unencrypted chatting). I will clean it up (it has some really dirty parts) over the next days and then try to find out how I can make a plugin from it.

Anyway, here's my WIP repository: https://bitbucket.org/mntmn/adium-xep-0027

Note: See TracTickets for help on using tickets.