Although users are now saturated with options on mobile and desktop for encrypted messaging, very few of the tools available deal with the core problem of metadata. Even if the content of your messages is kept from prying eyes, it may still be possible for a resourceful attacker to see who you are, and who you’re talking to.
Now, one program designed to tackle that problem head-on has passed its first professional security audit, signaling that it is on the right track for wider use. Ricochet, which is available for Windows, Mac and Linux, announced the audit results on Monday.
“They had very positive things to say about code quality and security overall,” John Brooks, the program’s maintainer, told Motherboard in a chat using Ricochet. The audit was carried out by cybersecurity company NCC Group, and financed by the Open Technology Fund’s (OTF) 'Red Team Lab’project. Ultimately, the OTF is funded by US Congressional appropriations.
Mark Manning, a senior consultant who is based in NCC Group’s New York office, told Motherboard in an email that, “The report should reflect that while there are improvements that can be made, the Ricochet project (during the period that the audit was carried out) takes security seriously.”
“The concept with Ricochet is: how can we do messaging without any server in the middle—without trusting anything to forward your messages to your contacts”
One vulnerability was found that could deanonymize users, Brooks said, and that issue has been fixed with the latest release. This vulnerability was also independently found by a member of the Ricochet community, where users have been reviewing the code on their own for longer. Ricochet, in its current form, has been around since 2014.
What sets Ricochet apart from other messaging clients is its use of Tor hidden services.
“The concept with Ricochet is: how can we do messaging without any server in the middle—without trusting anything to forward your messages to your contacts,” Brooks said. “That turns out to be exactly one of the problems that hidden services can solve: to contact someone, without anybody in the middle knowing who you are or who you’re contacting.”
With a hidden service, a user’s traffic never leaves the Tor network, making it much harder for an attacker to see where traffic is going or coming from.
“Every Ricochet client hosts a hidden service, and that’s what you’re giving out with your Ricochet ID—it’s literally an .onion address. Anyone with that address can contact you,” Brooks continued. Ricochet also encrypts the contents of messages by default.
The funders behind the audit see Ricochet’s potential, especially in supporting activists and other groups at risk of surveillance.
“The Open Tech Fund supports technologies designed to protect human rights defenders, journalists, and political dissidents, among others, who are living in some of the world’s most oppressive places,” a spokesperson for Radio Free Asia, of which the Open Tech Fund is a part, told Motherboard in an email. “We support audits of Internet freedom projects in order to improve their security and reliability by finding and addressing vulnerabilities.”
“We’re interested in technologies that make up the growing Tor ecosystem, especially those developing novel censorship-resistant capabilities,” the spokesperson continued. “We view Ricochet as a tool pushing forth the development of Tor hidden services, a technology utilized by many sites—such as Facebook—to circumvent repressive censorship, particularly in authoritarian countries.”
But, even with the successful audit, that doesn’t necessarily mean users who rely on encrypted programs for highly sensitive work, or to ensure their freedom, should start using only Ricochet.
Brooks referred to the “Be Careful” statement on the project’s website, which reads that “Ricochet is an experiment. Security and anonymity are difficult topics, and you should carefully evaluate your risks and exposure with any software.”
As for what happens now, Brooks is looking to get funding for the development of Ricochet itself, and implement a file-sharing feature.
“It’ll be an exciting year,” he said.