Complementary security tools for CoyIM

Feb 18, 2022

The 0.4 version of CoyIM is ready to be released, and we are currently in the process of preparing everything for this to happen. And while we are very happy with this version of CoyIM, it is also worth remembering that CoyIM by itself can’t necessarily protect you against everything. We do the best we can, but there are always limits. In this article we want to talk about some complementary tools and techniques you can adopt in order to increase your general security, and specifically, make your usage of CoyIM even more secure. We usually talk about most of these ideas as security hygiene - things that most people simply should do, because no matter what your situation is, these tips will significantly increase your security, while having a very low cost in terms of time or complexity. Basically, just as you should use soap when washing your hands, and brush your teeth every day, you should apply these tips to your daily life. If you happen to be in a high risk group, these pieces of advice will set the baseline from where you can start adopting even stronger security measures. Even if you just apply two or three of these ideas, you will already have better security than almost everyone on the planet.

Let’s begin with Tor. In general, CoyIM will automatically use Tor if you have it installed, and it will give you instructions on how to install it, if it can’t detect an installation of Tor. And you can actually turn off this behavior and use CoyIM without Tor, it is strongly discouraged. Basically, Tor significantly improves the security of CoyIM. It does this in a few different ways. First, remember that with XMPP you will have one or several accounts on a server - or different servers. When you connect CoyIM it will connect to each one of the servers for the different accounts. All your communication will go through these servers where your accounts belong. But we still don’t want these servers to know more than necessary about us. So we use end-to-end encryption with OTR in order to make sure that the server can’t read any of the content in the messages we send.

But what about our information? Since the account is defined in the server, so you can’t hide the account name. For this reason it’s a good idea to not reveal any personal information in your account name. The server can also see your IP address when connecting, which means that they can connect your account name to a physical location in the world. This is not great. But if you only use Tor to connect to the server, the server will never actually see your real IP address. And if you’re only ever talk using end-to-end encryption, and the people you talk to are as careful, the server won’t really be able to find out anything useful. Tor basically helps guard your anonymity. This is important not just for your privacy. If you don’t have anonymity it also becomes easier for an adversary to identify you for targeted attacks. And this is where the other benefit of Tor comes in.

Fundamentally, when you connect to a server, the communication will always be encrypted with TLS. But Tor adds several more layers of encryption to the connection. If you are also using an onion service, this encryption is in place all the way from your machine to the server. Encryption is important to stop anyone from being able to read your communication, but it is also protects the integrity of your messages, which means that no-one can modify the communication. One of the main ways attackers can execute an attack is to inject into regular communication, protecting the integrity in several layers is important. Of course, all these benefits can also be helpful with other applications, so if you decide to use Tor, configure as much as possible of your computer to use it. That way, you reduce the risk of someone attacking other parts of your computer.

If you want to use Tor for other things you do, the most important one would probably be for your browsing. Most of us spend most of our lives browsing, and this behavior also means that we are connecting to many different services on the internet. Here is where Tor can be an additional help. But since this is such a specialized purpose, the Tor project has a browser specifically configured to work well with Tor. It’s called the Tor Browser Bundle, and it’s a good idea to use it for your browsing. Not only does it use Tor for all connections, it also contains a large number of other protections that help your security.

One of the most important security measures anyone can take is to encrypt their hard drives. These days, most mobile phones come with this protection enabled by default, but on computers this is still not the case. If someone steals your computer, they would have access to all the content on your computer by just connecting the hard drive to another computer, or booting the computer from some kind of removable media. You might think that your computer is protected because it asks for a username and password before you get in to it. But the truth is that this process is basically completely useless unless you also encrypt the content of the harddrive. This is the kind of protection that you can simply turn on and forget. The only difference will be that you need ta password to start up the computer - and you have to be extremely careful to never forget this password, since it is what opens up the computer. With this protection, all your data is secure - not just the configuration file for CoyIM. This is a great complement to the security that CoyIM gives you, since it reduces the risk of attack in a large number of ways.

Since we are talking about passwords, let’s move on to the next tool you should integrate in your life. The truth is, almost everyone have terrible passwords, and even worse practices. Most people use the same password everywhere, or use small variations between different services. But most people also know that this behavior is not safe. Research show that this is still one of the largest risks out there. And what’s worse, when someone manages to break your password, you will often not see the result - or you will see it long after the event. So you don’t get real feedback about how dangerous this practice is. In CoyIM, you will use passwords to connect to your different accounts, and you will also need a password for the configuration file if you choose to encrypt it (which we strongly recommend). You can choose to save the account passwords in the configuration file, if you want - so you only need to remember the main password for the configuration file. But even that might be a bit annoying. One more password to add to your life. And you should get in the habit of using good passwords everywhere. If you don’t, you are limiting the security you can get from all the other tools and techniques around you.

The good news is that this is an easy problem to solve. There exists free tools out there called password managers, that simply remembers passwords for you. Instead of remembering your own passwords, you put them in this program, and you can forget them. Or even better, when you need a password - for example to set up CoyIM for the first time - you ask your password manager to generate a new password for you. Then you simply copy this into CoyIM. The password manager will save it, and you will never even need to know it. The absolutely only password you will need to remember is the password to the manager itself. All other passwords you can store inside it. By using this approach, you can stop worrying about passwords as a problem. You can have different passwords for every single place. You can have stronger passwords everywhere, since you won’t have to remember them. It really is a fantastic tool that drastically reduces your exposure. And there exists many different ones out there. We would recommend starting with an open source version such as KeePassXC. But many others are good as well. Our only caveat is that you should avoid the ones that store your passwords centrally in some way. It’s significantly safer to store your passwords locally.

If you’ve gotten this far, you’re off to a great start. In our opinion, Tor, encrypted hard drives and a password manager are the most important complementary tools and techniques for CoyIM. But you can go further if you want. For example, if you are using an encypted chat client, doesn’t it make sense to also use encrypted email? In general, encrypted email isn’t necessary as secure as encrypted chat, but it’s still a huge step up. And in the same way as we are protecting confidentiality, encrypted email can also be important to protect the integrity of emails. And in this day and age where viruses are often distributed using email attachment, ensuring the integrity of the attachments using encrypted email is not a bad idea.

And what if you find ourself in a situation that requires a higher level of security? What if you want to make sure everything you do goes through Tor? What if you want to simplify the setup of all these things? One place for that would be the operating system Tails. You can put it on an USB drive, and boot from it. It will make sure everything goes through Tor, and it already comes configured with a large amount of different security tools. And CoyIM runs great on Tails. In fact, one of the authors of this article uses CoyIM on Tails every single day.

Finally, when talking about good security practices, now that you have CoyIM to help you with secure messaging, you should be careful about using other kinds of messaging. And this is especially true for phones. Because of how mobile technology works, there are some risks that mobile messenger clients simply can’t protect against. This is why CoyIM was designed for desktops and nothing else. So be careful with mobile messengers in the future.

As you can see, CoyIM is part of an ecosystem of tools and techniques. And while using CoyIM on its own is already a good improvement in security, when combined with other tools, you have the possibility of radically increasing your security with very low effort. The new 0.4 release of CoyIM will be another step forward for security. Take the chance to try these tools as you try the new version of CoyIM!