As we have talked about in previous posts here, we are very close to releasing version 0.4 of CoyIM. This is a very large release that contains a lot of improvements and new features. And while we are very happy about all these changes, it’s also important to keep in mind the reasons why CoyIM was created in the first place. These reasons are still as valid today - especially since we are not really seeing other tools taking inspiration from our choices here. And at the end of the day, for us to have secure tools, things have to change in many ways. In this and previous posts, we want to detail some of the reasons why we felt that it was necessary to create CoyIM. In this article we will specifically cover the subject of security by default.
There are many applications out there that have support for security in various ways. Browsers allow you to connect securely to websites. Email clients allow you to encrypt emails. Operating systems allow you to encrypt your hard drives. But in general, these kinds of decisions are not the default. When you install a new version of Windows, the hard drive will not be encrypted. If you open up your email client and send an email, chances are good that it won’t be encrypted. If you open a browser and type in an address, it will be secure by default. But a few years ago, this wasn’t the case - then, the basic connection would be unencrypted and you had to specifically ask for it to be secure. There are many reasons for all these situations - but the end result is the same: you are not protected by default.
And what about the chat clients that CoyIM was created as an alternative to? Sadly, the situation was often very much the same. You could turn on security features of various kinds. You could install plugins to give you access to extra functionality. You could install other programs and then configure the combination to protect you. But you had to do all of this manually, and you had to know exactly what to do to configure these improvements. To a large degree, when you started these chat programs, you would start out with the least secure version of the configuration.
As we talked about before, there are many reasons why this happened. Mostly, the real answer is that these programs were general purpose programs that were not particularly interested in making things as secure as possible - especially if that had the impact of making things slightly more complicated for users. This is an understandable point of view. Anything that drives away users can be a real problem for reaching wider adoption. But at the same time, even for general purpose programs, we believe this is the wrong path. It will always be the developers of a product who know best which choices can be made to improve its security. Putting that responsibility on the user inverts this relationship. The person who knows less about the security choices in your product will have to improve the situation - from the outside. All the while, every application out there is a target for attack. Anything you install on your computer can be used to attack you in some way. If you open up an image someone sent you, it is possible that the file contains an attack against the program you use to display the image. And so on. This means that when creating an application - any kind of application - you really have a responsibility to your users to think about security from the start. Otherwise, you will be creating a new attack surface that makes your users less secure the moment they install it.
For us, when developing CoyIM, this meant having security by default. There are a hundred places in the program where it would have been possible to make different security choices. In all of these places, we always made the choice we believed was the one that would protect our users better. In some cases, we exposed this choice as configuration, so it would be possible for the user to change this option. But we always made it so that the user would have to choose to decrease their security, not choose to increase it. In many cases, we also decided to not even expose the option to the user. Many studies have shown that giving options for everything in a program does not lead to a good user experience for most people. So, often we decided to just make the choice and always have it be there. Only when we could see there could exist good reasons for changing a security decision did we expose this as an option.
What kind of security choices are we talking about? Well, the simplest one is probably that we include end-to-end encryption by default, and for every person you add as a contact, CoyIM will require that end-to-end encryption is established before sending any kind of message. This means that it is impossible for a user to send a message without encryption, unless they change the configuration. Of course, if they try to talk to someone who doesn’t support encryption at all, they won’t be able to send a message to this person. But this choice means that at least we won’t expose someone’s information unless they have made absolutely sure this is what they want.
When an account is added in some way, it will always be configured to use Tor. Of course, not everyone wants to use Tor, or they might want to configure their own proxy which is more appropriate for their environment. For us, Tor is the conservative and more secure choice. But if the user feels they know better, they can change this choice.
Most applications support TLS, but almost none expose the possibility of pinning certificates. This is an additional layer of security on top of the regular TLS protections: it lets you control what happens whenever a certificate changes. For really high security settings, you might want the option to manually inspect a new certificate before using it. So CoyIM makes this the default, and allows you to set a policy for how to manage certificates going forward.
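To make the idea of a pinning policy concrete, here is an added example in Go (CoyIM’s own language) of a pin check that sits on top of normal TLS verification. It is not CoyIM’s code: the policy names, the PinStore type and the Confirm callback that hands a new certificate to the user for inspection are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// PinPolicy says what to do when a server presents a leaf certificate that is not yet pinned.
type PinPolicy int

const (
	RejectUnknown   PinPolicy = iota // never accept an unpinned certificate
	AskUser                          // let the user inspect the certificate before pinning it
	TrustOnFirstUse                  // pin whatever is seen first, refuse any later change
)

// PinStore keeps the hex SHA-256 fingerprints of leaf certificates the user has accepted.
// Pins must be initialised (an empty map for a new account) before the first connection.
type PinStore struct {
	Pins    map[string]bool
	Policy  PinPolicy
	Confirm func(fingerprint string, der []byte) bool // consulted under AskUser; gets the raw leaf
}

// VerifyPeer has the shape of tls.Config.VerifyPeerCertificate. Go runs it after the usual
// chain validation, so the pin check sits on top of normal TLS checks, not in place of them.
func (s *PinStore) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("pinning: peer presented no certificate")
	}
	sum := sha256.Sum256(rawCerts[0]) // fingerprint of the leaf, as certificate viewers show it
	fp := hex.EncodeToString(sum[:])
	if s.Pins[fp] {
		return nil // already accepted on an earlier connection
	}
	accept := false
	switch s.Policy {
	case TrustOnFirstUse:
		accept = len(s.Pins) == 0 // first sight is pinned; a changed certificate is refused
	case AskUser:
		accept = s.Confirm != nil && s.Confirm(fp, rawCerts[0])
	}
	if !accept {
		return fmt.Errorf("pinning: certificate %s... is not pinned (policy %d)", fp[:16], s.Policy)
	}
	s.Pins[fp] = true
	return nil
}
```

Installing `VerifyPeer` as `tls.Config.VerifyPeerCertificate` is what makes a changed certificate a visible decision rather than something that silently goes through.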
Another example is how most applications assume that local storage is trusted. Basically, the idea is that you can just store private keys and sensitive configuration in plain text, because if someone has access to your hard drive, you’re lost anyway. But there are many shades of nuance here, which this reductive idea doesn’t take into account. First, not everyone will have encrypted hard drives. And it’s much easier to see a possibility where an attacker copies a hard drive, rather than putting malicious things on the hard drive. But if you say that you’ve already lost if someone can read your hard drives, that means you’re conflating the two possibilities. So, for this reason, CoyIM always gives you the option of securely encrypting your configuration file. It does this in a way which is compatible with password managers. It uses a method which means that even bad passwords will give decent protection. And everything sensitive of any kind is stored inside this configuration file, minimizing the risk of any kind of information leak.
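To show what “even bad passwords will give decent protection” means in practice, here is an added example in Go of password-based encryption for a configuration file. It is not CoyIM’s implementation; the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations, AES-256-GCM and the salt/nonce file layout are assumptions made for the example, and the point is that every guess at the password has to repeat the whole key stretch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"io"
)

// configAEAD stretches the password with PBKDF2-HMAC-SHA256 (RFC 8018, written out here
// so nothing outside the standard library is needed) and wraps the key in AES-256-GCM.
func configAEAD(password, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1; one SHA-256 output is the whole key
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	// The iteration count is deliberately high: every guess at a weak password pays it in full.
	for i := 1; i < 200_000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	return aead
}

// SealConfig produces: 16-byte salt || 12-byte nonce || ciphertext+tag. Both are fresh on
// every save, so re-saving the file never reuses a key/nonce pair.
func SealConfig(password, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, 28)
	if _, err := io.ReadFull(rand.Reader, hdr); err != nil {
		return nil, err
	}
	return configAEAD(password, hdr[:16]).Seal(append([]byte{}, hdr...), hdr[16:], plaintext, hdr[:16]), nil
}

// OpenConfig reverses SealConfig. A wrong password derives a different key and, like any
// tampering with the file, fails the GCM tag check instead of decrypting to garbage.
func OpenConfig(password, blob []byte) ([]byte, error) {
	if len(blob) < 28 {
		return nil, io.ErrUnexpectedEOF
	}
	return configAEAD(password, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
}
```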
As we mentioned, there are many kinds of features like this in CoyIM. Describing them all doesn’t make sense - but hopefully this overview gives you a feeling for the kinds of protections that CoyIM will give you which no other client will. The point of security by default is that it will always be easier for a user to decrease their security than to make their own choices on how to increase their security. So an application should start out in the most secure mode, and then allow the user the levers necessary to customize this behavior. If more applications were built from the ground up using this philosophy, we believe that the technological world would be significantly less vulnerable.