Frequently asked questions

Does Tor have to be running in order to use CoyIM?

No, Tor is not necessary to use CoyIM. However, it is strongly recommended, since the security features of CoyIM are greatly improved by Tor, both in terms of encryption and anonymity. Remember that CoyIM will automatically detect Tor if you have it installed, and it will also use the Tor connection from the Tor Browser Bundle if you have the Tor Browser running when running CoyIM.

If you absolutely have to turn off Tor support, the easiest way to do that is to edit your account information (Accounts -> account name -> Edit…), click “Display all settings”, open the “Proxies” tab and then remove the entry “tor-auto://”. If you ever want to turn it on again, you can go to the same place, click “Add…” and use the “Automatic Tor” option. No other setting is necessary.

What does it mean that CoyIM is not yet audited?

As part of the development of any kind of application or tool, it is normal to do a security audit. When it comes to applications that are especially focused on security and privacy, this is even more important. The goal of a security audit is for a third-party person or organization to review the source code, looking for any kind of vulnerability or other security problem.

CoyIM as a full product has not been audited yet. The reason for this is primarily the size of the project and the ongoing development. An audit would be quite time-consuming, and it would also stop development. We would prefer to do this kind of audit when development has stabilized a bit.

However, the library that CoyIM uses for end-to-end encryption (OTR3) received an audit in 2019-2020, which showed only minor issues, all of which were resolved and had the resolutions reviewed by the auditors. That gives us a strong sense of certainty that the encryption component of the application does protect its users the way it is supposed to.

The fact that CoyIM as an application has not been audited is something that is worth keeping in mind. If you have other alternatives when doing something extremely sensitive, you should do a threat model and try to understand whether CoyIM or the alternatives will protect you better. However, just by virtue of implementation choices, CoyIM will be more secure than most alternatives, since vulnerabilities such as buffer overflows are not possible.

Where can I learn more about how it works?

Here are some useful resources to learn more about the technology that CoyIM uses:

Here are some useful resources to learn more about security:

I forgot my configuration password, can I recover it?

Sadly no. The password for your configuration file is directly used to generate the encryption parameters that store the configuration file in a safe way. For this reason you will not be able to recover a lost password. Any other choice would not be secure, since if you can recover the password, someone else could also recover it.

We recommend the use of a password manager such as KeePassXC to store all your passwords in a safe way. That way, you reduce the risk of losing access to your configuration.

Will you implement feature X?

We often get requests to implement various features in CoyIM. And while we understand that most of these requests would be useful to many of our users, we will often say no, since most features would decrease the security of the application. Please take a look at the documentation about what features we won’t have for a more in-depth explanation of this issue.

If you do want to propose a feature, you can do so in our issue tracker here. Before submitting a new issue, we recommend that you do a quick search among previous issues to see if your request has been discussed before.

Will you create a mobile CoyIM?

We regularly get the request to make CoyIM run on mobile devices. For several technical reasons, this is not really possible. The features of CoyIM and the way they are implemented and the philosophy of the product are all incompatible with a mobile device implementation. So, we will not create such an application.

We do believe that some of the ideas behind CoyIM might be useful in a mobile setting, but that would involve a completely new project, designed from the ground up for the mobile environment. It might happen in the future, but we do not have any immediate plans for it.

How strong should my password be for the configuration file?

When you choose to encrypt your CoyIM configuration file, we will ask you to choose a password for it. The password is run through an algorithm called SCrypt, which spends a lot of processor time to generate an encryption key that is then used to actually encrypt the file. This is a powerful technique, because anyone trying to brute-force the password has to go through the same process to test whether each candidate password is correct. In practice, testing one password against a CoyIM configuration file can take between 0.5 and 3 seconds, depending on your computer. This means that trying even just a few hundred passwords would take a long time for an attacker. So, the answer to this question is that the password doesn’t have to be extremely strong. It should not be “1234”, but it doesn’t have to be “pPfxIutXV3qUFt7kzbxAiAuhXYgNzrAgpToElLUamz8Q5fYFKhXYd57DI3ckX2Cktv2MeQ” either.
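The cost argument above can be checked with a short calculation. The following is an added example, not CoyIM's own code: it derives a key with scrypt from Python's standard library and estimates the average search time for a few password shapes at the 0.5 and 3 second per-guess costs quoted above. The scrypt parameters, function names and sample password shapes are assumptions made for illustration.

```python
import hashlib
import os
import time

# Assumed scrypt cost parameters, chosen for illustration only; the page does
# not state the values CoyIM uses.
N, R, P, KEY_LEN = 2**14, 8, 1, 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a fixed-length key with scrypt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def seconds_per_guess(salt: bytes, rounds: int = 3) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        derive_key(f"probe-{i}", salt)
    return (time.perf_counter() - start) / rounds


def average_search_seconds(alphabet: int, length: int, per_guess: float) -> float:
    """Expected work to hit a uniformly random password: half the keyspace,
    one full key derivation per candidate."""
    return (alphabet ** length) / 2 * per_guess


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    print(f"one derivation here (assumed parameters): {seconds_per_guess(salt):.3f} s")
    # Per-guess costs of 0.5 s and 3 s are the range quoted in the FAQ.
    samples = (("4 digits, e.g. 1234", 10, 4),
               ("8 lowercase letters", 26, 8),
               ("12 letters and digits", 62, 12))
    for label, alphabet, length in samples:
        low = humanize(average_search_seconds(alphabet, length, 0.5))
        high = humanize(average_search_seconds(alphabet, length, 3.0))
        print(f"{label:24s} {low} to {high}")
```

A four-digit password falls in well under a day even at these per-guess costs, while a modest random password is already out of reach, which is the trade-off the answer describes.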

Is it really safe to store passwords in the configuration file?

Yes, it should be completely safe. We encrypt the configuration file using a standard method which protects the information in it significantly better than other applications out there. This does assume that you have not turned off the option to encrypt the configuration file.

Will you support OMEMO?

We get this question quite often, and for the reasons outlined here we don’t believe that supporting any other encryption protocol is a good idea for CoyIM. If you are interested in reading more about our perspective specifically about OMEMO, you can find several issues in our issue tracker about it here.

Where is the configuration file located?

Your configuration file will be stored in different locations depending on the operating system. It will also have different names depending on whether it is encrypted or not. All of the below examples will assume that your username is “testuser”.

| OS | Encrypted | Not encrypted |
| --- | --- | --- |
| Linux | /home/testuser/.config/coyim/accounts.json.enc | /home/testuser/.config/coyim/accounts.json |
| macOS | /Users/testuser/.config/coyim/accounts.json.enc | /Users/testuser/.config/coyim/accounts.json |
| Windows | C:\Users\testuser\AppData\Roaming\coyim\accounts.json.enc | C:\Users\testuser\AppData\Roaming\coyim\accounts.json |
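
Since the safety of stored passwords depends on the configuration file actually being encrypted, the locations above can be turned into a quick local check. This is an added example, not part of CoyIM: the function names, finding labels and the permission rule (flag anything readable beyond the owner on Linux and macOS) are assumptions made for illustration.

```python
import stat
import sys
from pathlib import Path


def config_dir(platform: str, home: Path) -> Path:
    """Directory from the location table, keyed on a sys.platform-style value."""
    if platform.startswith("win"):
        return home / "AppData" / "Roaming" / "coyim"
    return home / ".config" / "coyim"  # Linux and macOS


def audit(platform: str, home: Path) -> list:
    """Return findings about how the CoyIM configuration is stored on disk."""
    findings = []
    base = config_dir(platform, home)
    plain, enc = base / "accounts.json", base / "accounts.json.enc"
    if not plain.exists() and not enc.exists():
        return [f"NONE: no configuration file under {base}"]
    if plain.exists():
        findings.append(f"PLAINTEXT: {plain} is stored without encryption")
    if plain.exists() and enc.exists():
        findings.append("STALE: an unencrypted copy exists next to the encrypted file")
    if not platform.startswith("win"):
        # POSIX mode bits only; Windows ACLs are outside this sketch.
        for path in (plain, enc):
            if path.exists():
                mode = stat.S_IMODE(path.stat().st_mode)
                if mode & 0o077:
                    findings.append(
                        f"PERMISSIONS: {path} has mode {mode:o}, readable beyond its owner")
    return findings


if __name__ == "__main__":
    results = audit(sys.platform, Path.home())
    for line in results or ["OK: only an encrypted, owner-only configuration file found"]:
        print(line)
```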