Security by default
Many chat applications out there have a large amount of possible configurations and settings that you can tweak to get good security. But these are almost never turned on by default. Instead, you need to search for them - or know what they should be. In some cases you might need to install a plugin to get that extra security. In most cases, this is for good reasons, because some of theses configurations come with associated usability problems. But at the same time, it’s a tough situation for people that need that extra security - but doesn’t have the knowledge to configure it properly to begin with. These settings can be complicated to get right.
So CoyIM was designed to be different. The whole project started with the idea that security and privacy should not be optional. It should not be an add-on, something that you might configure later. Instead, security should be built in from scratch. It should be turned on, so that when you start the application you will automatically be as protected as we can make you. And if it’s not possible to turn on a specific protection, we will warn about it.
CoyIM includes many large and small features like this. The choice of implementation language of Golang was done to reduce the likelihood of catastrophic vulnerabilities. We use Tor immediately, if we can. The setting to require encryption with everyone you talk to is turned on by default. You will be warned if you haven’t verified a contact. And many more things are happening under the covers - things you might not even know is necessary. For example, XMPP has something called “resources”. This is a part of your account address, when you are connected. The idea is that you can actually connect to the same account from more than one place at the same time. So the resource is added to the account address to uniquely identify your connection. Sadly, the default behavior for many chat applications is to leak information through this setting. For example, I have seen people create completely anonymous accounts with made-up names and only connected to using Tor. But the application they used set the resource to something like “John Smith’s Mac Book Air”, revealing the real name and hardware of the person in question. All that work to create anonymity completely destroyed. And these people might not even be aware of the problem. This is what happens when you use software that doesn’t make security and privacy a first class concern. In CoyIM, we simply generate a completely random identifier for the resource. This might leak that you are using CoyIM as a chat application, but no other information will escape through this medium.
Another very common problem has to do with file transfer. Imagine that you are using one of the many chat applications out there that support end-to-end encryption. You turn on this end-to-end encryption, and you’re chatting with your contact. And then, at some point, you need to send a very sensitive document to the other person. So you use the feature to transfer a file through the chat application. The assumption of most people is that since the chat itself is encrypted, the file will be sent encrypted as well. But that is not what happans. Instead, the transfer will be done completely in the open, even if OTR is used. And the application won’t even warn you… If you want to know how CoyIM handles this issue, you can read more about our encrypted file transfer here.
CoyIM is different. There are hundreds of small and large features that are all designed to protect you, while still providing good support for practical chat features. Your security and privacy are paramount, and they will always come first.