tipwire

Warning! Experimental! Do not use TipWire if secrecy is crucial to you. Please do use it a lot for private chit-chat and such - in order to increase the amount of encrypted background noise in nature. There's safety in numbers ;)

You can see a demo, read a post of mine about it, and see/leave criticism below.

---

TipWire enables two way communication between a source (an unskilled user) and a desk (person or group well known to and trusted by the source).

The identity of the source can't be authenticated, but if the user invents and memorizes a pass phrase

• A long term conversation can be maintained (anonymous accountability)
• In some scenarios - the source and the desk can verify the user's authenticity out of bound (e.g. face to face)

Possible use cases for a desk:

• Group coordination in a temporary physical location (convention, protest tent site) where people can authenticate each other face to face.
• Coordination with customers (e.g. for sending passwords or API keys)
• Chit chat with friends and family (did I mention passwords? ;) ).
• A blog looking for anonymous tips, gossip, etc. (in this case the source would need some privacy skills - e.g. how to use tor, and anyway - for such an application - the desk should prefer installing DeadDrop if possible).

Implementation

Tipwire is a combination of

• A branch of this repository

• An etherpad-lite server with [at least] the following plugins (developed especially for TipWire)

  • push2delete plugin (thanks to Marcel Klehr)
  • hide referrer plugin (thanks to John McLear)

  See more etherpad configuration tips here.

• The ability of "desk members" (in the demo - that's me) to decrypt gpg mail

Criticism (so far)

Feel free to comment via the demo form.

• Although we don't track or log IP numbers (neither at the contact form, nor at the etherpad), this requires the source to trust the desk about this.
  • The fact that the desk should be trusted not to actively track down the source goes without saying. This may not be true for the demo instance (unless you happen to know me and trust me), but if - for example - you install an instance, people who trust you can assume you're not tracking them down. The real concern is traffic analysis by third parties, which is why using tor and acquiring privacy skills is recommended throughout the gui. People who can't use tor (due to lack of skills or other reasons) can still use TipWire, bearing in mind that adversaries may discover the fact that they're using it, but not what is being said. This can be suitable for many applications (e.g. group coordination where membership is not a secret or a support hotline).
• "Out of the box" etherpad-lite has a referrer leak issue.
  • hide referrer plugin fixes this (thanks, John).
• The system counts on people to invent and memorize long pass-phrases. Experience shows this is not practical.
  • Fixed. If the user leaves the pad-id fields blank - a random pad-id is generated.

To do

• Better user-experience for sources (GUI, help text, initial pad text, etc.).
• Redo the Hebrew skin (still "stuck" in master branch), do other languages.
• Translate WinoCaptcha input files to Hebrew and other languages.
• Easier deployment (make it easier to open a new desk).
• Switch from cgi to something more modern (pybottle?). Should probably be done at the master branch.