Anonymous peer-to-peer instant messaging
Ricochet 1.1.4 fixes some common bugs and usability issues, updates Tor and other important dependencies, contains new and updated translations, and has other minor fixes. All users should update.
You didn't miss 1.1.3 -- it was used to solve a packaging problem, but wasn't ready for a full release. The changelog below includes all changes since version 1.1.2.
I apologize that this isn't the exciting-new-features release we've all been waiting for. Ricochet's development is volunteer-based, and in particular I haven't been able to dedicate as much energy to it as I've wanted to. There's a lot of interest and activity happening right now, and I think there will be some more interesting progress soon.
TOR_CONTROL_{HOST,PORT,PASSWD}
is setThis release is possible thanks to contributions from:
Adalid Claure, basil sabee, Besnik, botherder, bungabunga, Chi-Hsun Tsai, Clon, git_in_my_anus, Grant Jacobson, Greg Slepak, HostFat, icesquare, Jacob Appelbaum, Joe Gallo, Jesper Hess Nielsen, Matt Traudt, Miguel de Moura, Mingye Wang, nomeutente, Per Peterson, Robin Burchell, Sam Schlinkert, Sascha Steinbiss, TolgaAydin, tran161, vaba, Ximin Luo, Zero King, anyone we forgot to mention, and everyone who reports bugs or supports the project.
Ricochet 1.1.2 fixes a vulnerability which could lead to user-assisted network deanonymization, improves contact connection reliability, and fixes a common stability issue.
We're also proud to release the results of an audit by NCC Group through the Open Technology Fund. The report validates Ricochet's security and provides a great outline of areas to improve in the near future.
By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address. The malicious nickname is clearly displayed, and no network activity takes place unless the request is accepted. We've addressed this vulnerability by sanitizing nicknames in all cases before display, rejecting contact requests with suspicious nicknames, and blocking any network requests at that layer.
Thanks to the incredible Sarah Jamie Lewis (@s-rah) for originally discovering this issue.
This release is made possible by contributions from:
Billy Burrows, John Brooks, Robin Burchell, Jeff Burdges, Colin Childs, Gabe Edwards, Patrick Gray, Kacper Kołodziej, Sarah Jamie Lewis, all of our translators, NCC Group and the Open Tech Fund, and many others.
Ricochet 1.1.1 comes with fixes for a variety of bugs, software updates, and several minor new features.
Downloads:
Other downloads and PGP signatures are available at https://ricochet.im/releases/1.1.1/. As always, you can share any bugs, ideas, and thoughts through GitHub or privately.
This release is made possible by contributions from:
Adeor, Gabe Edwards, I3rixon, Isis Lovecruft, Jacob Appelbaum, John Brooks, Jordi, Kacper Kołodziej, Michael Samuel, Millak, Peter Ludikovsky, Robin Burchell, Roger Dingledine, Sarah Jamie Lewis, ShionRyuu, corvinux, gus, ivopetkov, mijnheer, mik235, mkn, participante0, qsodev, rawtaz, reviewjolla, strel, tknv, and many others.
This major release switches to a safer and more extensible protocol, adds a brand new icon and 11 new language translations, and includes many UI fixes as well as security updates for Tor and OpenSSL.
Downloads:
Other downloads and PGP signatures are available at https://ricochet.im/releases/1.1.0/. As always, you can share any bugs, ideas, and thoughts through GitHub or privately.
This version is not "backwards compatible" with contacts that run Ricochet 1.0.4 or older. Your contacts must also update in order to chat again. You will keep your existing address and contacts.
To get everyone updated quickly, people running an older version will see an automatic message one time from their updated contacts. We intend to keep compatibility in the future, and to not need to resort to this method again.
This release fixes two issues in Tor, which allow an attacker to crash the tor client and force Ricochet offline. There is no possibility of exploitation or code execution through these bugs.
Blueprint for Free Speech generously sponsored the protocol changes, and is doing fantastic work for freedom of expression and whistleblowers.
This update was possible thanks to help and contributions from:
Robin Burchell, Patrick Gray, Suelette Dreyfus, Lawrence Eastland, HD Moore, The Grugq, Kevin Littlejohn, Jan Noertemann, Gabe Edwards, ivopetkovcz, Einfach, Mikkel Kroman, mijnheer, Meternalf, reviewjolla, rike, Creaprog, CrumpyGat, Jordi, franck99, Daniel James Smith, esqfax, swperman, vla8752, qualte, strel, rawtaz, taskmaster, cbolat, basarancaner, l3rixon, nergal, weedpatch2, yawnbox, and other anonymous contributors.
This is a bugfix-only release for a handful of annoying or common problems, while work continues on protocol and design improvements. The next two months will be exciting: we're moving towards improved security, several much-needed features, and better support behind the project.
Thanks as always to everyone reporting bugs, making suggestions, contributing translations, and spreading the word about Ricochet.
Downloads and PGP signatures are available from https://ricochet.im/releases/1.0.4/
The Tor Project released today a security announcement regarding an anonymity attack carried out on users of hidden services, presumably by the authors of a withdrawn research talk.
I've written an explanation of what this means for users of Ricochet and similar programs, and the steps we'll be taking in the future to mitigate similar problems. This release includes a new version of Tor, which will help reduce the impact of these attacks in the future.
This release also moves configuration to a more flexible and reliable system (existing configuration is migrated automatically), adds a "single window" mode that combines the contact list and chat windows, includes new translations, and more.
Downloads and PGP signatures are also available from https://ricochet.im/releases/1.0.3/
Formerly known as Torsion, now Ricochet. Along with changing the name, this release includes mostly minor fixes and packaging improvements. More substantial changes will be coming soon.
Existing configurations should continue to work after upgrading, including connections to contacts. If installing to a new directory, copy the config
or config.torsion
folder to keep your identity and contacts.
Thanks to @obvio171 for the Ricochet name, strel for Spanish translations, and many others for name suggestions, bug reports, and their thoughts.
Downloads and signatures are available from https://ricochet.im/releases/1.0.2/
ricochet:
Torsion will be renamed in the next release; suggestions are welcome. Contact addresses and configuration will remain compatible.
Thanks to Antaon, HostFat, GIANNAT, and Anton for their contributions to this release, and to many others for reporting issues and sharing their thoughts.
Windows: Torsion.exe
- OS X: Torsion.dmg
- Linux (static): torsion-1.0.1-static.tar.bz2
First "real-world" release of an anonymous and decentralized instant messaging client for Tor.
See the README for more information.
torsion-1.0.0+git10-debian-static.tar.bz2
is an experimental statically linked build for Debian 7 (Wheezy).