ChatSecure

Free and open source encrypted chat for iOS.

ChatSecure v4.3.6


This maintenance release contains an important update to the certificate pinning alert dialog. After updating to v4.3.6 you may see an alert asking you to re-verify your server’s SSL/TLS certificate.

Previously, the dialog would display ✅ Valid if the certificate was valid for any domain. Additionally, it was then pinning the certificate to the connected domain (e.g. xmpp.example.com from the SRV records), and not to the JID domain (e.g. example.com).

If you are not automatically prompted to re-verify, you should manually re-verify your server’s certificates by going into Settings -> Pinned Certificates, deleting the existing entries, and then reconnecting.

Special thanks to Michel Le Bihan, for uncovering the flaw and quickly proposing a fix.
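The difference between the old and corrected dialog behaviour described above, as an added example (a simplified model, not ChatSecure's code). The function names and the certificate dictionaries are hypothetical, and the sample data is constructed rather than parsed from real X.509 certificates.

```python
# Added illustration: a simplified model of the pinning dialog logic.
# Certificates are constructed dicts, not parsed X.509 (assumption).

def name_matches(pattern: str, host: str) -> bool:
    """Exact or single-label wildcard match, case-insensitive."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # "*.example.com" covers exactly one extra leftmost label
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def cert_names(cert: dict, host: str) -> bool:
    """True if any subjectAltName entry of the cert covers the host."""
    return any(name_matches(san, host) for san in cert["sans"])

def legacy_prompt(cert, jid_domain, connected_host):
    """Behaviour the post describes as flawed: a trusted chain alone
    shows Valid (jid_domain is never consulted), and the pin is filed
    under the connected (SRV target) host."""
    label = "Valid" if cert["chain_trusted"] else "Invalid"
    return label, connected_host

def fixed_prompt(cert, jid_domain, connected_host):
    """Valid only if the chain is trusted AND the certificate names the
    JID domain; the pin is filed under the JID domain."""
    ok = cert["chain_trusted"] and cert_names(cert, jid_domain)
    return ("Valid" if ok else "Invalid"), jid_domain

# Constructed sample data
JID_DOMAIN, SRV_TARGET = "example.com", "xmpp.example.com"
SERVER_CERT = {"chain_trusted": True, "fp": "constructed-fp-A",
               "sans": ["example.com", "*.example.com"]}
OTHER_CERT = {"chain_trusted": True, "fp": "constructed-fp-B",
              "sans": ["unrelated.test"]}  # CA-issued, but for another domain

def compare(cert):
    """Return ((label, pin_key) legacy, (label, pin_key) fixed)."""
    return (legacy_prompt(cert, JID_DOMAIN, SRV_TARGET),
            fixed_prompt(cert, JID_DOMAIN, SRV_TARGET))

if __name__ == "__main__":
    for name, cert in (("server", SERVER_CERT), ("other", OTHER_CERT)):
        print(name, compare(cert))
```
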

Release Notes

  • Fix security issue in certificate pinning alert dialog, where any valid certificate would show as valid
  • Fix crash when rapidly scrolling through chat history
  • Fix issue where chat history is temporarily blank after sending a message
  • Swift 4.2 / Xcode 10.1
  • Updated 3rd party dependencies
  • Other minor bug fixes
  • Full release notes
  • Changelog

Download the latest ChatSecure version here:

download chatsecure on the app store

Written By
Chris Ballinger

ChatSecure v4.3.0 - OMEMO Group Chat Preview


Chat history now automatically synchronizes between your devices - including OMEMO chats! This includes any device using a modern XMPP client that supports Message Archive Management (aka MAM or XEP-0313). There still may be some rough edges with some configurations (like duplicate messages), but if your server supports MAM, you should be good to go. You’ll also notice that your active group chats are synchronized between devices via support for Group Chat Bookmarks (XEP-0048).

Another big change is preliminary support for OMEMO Group Chats. This still needs some testing and isn’t yet recommended for general use. If you’d like to try it, you must first enable it via the Advanced section of the Settings screen, and then also enable it individually for each group chat in the Members screen. Regardless of the settings you will still be able to receive incoming group OMEMO messages.

Up next will be a performance and stability release focusing on MAM and OMEMO groups.

Contributing

Thank you to all of the monthly supporters!

Not a supporter yet? It’s easy! You can start supporting development directly in the app. Sustainable open source starts with you! ❤️

Download the latest ChatSecure version here:

download chatsecure on the app store

Release Notes

  • Message Archive Management (XEP-0313) - one-to-one and group chat history is now synchronized between multiple devices, if supported by your server.
  • Group Chat Bookmarks (XEP-0048) - Group chats are now bookmarked on your server to allow persistence between devices / installs.
  • OMEMO Group Chat Encryption Preview - This is not yet recommended for general use and is for advanced users only. Must be globally enabled in Advanced Settings as well as individually for each group chat.
  • Improvements to general group chat user experience
  • Bug fixes and performance improvements
  • Full release notes
  • Changelog

Written By
Chris Ballinger

ChatSecure v4.2.0 - Group Chat


First of all, thank you to all of the monthly supporters! Your contributions have been a great motivator to keep the release cycle moving along at a regular pace, from master branch, to TestFlight, to App Store. Not a supporter yet? It’s easy! You can start supporting development directly in the app. Remember, sustainable open source starts with you! ❤️

This version contains numerous improvements to the existing group chat functionality: unencrypted media transfers (XEP-0363), brand new participant list, and enhanced stability and reliability. There is still a lot of work to be done, but it has stabilized enough for a general release. It was designed with small, private groups in mind, so it hasn’t been tested with very large groups, and “anonymous” groups are currently unsupported.

Up next is support for XEP-0313: Message Archive Management, which will allow you to use the same account on multiple devices, and is a prerequisite for OMEMO group chats.

Download the latest ChatSecure version here:

download chatsecure on the app store

Release Notes

  • Improved group chat reliability
  • Media sharing in group chats (unencrypted only)
  • Redesigned group participants view
  • Improve performance of chat view. Thanks @stigger!
  • Bug fixes and refactoring
  • Tor 0.3.0.11
  • Full release notes
  • Changelog

Written By
Chris Ballinger

ChatSecure v4.1.0 - Media Messaging


This release contains major improvements to how media messages are handled. We’ve added support for both XEP-0363: HTTP Upload and the aesgcm:// scheme, allowing for mobile-friendly asynchronous end-to-end encrypted file transfers.

Previously we used a rather obscure protocol called OTRDATA that utilized OTR TLVs to send arbitrary data through existing OTR sessions. It worked reasonably well… sometimes. It was subject to throttling by XMPP servers, had a lot of encoding overhead, and wouldn’t work unless both parties were online and were in an active OTR session.

This new file transfer mechanism was designed to work well with OMEMO, and should handle multiple devices and group chats once that work is completed. To see if your server supports XEP-0363, check the “Server Information” section of your account details. If not, contact your server administrator or in the meantime test it out on a server from this list.

Up next will be improvements to group chat, multi-device conversation history, and better reliability of push notifications. If you like what we’re doing, don’t forget that sustainable open source starts with you! Thank you so much to everyone who has pledged their support! ❤️

Download the latest ChatSecure version here:

download chatsecure on the app store

What’s new in 4.1.0

  • XEP-0363: HTTP Upload support for much faster and reliable media messaging. [1]
  • XEP-0352: Client State Indication. Helps reduce network usage when running in the background. [5]
  • End-to-end encryption for file transfers in OMEMO or OTR sessions [2].
  • Inline media previews for incoming URLs. (Optional)
  • Bug fixes and refactoring.
  • Tor 0.3.0.9

Caveats

  • Your server administrator must enable support for XEP-0363. See mod_http_upload for Prosody [3] and ejabberd [4] for more details.
  • Encrypted file transfer is required in OMEMO/OTR, but has limited compatibility for receiving clients. Users on the other end will receive aesgcm:// links [2].
  • Inline media previews are enabled by default, but can be disabled on a per-account basis. This feature should be disabled if you have extreme privacy concerns or do not trust your contacts. This setting is always disabled for Tor accounts.
  • Known bug related to adding friends and setting up the first OMEMO session. These will be addressed in a future release.

References

  1. https://xmpp.org/extensions/xep-0363.html
  2. https://github.com/iNPUTmice/ImageDownloader
  3. https://modules.prosody.im/mod_http_upload.html
  4. https://docs.ejabberd.im/admin/configuration/#mod-http-upload
  5. https://xmpp.org/extensions/xep-0352.html

Changelog: https://github.com/chatsecure/chatsecure-ios/compare/v4.0.9...v4.1.0

Written By
Chris Ballinger

ChatSecure v4.0.9 - Sustainable Open Source Starts With You


The v4.0.9 release marks the beginning of a fundraising experiment to measure the long-term viability of user-driven open source privacy software development. ChatSecure has been around for over five(!) years now, and has grown from a small hobby project to a full time mission to prevent the centralization of communication.

This growth wouldn’t have been possible without the generous funding and support of organizations like The Guardian Project, OpenITP, and the Open Technology Fund along the way. The open source privacy software scene would not be nearly as vibrant without grant funding, and many projects you’ve heard of receive large amounts of funding from similar sources.

Unfortunately there are large risks with this funding model:

  • Funders generally do not support ongoing software maintenance. Grants require specific milestones and deliverables.
  • The grant cycle can be very long. It can take over a year and multiple iterations between a concept and secured funding.
  • Even after multiple rounds of negotiation, funders may ultimately decide not to fund your vision.
  • Fundraising is a full time job. For a small team, that means less time can be spent on improving the product.
  • There’s also the elephant in the room. Although “Internet freedom” appropriations may be safe for now, a large chunk of this funding pool could also quickly dry up, leaving many projects scrambling to keep the lights on.

Other funding models don’t work well either for tools in this space. Venture capital is incapable of funding “privacy software” products without eventually introducing something to monetize you by violating your privacy. The upfront cost of paid App Store builds prevents vulnerable users without reliable access to payment services from downloading the app. Services like Patreon may work for some projects, but most rarely receive enough funds to actually pay anyone for development. Offering white labels and consulting services can also work to fund core development, but it doesn’t scale well and can take a considerable amount of time.

❤️ This Is For You

You, the user, are the reason this project exists. We’ve now put the power of direct funding in your hands. There are quite a few of you now, and if a relatively small fraction of you can contribute a few bucks a month, you will prove that open source privacy software development can be sustainable.

You can now show your continued support directly within the app. The current options are ☕️ $2.99/mo, 🍺 $5.99/mo, and 🎁 $19.99/mo. Hopefully these are enough choices for now, and we welcome any feedback or suggestions. If you’re already a supporter, or don’t have the spare cash right now, you can help in other ways like improving a translation, submitting a bug report, or simply spreading the word.

Thank you so much for your support!

Download the latest ChatSecure version here:

download chatsecure on the app store

Written By
Chris Ballinger
