more md formatting

anarsec 2023-07-08 20:49:47 +00:00
parent b6bbc36b6f
commit 11986c34cb
No known key found for this signature in database
10 changed files with 237 additions and 88 deletions


@ -51,48 +51,59 @@ Any Cwtch user can turn the app on their phone or computer into an untrusted ser
>[**Briar**](https://briarproject.org) is another application which works in a similar way (with peer-to-peer and Tor), and uses the [Bramble Transport Protocol](https://code.briarproject.org/briar/briar/-/wikis/A-Quick-Overview-of-the-Protocol-Stack) (BTP). The main distinguishing feature of Briar is that it continues to function [even when underlying network infrastructure is down](https://briarproject.org/how-it-works/). It was [audited in 2017](https://code.briarproject.org/briar/briar/-/wikis/FAQ#has-briar-been-independently-audited). Unfortunately, Briar Desktop does not yet work with Tails or Qubes-Whonix, because it cannot [use the system Tor](https://code.briarproject.org/briar/briar/-/issues/2095). Unlike Cwtch, to connect with a contact on Briar, you must both add each other first. You can either exchange `briar://` links or scan a contacts QR code if they are nearby. [Briar Mailbox](https://briarproject.org/download-briar-mailbox/) enables asynchronous communication.
<details>
<summary><strong>Cwtch Installation on GrapheneOS</strong></summary>
<summary>
**Cwtch Installation on GrapheneOS**
</summary>
<br>
<p>If you have decided to use a smartphone despite our <a href="/posts/nophones/">recommendation to not use phones</a>, Cwtch is available for Android. Follow the instructions for <a href="/posts/grapheneos/#software-that-isn-t-on-the-play-store">installing software that isn't on the Play Store</a>. Updates must be made manually - back up your profile first.</p>
If you have decided to use a smartphone despite our [recommendation to not use phones](/posts/nophones/), Cwtch is available for Android. Follow the instructions for [installing software that isn't on the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). Updates must be made manually - back up your profile first.
<br>
</details>
<details>
<summary><strong>Cwtch Installation on Tails</strong></summary>
<summary>
**Cwtch Installation on Tails**
</summary>
<br>
<p>Cwtch is still beta - support for Tails is very new and not yet thoroughly tested.</p>
<ul>
<li>Start Tails with an Adminstration Password.</li>
<li>Download <a href="https://cwtch.im/download/#linux">Cwtch for Linux</a> using Tor Browser</li>
<li>Verify the download <ul>
<li>Open the folder from Tor Browser&#39;s download icon </li>
<li>Right click in the file manager and select &quot;Open a Terminal Here&quot;</li>
<li>Run <code>sha512sum cwtch-VERSION-NUMBER.tar.gz</code> (replacing the filename as appropriate)</li>
<li>Compare the hash of the file with what is listed on the download page </li>
</ul>
</li>
<li>As per our <a href="/posts/tails-best/#using-a-write-protect-switch">Tails Best Practices</a>, personal data should be stored on a second LUKS USB, and the Persistent Storage is not enabled. Extract the file with the file manager (right click, select &quot;Extract Here&quot;), then copy the folder <code>cwtch</code> to such a personal data LUKS USB. <ul>
<li>OPTIONAL - If you do enable Persistent Storage: with Persistent Storage unlocked, in Terminal run <code>sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf && sudo sed -i '$ a /home/amnesia/.local source=cwtch_install' /live/persistence/TailsData_unlocked/persistence.conf</code> then reboot Tails for the changes to take effect, again with an Adminstration Password.</li>
</ul>
</li>
<li>Run the install script<ul>
<li>In the File Manager, enter the directory you just created, <code>cwtch</code>. Right click in the File Manager and select "Open a Terminal Here"</li>
<li>Run <code>install-tails.sh</code> and enter the Administration Password when prompted.</li>
</ul>
</li>
<li>As the <a href="https://docs.cwtch.im/docs/platforms/tails">documentation</a> specifies, "When launching, Cwtch on Tails should be passed the CWTCH_TAILS=true environment variable". In the Terminal, run:<ul>
<li><code>exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch</code></li>
</ul>
</li>
<li>With Persistent Storage disabled, configuration and profile data must be recovered from backup every session you need to install Cwtch. Backup <code>`/home/amnesia/.cwtch/`</code> to the personal data LUKS USB, and copy it back into <code>/home/amnesia/</code> the next time you install Cwtch.</li>
<li>Updates to new versions must be made manually - back up your profile first.</li>
Cwtch is still beta - support for Tails is very new and not yet thoroughly tested.
* Start Tails with an Adminstration Password.
* Download [Cwtch for Linux](https://cwtch.im/download/#linux) using Tor Browser
* Verify the download
* Open the folder from Tor Browser's download icon
* Right click in the file manager and select "Open a Terminal Here"
* Run `sha512sum cwtch-VERSION-NUMBER.tar.gz` (replacing the filename as appropriate)
* Compare the hash of the file with what is listed on the download page
* As per our [Tails Best Practices](/posts/tails-best/#using-a-write-protect-switch), personal data should be stored on a second LUKS USB, and the Persistent Storage is not enabled. Extract the file with the file manager (right click, select "Extract Here"), then copy the folder `cwtch` to such a personal data LUKS USB.
* OPTIONAL - If you do enable Persistent Storage: with Persistent Storage unlocked, in Terminal run `sudo sed -i '$ a /home/amnesia/.cwtch source=cwtch' /live/persistence/TailsData_unlocked/persistence.conf && sudo sed -i '$ a /home/amnesia/.local source=cwtch_install' /live/persistence/TailsData_unlocked/persistence.conf` then reboot Tails for the changes to take effect, again with an Adminstration Password.
* Run the install script
* In the File Manager, enter the directory you just created, `cwtch`. Right click in the File Manager and select "Open a Terminal Here"
* Run `install-tails.sh` and enter the Administration Password when prompted.
* As the [documentation](https://docs.cwtch.im/docs/platforms/tails) specifies, "When launching, Cwtch on Tails should be passed the CWTCH_TAILS=true environment variable". In the Terminal, run:
* `exec env CWTCH_TAILS=true LD_LIBRARY_PATH=~/.local/lib/cwtch/:~/.local/lib/cwtch/Tor ~/.local/lib/cwtch/cwtch`
* With Persistent Storage disabled, configuration and profile data must be recovered from backup every session you need to install Cwtch. Backup `/home/amnesia/.cwtch/` to the personal data LUKS USB, and copy it back into `/home/amnesia/` the next time you install Cwtch.
* Updates to new versions must be made manually - back up your profile first.
<br>
</details>
<details>
<summary><strong>Cwtch Installation on Qubes-Whonix</strong></summary>
<summary>
**Cwtch Installation on Qubes-Whonix**
</summary>
<br>
Cwtch on Whonix currently has an [issue](https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/550) - support is forthcoming.
<br>
<p>Cwtch on Whonix currently has an <a href="https://git.openprivacy.ca/cwtch.im/cwtch-ui/issues/550">issue</a> - support is forthcoming. </p>
</details>
![](onionshare.png)
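Review bot: "Adminstration Password" is misspelled in two of the rewritten Tails bullets ("Start Tails with an Adminstration Password." and the OPTIONAL Persistent Storage step), while the install-script bullet spells it "Administration Password"; fix both while these lines are being rewritten. The two long commands (`sudo sed -i ... persistence.conf && ...` and `exec env CWTCH_TAILS=true ...`) are still inline code inside bullets. The first one is run with sudo and appends to persistence.conf, so a line wrap or partial copy changes what gets written; both would be safer as their own code blocks now that the list is markdown.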
@ -132,25 +143,44 @@ As a result, Signal is rarely used anonymously which has a significant impact if
Due to the near impossibility of using Signal anonymously as well as our [recommendation to not use phones](/posts/nophones/), we don't currently recommend anarchists use Signal. We nonetheless provide installation instructions because it has become the norm in the anarchist space in many countries, and it might be hard to get in touch with somebody without it.
<details>
<summary><strong>Signal Installation on GrapheneOS</strong></summary>
</details>
<summary>
**Signal Installation on GrapheneOS**
</summary>
<br>
If you have decided to use a smartphone [despite our recommendation to not use phones](/posts/nophones/), we recommend the [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/). As noted above, unless you are comfortable with the [Command Line Interface](/glossary/#command-line-interface-cli), Signal must be registered on a smartphone before being linked to a computer. Install Signal like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
[Molly-FOSS](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/#molly-android) is a fork of Signal with hardening and anti-forensic features available on Android - we recommend it over Signal for anarchists, and extending trust to the Molly team is facilitated by its [reproducible builds](https://github.com/mollyim/mollyim-android/tree/main/reproducible-builds). Follow the instructions for [installing software that isn't on the Play Store](/posts/grapheneos/#software-that-isn-t-on-the-play-store). You can [migrate from an existing Signal account](https://github.com/mollyim/mollyim-android#compatibility-with-signal). Turn on database encryption.
<details>
<summary><strong>Signal Installation on Tails</strong></summary>
<br>
</details>
<details>
<summary>
**Signal Installation on Tails**
</summary>
<br>
About.Privacy [maintains a guide](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo) for installing Signal Desktop on Tails. There is a guide for registering an account from Tails without a smartphone (using Signal-cli), and another guide for if you already have a Signal account.
Some of [Signal Configuration and Hardening Guide](https://blog.privacyguides.org/2022/07/07/signal-configuration-and-hardening/) also applies to Signal Desktop.
<details>
<summary><strong>Signal Installation on Qubes-Whonix</strong></summary>
<br>
</details>
<details>
<summary>
**Signal Installation on Qubes-Whonix**
</summary>
<br>
Signal Desktop on Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Signal Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository).
* Go to **Applications menu → Qubes Tools → Qube Manager**
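Review bot: The new `<summary>` blocks carry the title as markdown (`**Signal Installation on GrapheneOS**`) between raw `<summary>` and `</summary>` tags, where the old `<summary><strong>...</strong></summary>` form was bold regardless of the renderer. Whether `**...**` is parsed inside an HTML block depends on the markdown renderer and on the blank lines around it, so please confirm on the built page that the three Signal titles render bold and not with literal asterisks. Separately, "Some of [Signal Configuration and Hardening Guide]" is missing "the".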
@ -173,6 +203,9 @@ https_proxy = 127.0.0.1:8082
>
>You can install Signal Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Signal Desktop on Flathub is [community maintained](https://github.com/flathub/org.signal.Signal), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
<br>
</details>
<br>
<br>
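Review bot: The two bare `<br>` lines after `</details>` are there only for vertical spacing. A bottom margin on `details` in the stylesheet would give the same gap without repeating spacer tags after every collapsible block.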
@ -203,7 +236,7 @@ As soon as you have logged in, go to **Setting → Security & Privacy**.
* For Element Desktop, you will only need to use the Security Key if you sign out.
* For Element Web (using Tor Browser), you will need the Security Key every time you use it. Tor Browser clears your cookies, so you will need to sign in to a new session.
Some current limitations:
## Some current limitations
* "Disappearing messages" is not yet a feature, but it is forthcoming. Message retention time can be set by the homeserver administrator, as mentioned above, and it is indeed set on both of our recommended homeservers.
* One to one audio/video calls [are encrypted](https://matrix.org/faq/#are-voip-calls-encrypted%3F) and you can use them. Group audio/video calls are not encrypted, so don't use them. This will be resolved when [Element-call](https://github.com/vector-im/element-call) is stable.
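Review bot: "## Some current limitations" promotes a lead-in sentence to a level-2 heading whose title does not name Element or Matrix, although both bullets under it are about Matrix homeservers and Element calls. In a table of contents or as a link anchor it will read as a limitations list for the whole page; consider a deeper heading level under the Element section, or a title such as "Element: current limitations".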
@ -215,23 +248,41 @@ Some current limitations:
>You may have heard of **XMPP** (formerly called Jabber). XMPP has similar security properties to Matrix, but many clients don't support end-to-end encryption (via the OMEMO protocol) by default. Configuring a client properly is non-trivial. XMPP and Matrix leak similar amounts of metadata, but OMEMO has never been formally audited like the Matrix encryption protocol. Additionally, the administrator is able to act as a [man-in-the-middle](/glossary#man-in-the-middle-attack) on [any XMPP server](https://web.archive.org/web/20211215132539/https://infosec-handbook.eu/articles/xmpp-aitm/). For these reasons, we recommend using Matrix over XMPP.
<details>
<summary><strong>Element Installation on GrapheneOS</strong></summary>
</details>
<summary>
**Element Installation on GrapheneOS**
</summary>
<br>
If you have decided to use a smartphone despite our [recommendation to not use phones](/posts/nophones/), Element is available for Android. Install Element like you would for any [app that doesn't require Google Services](/posts/grapheneos/#how-to-install-software) (we don't recommend F-Droid).
<details>
<summary><strong>Element Installation on Tails</strong></summary>
<br>
</details>
<details>
<summary>
**Element Installation on Tails**
</summary>
<br>
The easiest option is to use the Element web client on Tor Browser. This doesn't require any additional software. Tor Browser deletes all data upon closing, so you'll be prompted for the Security Key after each login in order to access your past messages. Make sure to **Sign Out** when finished, to avoid accumulating "Signed-in devices".
To install Element Desktop, About.Privacy [maintains a guide](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/about.privacy/messengers-on-tails-os/-/wikis/HowTo).
<details>
<summary><strong>Element Installation on Qubes-Whonix</strong></summary>
<br>
</details>
<details>
<summary>
**Element Installation on Qubes-Whonix**
</summary>
<br>
The easiest option is to use the Element web client on Tor Browser is a disposable Whonix qube. This doesn't require any additional software. Tor Browser deletes all data upon closing, so you'll be prompted for the Security Key after each login in order to access your past messages. Make sure to **Sign Out** when finished, to avoid accumulating "Signed-in devices".
To install Element Desktop, Whonix is not guaranteed to have Tor Stream Isolation from other applications in the same qube, so we will install it in a dedicated qube. Element Desktop is installed in a Template, not an App qube (because it is available as a .deb from a third party repository).
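Review bot: In the Qubes-Whonix block, "use the Element web client on Tor Browser is a disposable Whonix qube" should read "in a disposable Whonix qube". The next paragraph also opens "To install Element Desktop, Whonix is not guaranteed to have Tor Stream Isolation ...", which reads as if Whonix were the thing being installed; the Signal section's wording ("Signal Desktop on Whonix is not guaranteed ...") is clearer and could be mirrored here.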
@ -256,6 +307,9 @@ https_proxy = 127.0.0.1:8082
>
>You can install Element Desktop in a Whonix Workstation App qube by using [Qube Apps](https://micahflee.com/2021/11/introducing-qube-apps/), and you will not need to bother with Templates. Element Desktop on Flathub is [community maintained](https://github.com/flathub/im.riot.Riot), not official, which [is a security consideration](https://www.kicksecure.com/wiki/Install_Software#Flathub_Package_Sources_Security).
<br>
</details>
<br>
<br>