Threema via Chatty

@orrence wrote in MUA application on our L5
(Thought I make this a new topic to not further derail that thread)

Like seriously? You’re my hero :star_struck:
I wasn’t even aware the protocol is known.
But is this based on “Threema web”, needing a different device somewhere to work, or can I actually import my ID on the Librem 5?
Links to background info and code?

4 Likes

Well, most of the credit goes to the friendly dutch guy who wrote a library for the Threema communication protocol:

The Threema protocol is not open source, but on request Threema allowed a smart student to reverse engineer the protocol. Based on his work the OpenMittsu desktop client was developed (by some other guy).

Mister Bruintjes went ahead and developed not only a cool C++ based library that manages communication with the Threema servers, but he also developed a libpurple based plugin (threepl). threepl works out of the box within Pidgin, so I thought it can’t be hard to make it work in Chatty, since it supports libpurple based plugins.

Basic communication is working (text and emoticons), but there is still a lot missing (the handshake necessary to indicate status (sent, received, seen etc.) is not integrated into libpurple and must be added in Chatty itself).

It is completely independent of “Threema Web”. I added my account and my contacts within Chatty itself.

Unfortunately I do not have a lot of time to put into the details still missing, but over time the integration will get better and better (I hope). I have not made a pull request of my changes to the repository yet, so there is no way for you to test this so far.

Thanks again for all the constructive posts in this forum, @Caliga.

Cheers,
orrence.

6 Likes

I know this topic is being abandoned for a long time but as the Threema clients for Android and iOS are open source now i thought we could hopefully get some progress into this.

@orrence do you still have the changes you made to get ceema working in Chatty available?
May i ask you to create a merge request so that everyone can have access to your great work? :slight_smile:

Hi mxor!

It’s great to read that there is still interest in this. :slight_smile:
Unfortunately I do not have access to my changes anymore since I lost my Linux system due to a stupid mistake on my part. And: no backup, no pity! :wink:

But even if I still had those changes, I am very sure that they would not be useful anymore due to the massive changes that Chats (formerly known as Chatty) has gone through in the last two years. Especially since Mohammad Sddiq took over development, there have been lots of changes …

So I guess I would have to start all over again. But the good news is, that there is not much to do to make basic communication possible. The hard part is to get it to a state that is on par with the features we all have gotten used to (state management, audio and video calls etc.) …

Still (more or less) patiently waiting for my L5 to arrive, so I guess I will have to experiment again with the emulation in QEMU.

I am still very much interested to use Threema on the L5 myself, so I am motivated to work on this.

Cheers,
orrence.

4 Likes

Did you or anyone in general fund a request for Threema on L5? Threema is much more secure than Signal, since Threema’s server are standing on swiss soil which binds them to the swiss legal system.

you can’t trust the swiss, because of their history:

Swiss spies knew about Crypto AG compromise

"Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed.

The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US civilian foreign intelligence service the CIA and Germany’s BND spy agency during the Cold War, as we reported earlier this year.

Although Swiss spies themselves knew that Crypto AG’s products were being intentionally weakened so the West could read messages passing over them, they didn’t tell governmental overseers until last year – barely one year after the operation ended."

3 Likes

You are referring to Crypto AG which makes the swiss only having 1 scandal while every other country has a whole mountain of it.

So, in comparison, the swiss are still better compared to any other country when it comes to the laws. :wink:

Additional…
Scroll down inside the link for comparison box:
https://threema.ch/en/messenger-comparison

put your code out and let everyone see all your flaws. only open source can be trusted!

3 Likes

Unless you can show the connection between Threema and Swiss spies, I think your post is off topic here. Please take this discussion elsewhere.

2 Likes

This post was flagged by the community and is temporarily hidden.

I think it is foolish to claim that because software is housed in, what you may consider, a less vulnerable location, that it is more secure. Signal has to exist in the Lion’s den, so to speak. When it comes to REAL security and not just the illusion of it, this tends to mean much much more.

On top of that, I would bet quite a bit that the actual encryption mechanism in place is built off of Signal’s. Just like nearly every other chat system out there.

That said, I like Threema, and use it. Like Signal its dependency on a phone for an account is a huge turn off. XMPP with OMEMO seems like a much better system. Of course if you are using your own server, then the E2E is, for most of the time, just unnecessary overkill as the transport of text are encrypted anyway.

It is not. Threema predates Signal. Its protocol was developed at the same time as TextSecure’s Axolotl protocol.

Regarding the Crypto AG references: In contrast to those encryption hardware devices, which are based on security by obscurity, Threema apps are fully open source and – where possible – offer reproducible builds: https://threema.ch/en/open-source/ The cryptography itself is essentially the NaCl cryptobox by Daniel Bernstein (djb).

More information can be found in the Cryptography Whitepaper.

3 Likes

Good to know. Thanks! :+1::+1:

What is ontopic though, is the fact that the threema client is now open source. While new accounts can only be created with an official client due to some signature keys or something.
The Android client for instance is here:


So, the protocol is as documented as the code is, I guess, and integrating this into chatty not impossible.

And the code is under the very open: GNU Affero General Public License v3.0 license.

I did. I gave 5$ to the fund-your-app campaign to “register” Threema in that wish-list. I was a little bit disappointed that it did not show up at all in that list of apps, but that was obviously a misunderstanding on my part.
It seems that you need a certain amount of funding requests (or amount of Euros?) for your desired app to show up in those fund-your-app lists.

So, if you want to support Purism even more than you already have so far and have 5$ (or more) to spend, I would be happy if I weren’t the only one voting with my Euros for a Linux-native Threema client for the Librem 5.

Cheers,
orrence.

1 Like

I agree and send today a little amount to support too.
Regards,

very good, someone’s smarther now than @ncc and the 3 people that liked his comment.

you can use the Threema Web by visiting this site https://web.threema.ch/#!/welcome

:slight_smile:

Well what you said is true but you still need to have an Android or iOS device with Threema running on it.
I don’t think that is what we want.

Thanks! That’s great! :smiley: