New project that aims at preserving anonymity in online chatting

Jul 5, 2014 07:37 GMT

A new project, aiming to provide anonymity for online communications, has been started by a group of security experts. Shaped as an instant messaging tool with file sharing capabilities, Invisible.im has been designed as a system for journalists and other privacy-conscious people.

The initiators of the project are Australian security analyst Patrick Gray, Metasploit founder HD Moore, security expert The Grugq, and security engineer and developer Richo Healey.

Invisible.im is currently in its early stages, and the developers are trying to make it an easy-to-use tool that leaves “as small a metadata trail as possible,” intended for freelance journalists and independent media.

In the documentation of the project, the developers dismiss the ephemeral identities that have to be established in other anonymity tools as impractical, and say that a different approach is needed to stay completely safe, one that does not rely on third-party servers that could be used to reveal the communication.

The service uses the Tor network to hide the local XMPP server managing the communication and enforces off-the-record (OTR) encryption for the conversation.

The source of the local XMPP service is protected from discovery by preventing it from connecting to anything that is not routed through the Tor network, and the federation feature of XMPP takes care of everything else.

“The nice thing is XMPP federation will launch an outbound connection from the system that is initiating the chat session to the destination party's XMPP service listening on a hidden service,” the FAQ section of the project states.
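The design above depends on the local XMPP server never opening a connection that bypasses Tor. The following Python check is an added example, not code from Invisible.im or from this article: it audits socket listings in the shape of `ss -tnp` output and reports any established connection of the XMPP process that Tor does not account for. The process name `xmppd`, the use of port 5269 for the hidden service and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re

XMPP_PROC = "xmppd"  # hypothetical process name (assumption, not from the article)
S2S_PORT = 5269  # standard XMPP server-to-server port, assumed for the hidden service
TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SOCKS listener

LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

# Constructed sample in the shape of `ss -tnp` output (documentation addresses).
SAMPLE = """\
LISTEN 0 128 127.0.0.1:5269 0.0.0.0:* users:(("xmppd",pid=812,fd=9))
ESTAB 0 0 127.0.0.1:48312 127.0.0.1:9050 users:(("xmppd",pid=812,fd=14))
ESTAB 0 0 127.0.0.1:5269 127.0.0.1:51010 users:(("xmppd",pid=812,fd=16))
ESTAB 0 0 192.168.1.20:51544 203.0.113.7:5269 users:(("xmppd",pid=812,fd=15))
ESTAB 0 0 192.168.1.20:40022 198.51.100.4:443 users:(("browser",pid=2001,fd=88))
""".splitlines()

def split_addr(addr):
    """Split 'host:port' or '[v6host]:port' into (host, int(port))."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def audit(lines, proc=XMPP_PROC):
    """Return (local, peer, reason) for each established TCP socket of
    `proc` that is neither outbound via Tor SOCKS nor inbound from local Tor."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["proc"] != proc or m["state"] != "ESTAB":
            continue
        _, lport = split_addr(m["local"])
        phost, pport = split_addr(m["peer"])
        loopback = ipaddress.ip_address(phost).is_loopback
        if (phost, pport) == TOR_SOCKS:
            continue  # outbound federation handed to Tor's SOCKS port
        if loopback and lport == S2S_PORT:
            continue  # inbound hidden-service traffic delivered by the local Tor
        reason = "loopback peer is not Tor" if loopback else "direct connection bypasses Tor"
        findings.append((m["local"], m["peer"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check covers established TCP sockets only; name lookups sent over UDP would need a separate check.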

A working prototype, leveraging OTR and OpenPGP, complete with a contact list and status, has been created. However, at the moment, the developers are struggling with a problem that causes the first few messages in a chat session to simply vanish into thin air.

The basic working principle of the messenger is as follows: “A journalist (or minor party senator) using technology will generate a cryptographically verifiable identity that is used, in turn, to verify their Tor hidden service, as well as their OTR and PGP keys. If someone wishes to contact them, they simply download the software, choose to connect in ‘anonymous mode,’ which generates single-use, ephemeral OTR keys, and then enter the hidden service address of the person they wish to communicate with.”

Thus, someone who wishes to preserve their anonymity can contact journalists whose identity is verifiable.

However, if a source is already under surveillance, Invisible.im cannot help with providing anonymous chats.