Ricochet 1.1.2

Ricochet 1.1.2 fixes a vulnerability which could lead to user-assisted network deanonymization, improves contact connection reliability, and fixes a common stability issue.

We're also proud to release the results of an audit by NCC Group through the Open Technology Fund. The report validates Ricochet's security and provides a great outline of areas to improve in the near future.

Downloads

• Windows - (pgp)
• Mac OS X - (pgp)
• Linux 32-bit - (pgp)
• Linux 64-bit - (pgp)
• Source - (pgp)

Security fixes

By sending a nickname with some HTML tags in a contact request, an attacker could cause Ricochet to make network requests without Tor after the request is accepted, which would reveal the user's IP address. The malicious nickname is clearly displayed, and no network activity takes place unless the request is accepted. We've addressed this vulnerability by sanitizing nicknames in all cases before display, rejecting contact requests with suspicious nicknames, and blocking any network requests at that layer.

Thanks to the incredible Sarah Jamie Lewis (@s-rah) for originally discovering this issue.

Changes

• Block all network requests to guard against potential deanonymization issues (#303)
• Reject contact requests with nicknames containing suspicious characters
• Sanitize nicknames before use in UI labels
• Fix a common crash when restarting an outbound connection attempt
• Fix a bug which caused connection attempts to contacts to stall until restarted (#295)
• Added translations for Hebrew, Slovenian, and Chinese
• Updated translations
• Updated to Qt 5.5.1, OpenSSL 1.0.1r, and Tor 0.2.7.6
• OS X builds now use AddressSanitizer for hardening

Thanks

This release is made possible by contributions from:

Billy Burrows, John Brooks, Robin Burchell, Jeff Burdges, Colin Childs, Gabe Edwards, Patrick Gray, Kacper Kołodziej, Sarah Jamie Lewis, all of our translators, NCC Group and the Open Tech Fund, and many others.