PSI 0.11 (svn): Proxy-support still broken
Mar 29th, 2007 by anonymous
PSI is a very popular Jabber-client which supposedly supports SOCKS-compatible proxies in the upcoming version. This support is, sadly, utterly broken from a security point of view.
What’s Jabber, anyway?
Jabber is a protocol for user-to-user messages which, to the end-user, works just like MSN, ICQ and similar systems. The difference is that Jabber is an open protocol. No single corporation owns the network, you can use any software which follows the standard to communicate, and you can run your own Jabber-server if you don’t want to use any of the many public servers that are available.
PSI is one of the many programs you can use to communicate with other Jabber-users (it is also possible to talk to MSN and ICQ users over “gateways”) and PSI is in many ways the best Jabber-client.
Its proxy “support” is, sadly, totally broken in both the latest “stable” version and the developer SVN version as of March 28th, 2007.
Why is proxy-support so important?
There are a great number of reasons why you would want to communicate with the rest of the world without revealing your location. The Tor-network is a great traffic-analysis-resistant proxy network which allows you to do that. But not by using PSI.
Let’s tell the world by leaking DNS
The proxy support in the latest version of PSI insists on doing DNS queries locally and then connects to the resolved IP address through the configured SOCKS-proxy. If the adversary is watching your local connection or your DNS-server then the adversary will learn enough information to know that you’re communicating over Jabber. PSI insists on trying to resolve DNS queries locally and will only try to resolve over the SOCKS-proxy if local DNS resolution fails. So it can act securely and resolve DNS over SOCKS, it just won’t, and you can’t configure it to behave properly unless you are willing to change the source-code.
Are there any working alternatives?
If you know about a Jabber-client with working SOCKS proxy support then please, do share. The PSI developers were informed about their broken SOCKS support ages ago, and nothing has changed. There really should be a Jabber client which allows you to communicate with the world without having to reveal exactly where in the world you are.








