Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

How to: Use Ricochet for Windows

This guide outlines how to use Ricochet on Microsoft Windows. I hope that it becomes part of the Electronic Frontier Foundation’s Surveillance Self Defense. Having recently updated the EFF’s guide for Tor Browser, I adapted our previous work for this guide.


Software versions tested in this guide:

  • Windows 7 SP1
  • Firefox 42.0
  • Ricochet 1.1.1

Level: Beginner – Intermediate
Time required: 5 – 10 minutes


What is Ricochet?

Ricochet is a different approach to instant messaging that doesn’t trust anyone in protecting your privacy.

Ricochet is a free software, multi-platform, end-to-end encrypted instant messenger. It is a decentralized IM tool, meaning there is no registration and no server to connect to and share metadata with.


Getting Ricochet

Open a browser like Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, or Microsoft Edge and go to:

https://ricochet.im/

If you are using a search engine to look for Ricochet, make sure that the URL is correct.

Do not use any other source, and if you are prompted to accept alternative HTTPS (SSL/TLS) security certificates, do not proceed.

Click the large Windows download button.

Some browsers will ask you to confirm whether you want to download this file. Internet Explorer 11 shows a bar at the bottom of the browser window. For any browser, it is best to save the file first before proceeding.

This example shows Ricochet version 1.1.1, which is the current version at the time of writing this guide. There may be a more recent version of Ricochet available for download by the time you read this, so please download and use the current version available at Ricochet.im.

Click the Save button.

Installing Ricochet

In Firefox, you can click the download button (the down arrow in the upper-right corner) to view your download. Click Ricochet-1.1.1.exe.

After opening the Ricochet installer, a window will open with a warning about the origin of the software. You should always take these warnings seriously. Unfortunately, the developers of Ricochet have not had their installer signed by Microsoft (Unknown Publisher). This makes it very important that you download Ricochet from Ricochet.im over a secure connection. Since you know what you want, and you know where to get the software, and the download was from Ricochet’s HTTPS site, go ahead and click Run.

A Welcome to the Ricochet Setup Wizard window will open verifying you wish to continue. Click Next.

There are two options when installing Ricochet in Windows:

  1. Install (Recommended) will install Ricochet like a normal application and is the most convenient for regular use.
  2. Extract (Portable) makes it easy for you to install Ricochet onto a USB drive or into a folder that gets regular backups. This may be important to you since Ricochet has no account registration: if you want to keep a long-term identity and your Ricochet contacts, you will need to keep your Ricochet folder backed up.

For the purposes of this guide, keep Install (Recommended) selected and click Next.

You will find a new window that will tell you where Ricochet will be installed. Click Install.

Ricochet is very small, so installation should be quick. The installation process is complete when you see the Completing the Ricochet Setup Wizard window. If you click the Finish button, Ricochet will start immediately and Ricochet shortcuts will be added to the Start Menu.

Using Ricochet

The first time Ricochet starts, you will get a window that allows you to modify some settings if necessary. You might have to come back and change some configuration settings, but go ahead and try to connect to the Tor network by clicking Connect.

A new window will open with a green bar that illustrates Ricochet connecting to the Tor network.

The Ricochet client will open immediately after it has connected to the Tor network. Ricochet will show that you are online but you will not have any contacts to chat with.

This guide presumes that you have another contact waiting to be added. Click the + (plus sign) to add your Ricochet contact.

A new window will appear with your Ricochet ID at the top (example: ricochet:4dyjsjub6m7ai7y5).

In the ID field, enter your contact’s Ricochet ID (example: ricochet:d7gbj53jaipm5itv) and a name (example: Portable User) for your contact. It is optional to send a message with your contact request invite. If you know the person whom you will be securely messaging, perhaps give your name so that they know who is messaging them. Click Add.
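
An added example, not part of the original guide or of the Ricochet project's code: a Python check for a Ricochet ID received over another channel before it is typed into the ID field. It assumes the format of the two example IDs above (the ricochet: prefix plus 16 base32 characters, which in Ricochet 1.1.x is the name of the contact's Tor hidden service); the function names and the lower-casing step are choices made for this example.

```python
import base64

PREFIX = "ricochet:"
# Base32 alphabet used by the example IDs in this guide (a-z and 2-7).
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def parse_ricochet_id(text):
    """Return details of a well-formed Ricochet ID, or raise ValueError."""
    # Tolerate whitespace and capital letters picked up when copying the ID.
    candidate = text.strip().lower()
    if not candidate.startswith(PREFIX):
        raise ValueError("missing 'ricochet:' prefix")
    body = candidate[len(PREFIX):]
    bad = sorted({ch for ch in body if ch not in BASE32_ALPHABET})
    if bad:
        # 0, 1, 8 and 9 are not in the base32 alphabet, so a mistyped
        # digit is caught here instead of producing a different ID.
        raise ValueError("characters not valid in an ID: " + " ".join(bad))
    if len(body) != 16:
        raise ValueError("expected 16 characters after the prefix, got %d" % len(body))
    # 16 base32 characters decode to exactly 10 bytes (80 bits).
    raw = base64.b32decode(body.upper())
    return {
        "id": candidate,
        "onion": body + ".onion",      # hidden service name behind the ID
        "identifier_hex": raw.hex(),
    }


def ids_match(shown_in_request, received_out_of_band):
    """True when the ID shown in a contact request equals the ID the
    contact gave you through a different medium."""
    return (parse_ricochet_id(shown_in_request)["id"]
            == parse_ricochet_id(received_out_of_band)["id"])


if __name__ == "__main__":
    # The two example IDs from this guide.
    for sample in ("ricochet:4dyjsjub6m7ai7y5", "ricochet:d7gbj53jaipm5itv"):
        print(parse_ricochet_id(sample))
```
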

If and when your contact (example: Portable User) comes online, they will see a new window with your Ricochet ID and your message, if you chose to give one. They will not know who you are unless you have told them using a different medium.

Your contact (example: Portable User) will have the option of giving you a name (example: Installed User) for their contact list. If they reject the message, you will not be able to see that they are online, and you will not be able to communicate with them using Ricochet.

Once your contact accepts your message, and if they are online, you will be able to see them as online, and you will be able to start a new conversation with them.

Your contact will also be able to see when you are online.

Double-click on your contact (example: Portable User) to begin a secure conversation.

If your contact is online, they will get a new window with your message.

Once you close your IM window, the conversation history will be gone, too.

If and when your contact closes Ricochet, your client will show them as offline.


Privacy benefits

  • Ricochet users are not personally identifiable.
  • Ricochet does not reveal user IP addresses or physical locations because of Tor.
  • Message content is cryptographically authenticated and private.
  • There is no need to register anywhere in order to use Ricochet, particularly with a fixed server.
  • Contact list information is stored locally, and it would be very difficult for passive surveillance techniques to determine whom you’re chatting with.
  • Ricochet does not save chat history. When you close a conversation, the chat log is not recoverable.
  • The use of Tor hidden services prevents network traffic from ever leaving the Tor network, thereby preserving anonymity and complicating passive network surveillance.
  • Ricochet is a portable application; users do not need to install any software to use Ricochet. Ricochet connects to the Tor network automatically.

Security warnings

  • Ricochet has not been subjected to an independent security audit.
  • An already-compromised computer system, such as one running keystroke-logging malware, will typically defeat the privacy protections that Ricochet offers.
  • Even though Ricochet uses Tor, other applications will not be using Tor unless you’ve independently set up additional Tor services on your computer.
  • Active and passive surveillance techniques can still tell if you’re using the Internet, and when, but not necessarily what you’re doing on the Internet.
  • Since a Ricochet user does not register or log in anywhere to use Ricochet, not even with a password, it is important to implement layered physical security, including disk encryption, to protect Ricochet.
  • Tails Linux users, and users of other live operating systems, can optionally back up Ricochet to zero-knowledge cloud services such as SpiderOak, or to a personally owned USB drive (ideally encrypted).