Published: 2014-02-26 18:41:50 by Daniele Ricci

WARNING this post is outdated. Please refer to this page.

It's been some weeks since I've been able to use Kontalk XMPP from my notebook, using a custom Python script to remedy the lack of client certificate authentication in Pidgin. The code was very ugly (it still is) and had hard-coded values.
So I decided to fix it a bit and release it in the public domain. You can find the script in the xmppserver repository (download link). You'll need Twisted to run it.

user@host:~/kontalk/xmppserver/test$ ./ssl_bridge.py -h
usage: ssl_bridge.py [-h] [-d] [-p PORT] --domain DOMAIN -c CERTIFICATE -k
                     PRIVATEKEY
                     address

An XMPP bridge for clients not supporting SSL client certificate
authentication.

positional arguments:
  address               forward connections to this host (host:port)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           enable debug output
  -p PORT, --port PORT  listen for local connections on this port (default:
                        5224)
  --domain DOMAIN       use this domain for stream initialization
  -c CERTIFICATE, --certificate CERTIFICATE
                        X.509 certificate file
  -k PRIVATEKEY, --privatekey PRIVATEKEY
                        X.509 private key file

ssl_bridge.py is basically a tunnel that masks the STARTTLS process by doing its own SSL handshake using a provided client certificate and private key.

The first thing you have to do is to export the client certificate and private key from your device. Of course you have to register with Kontalk first if you haven't done so yet. Open Kontalk, press menu > Settings > Export personal key. This will create four files on your SD card:

  • kontalk-login.crt
  • kontalk-login.key
  • kontalk-private.pgp
  • kontalk-public.pgp

Transfer the first two files, kontalk-login.crt and kontalk-login.key, to your computer. Then you'll need to convert them to an appropriate format using the following commands:

openssl x509 -inform der -outform pem -in kontalk-login.crt -out kontalk-login.pem
openssl rsa -inform der -outform pem -in kontalk-login.key -out kontalk-login.rsa

Your certificate and private key are ready for use!

Start the SSL bridge script:

./ssl_bridge.py -p 5224 --domain kontalk.net -c kontalk-login.pem -k kontalk-login.rsa beta.kontalk.net:5222

This will start listening on port 5224, which will be forwarded to beta.kontalk.net:5222 after STARTTLS has been negotiated.
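The upstream half of such a bridge, as an added sketch that is not the code of ssl_bridge.py: it performs the plaintext STARTTLS negotiation, refuses to continue if the server does not offer or accept TLS, and then does the TLS handshake with the client certificate. The function names are hypothetical, the relay to the local client is left out, and it assumes the server certificate is valid for the XMPP domain.

```python
import os
import socket
import ssl
import stat

TLS_NS = b"urn:ietf:params:xml:ns:xmpp-tls"

def read_until(sock, marker, limit=65536):
    """Collect bytes until marker is seen; refuse EOF or oversized replies."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream ended before %r" % marker)
        buf += chunk
    return buf

def negotiate_starttls(sock, domain):
    """Plaintext part of RFC 6120 STARTTLS. Fails closed: no <proceed/>, no bridge."""
    sock.sendall(b"<stream:stream to='" + domain.encode() + b"' version='1.0' "
                 b"xmlns='jabber:client' "
                 b"xmlns:stream='http://etherx.jabber.org/streams'>")
    features = read_until(sock, b"</stream:features>")
    if TLS_NS not in features:
        raise ConnectionError("server did not offer STARTTLS")
    sock.sendall(b"<starttls xmlns='" + TLS_NS + b"'/>")
    if b"<proceed" not in read_until(sock, b"/>"):
        raise ConnectionError("server refused STARTTLS")

def key_is_private(path):
    """True if only the owner can access the key file (it is stored unencrypted)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def open_upstream(address, domain, certfile, keyfile):
    """Return a TLS socket to the server, authenticated with the client certificate."""
    if not key_is_private(keyfile):
        raise PermissionError("%s is accessible to other users" % keyfile)
    ctx = ssl.create_default_context()       # verifies the server certificate
    ctx.load_cert_chain(certfile, keyfile)   # raises if key and certificate differ
    raw = socket.create_connection(address, timeout=30)
    try:
        negotiate_starttls(raw, domain)
        # Assumption: the server certificate is valid for the XMPP domain.
        return ctx.wrap_socket(raw, server_hostname=domain)
    except Exception:
        raw.close()
        raise
```

Whatever accepts the local connections should bind to 127.0.0.1 only, since every connection to that port is relayed under the identity of your certificate.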

Now it's time to configure your favourite XMPP client. We will take Pidgin as an example, but the configuration is pretty much the same for other clients.
Create a new XMPP account using these parameters:

  • username: dummy (doesn't matter actually)
  • domain: kontalk.net
  • password: dummy (doesn't matter)
  • check Remember password
  • connection security: Use encryption if available
  • check Allow plaintext auth over unencrypted streams
  • connect port: 5224
  • connect server: localhost

And there you go!!! Connect your account and you will see buddies with strange codes. Those are your buddies' hashed phone numbers. You'll have to recognize each one by talking to them, sorry. You can then rename your buddies accordingly; Pidgin will keep track of the names.

Please note that encrypted messages are not supported by Pidgin and you'll have to tell your buddies to disable encryption when they talk to you (you won't receive anything otherwise).
Also delivery confirmations are not supported, so your buddy will not see his/her messages confirmed. The only way to confirm them is to open Kontalk from Android. You will receive all the unconfirmed messages again and the app will confirm them.

The SSL bridge script is still not perfect. If you have any problems, please report them to the Kontalk issue tracker.

Published: 2014-02-23 11:47:51 by Daniele Ricci

Dear Indian users,
I'm sorry to inform you that we did all we could do in our power to let Indian users receive our verification SMS. We use Nexmo to send them. Like any international SMS wholesale service, it has specific carrier restrictions in India, as described here: Specific Carrier Restrictions in India, notably:

  • Nexmo can only guarantee message delivery between 9am to 9pm. Messages submitted after 9pm Nexmo will attempt to send, but due to local regulations, these messages may be blocked or queued.
  • You might receive our SMS as Cell Broadcast. Please enable CB on your mobile to be sure to receive it.
  • Messages sent to numbers registered in the NDNC (National Do Not Call) list will be blocked.
  • Messages towards Jammu and Kashmir networks (example, 405/55 - Airtel J&K) will be blocked by the government due to political sensitivity.

Registration attempts have been cut to one every 24 hours. We decided to do that because we pay for these blocked messages and we can't afford the price even with donations. You don't have any idea how many registration attempts we receive from India.
I'm sorry there is nothing else we can do for now. We will investigate other solutions, but it will be taken care of in version 3.0.

Published: 2014-02-17 19:57:21 by Daniele Ricci

In August 2013 a journalist named Angela Gruber contacted me via e-mail asking for some technical details about Kontalk. I was more than happy to answer her questions. After a couple of replies, I never heard from her again.

A few days ago, a user on our mailing list posted this: Die vermeintlich sicheren Alternativen zu WhatsApp.

I didn't know about Die Zeit. A quick look at Wikipedia showed that it is one of the largest newspapers in Germany.

Die Zeit is a German national weekly newspaper well-regarded for its journalistic quality [...] it is the most widely read German weekly newspaper. Wikipedia

Then the majority of users are from Germany. Is it a coincidence? :-)

Here is a translated version of the snippet about Kontalk.

More decentralized approach to Kontalk

The application Kontalk is still under development. Daniele Ricci from Italy, who founded the project, is also the lead developer. With Kontalk he wants to establish a non-commercial community project and counts on a decentralized server structure. Volunteers are expected to rent server capacity and provide it to Kontalk, creating a network under one domain name.

The project is still in its early stages. Currently a free app is available for Android only, so far only text messages and pictures can be sent. This is less than what myEnigma or Threema offer which can send more media types.

Also, the encryption method has flaws, which Ricci admits: in its first version Kontalk works with symmetric encryption. For upcoming versions Ricci wants to correct this.

Published: 2014-02-12 10:22:23 by Daniele Ricci

We are glad to announce that we've just entered alpha testing! Click here for the announcement on kontalk-devel. This being an initial alpha release, it contains a lot of new features but also a lot of bugs. It might also blow up your phone.
Alpha release is public, but please note that some skills are required for being a good tester: you might be asked to generate system log dumps, possibly extract system files and stuff like that. Please wait for beta if you think you don't have time to spare or some basic Android skills.

This alpha introduces the use of XMPP with the original package name org.kontalk. Some highlights:

  • you will not be able to chat with Kontalk 2.x users until they upgrade
  • invitation system: no more automatic subscriptions. Although there is a privacy setting regulating this, XMPP normal presence subscription flow is used
  • XMPP compression is not enabled yet, so this version will require more bandwidth than "normal" thus more energy
  • you will be asked for your name the first time you open the new app. That will be the name that will be used in your PGP key uid

A lot of stuff is still missing: media messages (e.g. images) are not available yet. You can see a list of changes planned for alpha2 here.

I want to thank Christian Braun, who has kindly donated a mirror for Kontalk releases and other stuff: https://kontalk.raunz.name/files/.
Despite what I said in the release announcement, we are not hosting releases on Google Drive any more. Mirrors are listed in the downloads page on Google Code.