What is it?
DropChat is a simple anonymous messaging system that works through Tor. The idea is simple: you want to share information with someone, but you don't want anyone to know who you're sharing it with or what that information is. Furthermore, you may not completely trust who you're sharing information with and they may not completely trust you. DropChat allows you to communicate by creating a disposable chatroom available via Tor hidden service.
How It Works
DropChat works via an ad hoc client-server architecture. One person is the "Drop Server" who sets up the ephemeral hidden service and the other folks are the "Drop Clients" that connect to the hidden service chatroom. Then everyone chats and is happy knowing their information and identities are secure. Let's take a look at an example.
I, Alex, going by the handle DotSlashPunk, would like to chat with a couple of folks I met on a Dark Net Forum to ask them some research questions. They don't particularly trust me, nor do I trust them. I don't want them having my IP, my real name, nor do I want to chat via private message on a Dark Net Forum, where messages could be stored forever as far as I know. In other words, nobody trusts anybody. So I set up a DropChat Server:
[email protected]:~$ dropchat * Connecting to tor * Creating ephemeral hidden service, this may take a minute or two * Started a new hidden service with the address of lwghtppxkjflq7nz.onion * Our service is available at: lwghtppxkjflq7nz.onion/n3tcZnI3QHfZ5URDDiZbz4Zecia1cXFpKUPMurxsCW44xw7FYtOkA6pzOH6EaFlh , press ctrl+c to quit * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
Notice all I had to do to setup the server is type the
dropchat command in my terminal and voila, I have a chat server. Now I share the .onion URL (with the path) for my two non-trusted friends, connect to it myself and I have a disposable, secret chat where we can share information.
No information ever leaves the Tor network, so it (theoretically) cannot be man-in-the-middled or read by prying eyes.
Where to get it
DropChat Server can be found here: https://github.com/HyperionGray/dropchat with installation instructions.
There is no DropChat Client, as it is intended to be used with Tor Browser.
How it is Different
There's a couple of other well-known messaging systems that do similar, but slightly different things. First is Ricochet, a similar system that works through Tor in a peer-to-peer manner. The problem with Ricochet is it's a bit heavy-handed, you have to install a client, configure your own hidden service, add friends to a friends list, etc.
DropChat does everything for you, with one command (usage to come) it creates an ephemeral hidden service that you can use to share sensitive information with your friends. Everything happens through Tor, nothing is written to disk, and the only client you need is a Tor Browser. It is super simple.
Another kinda sorta semi-similar technology is Signal. Signal is a messenger that provides end-to-end encrypted messaging. It is awesome and you should install it on your mobile phone immediately. Signal hides what you send by, but does not hide who you send it to. DropChat is able to hide both. This does not mean it is in any way better than Signal, it just has a different use case (and is far less integrated with mobile). DropChat is a great supplement to something like Signal.
Some Cool Features
DropChat comes with a few safety and security features. First of all, you don't get to pick your username. A great way to get deanonymized is to reuse usernames, so DropChat chooses a random one for you.
DropChat Messages live for only 5 minutes before they are completely destroyed. Because everything lives in memory once the DropChat Server is stopped, no information remains on disk.
Because DropChat clients are just using Tor to connect, they can use it on any platform, Windows, OS X, even Mobile platforms as long as they have a Tor connection.
Just like any anonymity software, DropChat should be used carefully. There's nothing to stop a user from copy and pasting your entire conversation and saving it for later. There is also nothing stopping a DropChat Server from being modified to attempt to deanonymize you, which is why we recommend turning off JS and not accepting any HTML5 or other warnings you get. DropChat should not give you any warnings upon use as a client, and if it does, someone is trying to fuck with you. Disconnect immediately.
DropChat is still in its early stages. It purposefully is meant to look very "bare bones" to reflect its philosophy and we'd love to hear your thoughts! For any bugs or feature requests open up an issue in gitlab or hit me up on Twitter at @DotSlashPunk.