ScatterChat - secure, anonymous, free, cross-platform Instant Messaging client

ScatterChat is a new cross-platform IM client announced by the Cult of the Dead Cow / Hacktivismo (at the HOPE conference, it seems).

From the website:

ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory. It is also useful in corporate settings, or in other situations where privacy is desired.

It is a secure instant messaging client (based upon the Gaim software) that provides end-to-end encryption, integrated onion-routing with Tor, secure file transfers, and easy-to-read documentation.

Its security features include resiliency against partial compromise through perfect forward secrecy, immunity from replay attacks, and limited resistance to traffic analysis... all reinforced through a pro-actively secure design.

So the client is a "friendly fork" of Gaim; it uses Tor for anonymity, and for the crypto parts (secure messaging, secure file transfer) it uses libgcrypt.

It's a cross-platform application available for Linux and Windows; support for other OSes (Mac OS X among them) is planned.

You can always download the source code, of course, as it's free software. Actually, not quite. Since ScatterChat itself is based on the GPL'd Gaim, it has to be GPL'd too. However, the scatterchat-module package, which seems to contain the crypto parts, is currently licensed under a custom "Hacktivismo Enhanced-Source Software License Agreement" (HESSLA), which is so horribly long I didn't even bother reading it.

However, the README says:

I am open to the possibility of re-licensing parts of this library to GPL, BSD, public domain, or some other license. I cannot make any promises, but I will try to accommodate reasonable requests.

I'm going to do just that: email the author and ask him nicely to change the license to some sane, well-known free software license. If you feel the same, please let the author know (hint, hint). Depending on what the HESSLA really says, it might keep ScatterChat out of Debian, for example.

I haven't yet tried to use the application, but it sure looks like it has a lot of potential. It also seems to do most security-related things right:

  • it doesn't try to reinvent/reimplement its own crypto primitives (which would be doomed to fail), but rather uses libgcrypt
  • it has a documented crypto protocol
  • it's free software, which is a major requirement (see Kerckhoffs' principle)
  • it doesn't reinvent the wheel, but rather uses Tor for anonymity (for example)
  • etc. etc.

Of course that's no guarantee that it's secure; I hope some crypto-gurus look over it soon. But at least they didn't make obvious stupid mistakes we've all seen in many other pieces of software.

Anyways, I feel this is a really important project which will help lots of people (activists, political dissidents, normal people like me and you who value their privacy). Go check it out!

(via Boing Boing)



Can it be trusted?

As network security advances, hackers are climbing up too. You never know which is really secure.

Try it, it is anonymous and clientless

A true anonymous community and personal instant message and chat.
It can be a tool for web masters and for personal use.
No need to download a client and no login.
Just press it
and talk to others.

GPL-incompatible; software not distributable

The HESSLA conflicts with the GPL, and includes provisions many consider non-free, including the GNU project; see . It very clearly fails DFSG 6 by adding a use restriction. Furthermore, since Gaim falls under the GPL, nobody can legally distribute HESSLA-licensed Gaim plugins.


Yes, that's what I feared. The only hope is to convince the author to relicense the code under the GPL or similar...


It is now licensed in both HESSLA and GPL, according to the website.

Wrong crypto. *sigh*.

Nice project, except they are doing the cryptography so wrong. OTR was the way to go, we don't need yet another way to use non-deniable signatures in an IM.
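To make the comment's point concrete, here is an added illustration (not code from ScatterChat or OTR) of the difference between a non-deniable signature and the deniable, shared-key MAC authentication that OTR uses. The HMAC side is real HMAC-SHA256; the signature side is textbook RSA with tiny fixed primes (p = 61, q = 53), which is a toy chosen only so the example runs offline and provides no security. The message and session key are constructed sample values.

```python
"""Deniable (shared-key MAC) versus non-deniable (signature) authentication.

Added illustration, not ScatterChat's or OTR's code. HMAC-SHA256 stands in for
OTR's MAC; textbook RSA with toy parameters stands in for a real signature.
"""
import hashlib
import hmac

# Toy RSA key for Alice: n = 61 * 53, and e*d == 1 (mod lcm(60, 52)).
# Illustrative only; these numbers are trivially factored.
ALICE_N, ALICE_E, ALICE_D = 3233, 17, 2753

# Constructed sample inputs (not from any real transcript).
SAMPLE_MSG = b"meet at the usual place, 21:00"
SAMPLE_KEY = hashlib.sha256(b"constructed shared session key").digest()


def _digest_int(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into Z_n so the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(msg: bytes, n: int, d: int) -> int:
    """Textbook RSA signature: only the holder of the private exponent d can produce it."""
    return pow(_digest_int(msg, n), d, n)


def rsa_verify(msg: bytes, sig: int, n: int, e: int) -> bool:
    """Anyone holding the public key (n, e) can check the signature."""
    return pow(sig, e, n) == _digest_int(msg, n)


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag: every holder of `key` can both produce and verify it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)


def signed_transcript(msg: bytes) -> dict:
    """Alice signs. Bob and a judge verify with her public key alone."""
    sig = rsa_sign(msg, ALICE_N, ALICE_D)
    return {
        "bob_verifies": rsa_verify(msg, sig, ALICE_N, ALICE_E),
        # The judge needs nothing beyond what Bob can hand over: the signature
        # itself proves Alice's private key was used. That is non-repudiation.
        "judge_verifies": rsa_verify(msg, sig, ALICE_N, ALICE_E),
        # Bob has no private key, so the most he can do is reuse Alice's
        # signature on a message she never sent; it does not verify.
        "sig_reused_on_other_msg": rsa_verify(msg + b"?", sig, ALICE_N, ALICE_E),
    }


def mac_transcript(msg: bytes, shared_key: bytes) -> dict:
    """Alice MACs. Bob verifies, but Bob holds the same key and can forge freely."""
    alice_tag = mac_tag(shared_key, msg)
    # Bob recomputes a byte-identical tag over Alice's message...
    bob_copy = mac_tag(shared_key, msg)
    # ...and can also fabricate a message Alice never sent, with a valid tag.
    fabricated = b"I admit everything"
    bob_forged_tag = mac_tag(shared_key, fabricated)
    return {
        "bob_verifies": mac_verify(shared_key, msg, alice_tag),
        # Shown the key and the transcript, a judge cannot tell Alice's tags
        # from Bob's, so the transcript proves nothing about who wrote what.
        "bob_can_forge_identical_tag": alice_tag == bob_copy,
        "bob_forged_msg_verifies": mac_verify(shared_key, fabricated, bob_forged_tag),
    }


if __name__ == "__main__":
    print("signature:", signed_transcript(SAMPLE_MSG))
    print("mac:      ", mac_transcript(SAMPLE_MSG, SAMPLE_KEY))
```

The signature result is the one the comment objects to: once Alice has signed, anyone with her public key can prove to a third party that she wrote the message. With the MAC, Bob can produce tags indistinguishable from Alice's (including tags on text she never wrote), so the transcript carries no proof of authorship; OTR goes a step further by publishing old MAC keys after use, so even an outsider could have forged them.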

Yes, but...

The right choice should fall on GNUnet, which could provide complete crypto and deniable "level 3 anonymity" (no one knows who the origin, the destination or the intermediary is). As a matter of fact there are plans for a gnunet-chat implementation, but unfortunately there's a lack of coders for that... Maybe because all of them are looking at Tor.

I haven't looked at OTR too

I haven't looked at OTR too closely (nor at ScatterChat) - what are the advantages and disadvantages of each? It's probably too early, but a thorough comparison would be nice...


OTR will give you crypto but not anonymity.