End-to-End Encryption and purple-facebook

[jeremyp3]

for several weeks now, facebook has been rolling out end-to-end encryption on messenger for all conversations.

when this end-to-end encryption is activated on a conversation, you can no longer interact with it from your pidgin. you no longer receive messages concerning it, and when you try to send a message, you receive an error from facebook: "Failed to send message".

when using the messenger application, there doesn't seem to be a way to disable this end-to-end encryption, or else I haven't found it...

in any case, I'm noting it here, because in my opinion, this will make the plugin obsolete if end-to-end encryption becomes even more widespread...

[Metalhead33]

We need some kind of fix. I wonder if there is a Facebook API for this.

[swinokur]

I've been having issues connecting to FB via both Pidgin and Miranda-NG for several days. I'm wondering if it has something to do with end to end encryption (or if it is perhaps just FB deciding to be weird for my account). I certainly didn't go and turn e2e on myself!

[swinokur]

(there's also an issue for e2e open at Miranda: https://github.com/miranda-ng/miranda-ng/issues/4169)

[gergof]

Here's a whitepaper describing how E2E encryption works in Messenger: https://engineering.fb.com/wp-content/uploads/2023/12/MessengerEnd-to-EndEncryptionOverview_12-6-2023.pdf

It might be a good starting point for implementing this.

[Metalhead33]

So, no solution so far, eh?

[advcomp2019]

Just yesterday, Facebook wanted to me to enable E2E encryption, and now I kept on getting "Failed to send message" from Pidgin.

Beyond that, it seems to get the friends list tho.

[advcomp2019]

I just found out something by accident. Someone that does not have E2E encryption enable, it will still work just fine. While someone with E2E encryption enabled, this is just useless.

[jeremyp3]

Yes, I can confirm this. Conversations that don't have E2E activated work perfectly normally.

that's the problem :)

[TheBense]

subscribing

[Metalhead33]

This plugin has no maintainer though. And there are no forks under active development.

[DMJC]

I'm actively developing a fork now. I have the code building in Meson and am trying to figure out how to integrate the token scripts. Anyone who can explain the field names and data structures would be greatly appreciated.

[DMJC]

ok, the e2e is using signal and there is a working signal plugin for libpurple...

[usvi]

I'm actively developing a fork now. I have the code building in Meson and am trying to figure out how to integrate the token scripts. Anyone who can explain the field names and data structures would be greatly appreciated.

I got the token stuff automated in bitlbee-facebook. Food for thought: https://github.com/bitlbee/bitlbee-facebook/pull/220

If you want to ask questions on IRC, I'm on Libera as usvi Update: I saw your message, unfortunately I am travelling and was unable to reply. Normally will check IRC quite often during the business hours of Finland timezone.

[Malvineous]

there is a working signal plugin for libpurple...

If you mean hoehermann/purple-signald then it's just an interface to a locally running signald instance, it doesn't seem to handle the protocol itself at all.

[DMJC]

I've been trying to get the Bitlbee code integrated into the plugin, I need some assistance with the structures in libpurple purpleconnection in particular. My git repo hasn't got the integrations committed, my local copy compiles but won't link atm due to some broken functions. I'm not sure if I should start again with guidance, or just clean up what I've done so far. I might commit my current changes to their own branch if someone is interested in looking at it.

[DMJC]

My repository can't login with 2FA, I hit the limits of my programming ability. I did modernise the repo and get it building with Meson. I also scrapped the patch files/mercurial repository and merged in most of the bitlbee code. If someone would like to fork and work on it I'd support those efforts. I've also got yaml automation setup so my repo can generate CI Builds. The repo is here: https://github.com/DMJC/purple-facebook

[Metalhead33]

My repository can't login with 2FA, I hit the limits of my programming ability. I did modernise the repo and get it building with Meson. I also scrapped the patch files/mercurial repository and merged in most of the bitlbee code. If someone would like to fork and work on it I'd support those efforts. I've also got yaml automation setup so my repo can generate CI Builds. The repo is here: https://github.com/DMJC/purple-facebook

@DMJC Afaik 2FA was never properly implemented: we always had to use workarounds, such as the one shown in #445

At least, that's what I have always done.

[debmanlinux]

As of May 5th, I am having exactly the same problem. Pidgin starts & shows Facebook Friends. However when I try to send a message I get "Disconnected, failed to send message". After a short time, it reconnects, but the same thing happens when I try to send again. Even when end-to-end encryption was not enabled, I had the problem that Pidgin would not send.

[DMJC]

We need to fix 2fa and implement end to end encryption.

On Mon, 6 May 2024, 6:12 am debmanlinux, @.***> wrote:

As of May 5th, I am having exactly the same problem. Pidgin starts & shows Facebook Friends. However when I try to send a message I get "Disconnected, failed to send message". After a short time, it reconnects, but the same thing happens when I try to send again. Even when end-to-end encryption was not enabled, I had the problem that Pidgin would not send.

— Reply to this email directly, view it on GitHub https://github.com/dequis/purple-facebook/issues/547#issuecomment-2094943676, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFS2YZLMWK52AJA5LNSIITZA2KVFAVCNFSM6AAAAABCX6BG6OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJUHE2DGNRXGY . You are receiving this because you were mentioned.Message ID: @.***>

[TheBense]

If I contribute some cash will it grease the wheels on development?

[DMJC]

Sorry, I just don't have the skill for it. If someone else wants to pick it up please do. I'm happy to assist with testing and providing info on what I've done so far.

On Mon, 20 May 2024, 11:55 pm Andrew T Bense, @.***> wrote:

If I contribute some cash will it grease the wheels on development?

— Reply to this email directly, view it on GitHub https://github.com/dequis/purple-facebook/issues/547#issuecomment-2120571681, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFS2Y36V5T4J2R5EWRYUV3ZDIBXNAVCNFSM6AAAAABCX6BG6OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMRQGU3TCNRYGE . You are receiving this because you were mentioned.Message ID: @.***>

[debmanlinux]

Is it possible that Eion Robb could help? He seems to do a few Pidgin plugins. https://github.com/EionRobb/

[TheBense]

Is it possible that Eion Robb could help? He seems to do a few Pidgin plugins. https://github.com/EionRobb/

Who's gonna start a GoFundMe for Eion?

[MP36ctrl]

If it helps to find a solution for Miranda NG i would be willing to chip in

[swinokur]

Hey all, just thought I'd mention beeper and their "bridge" to meta as a potential solution path to some sort of implementation in Pidgin? https://github.com/dequis/purple-facebook/issues/549#issuecomment-2148031690

[debmanlinux]

More info: I created a new username for Facebook, logged in & did NOT enable end to end encryption. This works OK. However on opening Chrome or Brave browsers, now getting "Disconnected. Unknown HTTP error". Then up pops a couple of notices asking me to accept certificates. As soon as they're accepted, I can connect again.

[TheBense]

A large amount of my contacts which I've previously messaged a while ago, there's no E2E encryption until after a handful of recent messages get exchanged.

Also, I'm telling Zuck that you created an alt account😆

[tommac-git]

pls 😥

[tommac-git]

ps. i would chip $ in for this also. Pidgin is the only way for me to feel like a young scamp on MSN still. I even hacked the app resources to bring back the sounds and icons lol

[DMJC]

This is my repository: https://github.com/DMJC/purple-facebook it has pidgin-facebook configured to build with Meson. I would start by forking that and hacking on it. The dequis repository has an integration with Mercurial and is a pain to update/patch with new changes.

On Thu, 13 Jun 2024 at 15:21, tommac-git @.***> wrote:

ps. i would chip in for this also. Pidgin is the only way for me to feel like a young scamp on MSN still. I even hacked the app resources to bring back the sounds and icons lol image.png (view on web) https://github.com/dequis/purple-facebook/assets/147358941/48727c9f-2def-42bd-bcc9-976396077a28

— Reply to this email directly, view it on GitHub https://github.com/dequis/purple-facebook/issues/547#issuecomment-2164477024, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFS2Y3B7ZFCSW4MYBAZN2DZHEXO3AVCNFSM6AAAAABCX6BG6OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNRUGQ3TOMBSGQ . You are receiving this because you were mentioned.Message ID: @.***>

[debmanlinux]

Sometimes getting other popups

[joonas-foo]

This is my repository: https://github.com/DMJC/purple-facebook it has pidgin-facebook configured to build with Meson. I would start by forking that and hacking on it. The dequis repository has an integration with Mercurial and is a pain to update/patch with new changes.

That's great to hear! Have you corrected the problem of being not able to send messages (because of end-to-end encryption)? Also, please fix the need for hex editing as described here: https://github.com/dequis/purple-facebook/issues/311 . I also get that 'Accept certificate for graph.facebook.com' -error from time to time, maybe it could be patched by adding an auto-accept option for it if you can't think of something else?

[maraakate]

I must be honest... I love Gaim/Pidgin and have used it for literally 20 years. With AIM, ICQ and MSN being irrelevant and no longer operating the main reason for me to use it is Facebook. This worked well for a number of years until things have been changing more and more recently. As the internet turns more and more towards a focus on security older things are being locked out and delegated to the past.

I am a developer myself and I don't blame dequis or the pidgin team for the lack of progress on this. Maybe they don't have the experience or skills necessary to implement this, or maybe they do and it's too much work and they just are not interested any more. This is OK. I'm reaching a point where I think it's safe to say that Pidgin is mostly used out of nostalgia and it's not going to work on anything relevant any more on a desktop even though I'd like it to be. It made sense 20 years ago to constantly reverse engineer what AIM, ICQ and MSN were doing because a lot of people wanted to use this stuff. Now everyone has a phone or table and normal people could care less about a good desktop experience especially when Chrome rules the web and you can just get FB Messenger alerts right in the browser!

Hats off to all the developers of Gaim/Pidgin over the years. It's been a mainstay of every OS install for 20 years. I'll keep it up and running as long as I can, despite not being able to do any actual messaging on it.

[TheBense]

I must be honest... I love Gaim/Pidgin and have used it for literally 20 years. With AIM, ICQ and MSN being irrelevant and no longer operating the main reason for me to use it is Facebook. This worked well for a number of years until things have been changing more and more recently. As the internet turns more and more towards a focus on security older things are being locked out and delegated to the past.

I am a developer myself and I don't blame dequis or the pidgin team for the lack of progress on this. Maybe they don't have the experience or skills necessary to implement this, or maybe they do and it's too much work and they just are not interested any more. This is OK. I'm reaching a point where I think it's safe to say that Pidgin is mostly used out of nostalgia and it's not going to work on anything relevant any more on a desktop even though I'd like it to be. It made sense 20 years ago to constantly reverse engineer what AIM, ICQ and MSN were doing because a lot of people wanted to use this stuff. Now everyone has a phone or table and normal people could care less about a good desktop experience especially when Chrome rules the web and you can just get FB Messenger alerts right in the browser!

Hats off to all the developers of Gaim/Pidgin over the years. It's been a mainstay of every OS install for 20 years. I'll keep it up and running as long as I can, despite not being able to do any actual messaging on it.

You started using gaim / pidgin when you were between the age of 5 and 8?

[maraakate]

I must be honest... I love Gaim/Pidgin and have used it for literally 20 years. With AIM, ICQ and MSN being irrelevant and no longer operating the main reason for me to use it is Facebook. This worked well for a number of years until things have been changing more and more recently. As the internet turns more and more towards a focus on security older things are being locked out and delegated to the past. I am a developer myself and I don't blame dequis or the pidgin team for the lack of progress on this. Maybe they don't have the experience or skills necessary to implement this, or maybe they do and it's too much work and they just are not interested any more. This is OK. I'm reaching a point where I think it's safe to say that Pidgin is mostly used out of nostalgia and it's not going to work on anything relevant any more on a desktop even though I'd like it to be. It made sense 20 years ago to constantly reverse engineer what AIM, ICQ and MSN were doing because a lot of people wanted to use this stuff. Now everyone has a phone or table and normal people could care less about a good desktop experience especially when Chrome rules the web and you can just get FB Messenger alerts right in the browser! Hats off to all the developers of Gaim/Pidgin over the years. It's been a mainstay of every OS install for 20 years. I'll keep it up and running as long as I can, despite not being able to do any actual messaging on it.

You started using gaim / pidgin when you were between the age of 5 and 8?

What? No, I'm 36 years old so I was about 15-16 years old. Actually it was a bit earlier because I first found out about Gaim when I was trying out Mandrake and Red Hat Linux. I was about 13 then because I distinctly remember other life events at that time.

Where did you get the 5-8?

[DMJC]

I haven't got E2E implemented, but I have fixed sign-in issues. https://github.com/DMJC/purple-facebook Meson Building is working. clone the repo cd into the folder, run: meson build; cd build; ninja; ninja install

[DMJC]

If you want to ask questions on IRC, I'm on Libera as usvi Update: I saw your message, unfortunately I am travelling and was unable to reply. Normally will check IRC quite often during the business hours of Finland timezone.

I was able to get your code working/intetgrated into Pidgin. My MFA logins now work. I don't enter a code, I just tell Facebook that I was trying to login and it connects now. Do you have any information about the end to end encryption? I've found documents on LibSignal, I think the first thing to do is build a handler/identifier for chats that need encryption, then figure out howto implement/support the encryption. We should at least be able to make the client flag a user's chats as encrypted so we don't crash out when trying to start a chat.

[TheBense]

I must be honest... I love Gaim/Pidgin and have used it for literally 20 years. With AIM, ICQ and MSN being irrelevant and no longer operating the main reason for me to use it is Facebook. This worked well for a number of years until things have been changing more and more recently. As the internet turns more and more towards a focus on security older things are being locked out and delegated to the past. I am a developer myself and I don't blame dequis or the pidgin team for the lack of progress on this. Maybe they don't have the experience or skills necessary to implement this, or maybe they do and it's too much work and they just are not interested any more. This is OK. I'm reaching a point where I think it's safe to say that Pidgin is mostly used out of nostalgia and it's not going to work on anything relevant any more on a desktop even though I'd like it to be. It made sense 20 years ago to constantly reverse engineer what AIM, ICQ and MSN were doing because a lot of people wanted to use this stuff. Now everyone has a phone or table and normal people could care less about a good desktop experience especially when Chrome rules the web and you can just get FB Messenger alerts right in the browser! Hats off to all the developers of Gaim/Pidgin over the years. It's been a mainstay of every OS install for 20 years. I'll keep it up and running as long as I can, despite not being able to do any actual messaging on it.

You started using gaim / pidgin when you were between the age of 5 and 8?

What? No, I'm 36 years old so I was about 15-16 years old. Actually it was a bit earlier because I first found out about Gaim when I was trying out Mandrake and Red Hat Linux. I was about 13 then because I distinctly remember other life events at that time.

Where did you get the 5-8?

I figured that the only way that you could possibly have such a defeatist attitude was that you were part of this younger generation that knows nothing about having to buckle down and work due to becoming acclimated to Oprah participation trophies 🏆🌟

[maraakate]

Wow, I wonder who you're going to vote for boomer?

Anyways, it's a lot of work to develop anything that a lot of people use and clearly the original author of this plugin has lost interest, busy, unmotivated, etc. And until apparently yesterday nobody has stepped up to the plate. Lots of FOSS projects peter out at some point because nobody is maintaining them anymore. Less and less people are using desktops for personal use. I'm talking about the average person here, not gamers or "enthusiasts".

[greatquux]

doesn't matter how you are (or feel), a lot of people from all over appreciate faster software. electron-based fat clients are still slow even on the fastest machines. pidgin is fast and simple and easy to use and that's why i use it with WhatsApp, Teams, Skype, and hopefully soon again the Facebook plugin.

[debmanlinux]

greatquux

doesn't matter how you are (or feel), a lot of people from all over appreciate faster software. electron-based fat clients are still slow even on the fastest machines. pidgin is fast and simple and easy to use and that's why i use it with WhatsApp, Teams, Skype, and hopefully soon again the Facebook plugin.

Totally agree!

[zevelorgani]

With all due respect, most people value functionality over speed.

I do not find Discord running in a Firefox tab to be noticeably slow on my aging Lenovo T460 laptop. I do find the Pidgin Discord plugin to be unacceptably buggy and lacking in functionality.

If it takes me 5 seconds to type a message, I don't care that sending it takes 20ms longer. I do care when I lose incoming messages, get temp bans due to excessive requests, Pidgin crashes overnight, cannot easily use threads, emojis, tags, tagged responses, et cetera, et cetera, et cetera...

[maraakate]

With all due respect, most people value functionality over speed.

I do not find Discord running in a Firefox tab to be noticeably slow on my aging Lenovo T460 laptop. I do find the Pidgin Discord plugin to be unacceptably buggy and lacking in functionality.

If it takes me 5 seconds to type a message, I don't care that sending it takes 20ms longer. I do care when I lose incoming messages, get temp bans due to excessive requests, Pidgin crashes overnight, cannot easily use threads, emojis, tags, tagged responses, et cetera, et cetera, et cetera...

And this is the problem. As much as I'd love for it to just work it's pretty clear at this point the original developer has moved on. A shame as I'd love to use Pidgin on the desktop instead of browser tabs or phone apps but this is how it must be.

[TheBense]

Does anyone know what the specific reason, as to why this is difficult to implement?

Does it specifically pertain to adding encryption to the facebook plugin?

[maraakate]

Does anyone know what the specific reason, as to why this is difficult to implement?

Does it specifically pertain to adding encryption to the facebook plugin?

I believe so yes, and the way it works keeps changing and nobody wants to keep up with it.

[DMJC]

The issue with End to End encryption isn't that it keeps changing, the issue is that it's specialist knowledge around cryptography. I am a pretty basic C/C++ Programmer, I don't know all the patterns professional developers use or a lot of the designs. I didn't need to. To implement the MFA all I had to do was take existing Bitlbee code and integrate it into the Purple Facebook plugin code. It was pretty simple to do. To add end to end encryption I would need to learn signal protocol, reverse engineer the facebook protocol to understand how it encapsulates the encrypted data. Then I'd have to implement the encryption. From everything I can find online Facebook is not constantly changing the encryption, they've implemented Signal on top of the MQTT/JSON Facebook protocol and that's it. The problem is very few people understand encryption to program for it. Even fewer know howto reverse engineer a network protocol.

If Bitlbee implements the end to end encryption I would take a solid crack at getting the code into the Facebook purple plugin. But without a reference I can't really do anything.

There is very little documentation about the Facebook protocol outside of what Bitlbee and this plugin do. There's not much debug output in this plugin either, I would have to basically learn all about the Facebook protocol. It's not as straightforward as copy pasting 50 lines of code and modifying 2-4 function calls. (which is what the MFA required). If someone is up for the challenge I'd be happy to provide any assistance within my skillset to provide.

[TheBense]

Thank you DMJC. Pardon my ignorance, but does Bitlbee already support e2ee ?

[maraakate]

The issue with End to End encryption isn't that it keeps changing, the issue is that it's specialist knowledge around cryptography. I am a pretty basic C/C++ Programmer, I don't know all the patterns professional developers use or a lot of the designs. I didn't need to. To implement the MFA all I had to do was take existing Bitlbee code and integrate it into the Purple Facebook plugin code. It was pretty simple to do. To add end to end encryption I would need to learn signal protocol, reverse engineer the facebook protocol to understand how it encapsulates the encrypted data. Then I'd have to implement the encryption. From everything I can find online Facebook is not constantly changing the encryption, they've implemented Signal on top of the MQTT/JSON Facebook protocol and that's it. The problem is very few people understand encryption to program for it. Even fewer know howto reverse engineer a network protocol.

If Bitlbee implements the end to end encryption I would take a solid crack at getting the code into the Facebook purple plugin. But without a reference I can't really do anything.

There is very little documentation about the Facebook protocol outside of what Bitlbee and this plugin do. There's not much debug output in this plugin either, I would have to basically learn all about the Facebook protocol. It's not as straightforward as copy pasting 50 lines of code and modifying 2-4 function calls. (which is what the MFA required). If someone is up for the challenge I'd be happy to provide any assistance within my skillset to provide.

Sounds like we're around the same skillset in regards to crypto. I know enough to implement from libraries when needed for projects, but reverse engineering it and all that math, rounds, etc. around it I have no clue. The problem is something like that is specialized and a person who would be good enough to do has better things to do.

[TheBense]

The issue with End to End encryption isn't that it keeps changing, the issue is that it's specialist knowledge around cryptography. I am a pretty basic C/C++ Programmer, I don't know all the patterns professional developers use or a lot of the designs. I didn't need to. To implement the MFA all I had to do was take existing Bitlbee code and integrate it into the Purple Facebook plugin code. It was pretty simple to do. To add end to end encryption I would need to learn signal protocol, reverse engineer the facebook protocol to understand how it encapsulates the encrypted data. Then I'd have to implement the encryption. From everything I can find online Facebook is not constantly changing the encryption, they've implemented Signal on top of the MQTT/JSON Facebook protocol and that's it. The problem is very few people understand encryption to program for it. Even fewer know howto reverse engineer a network protocol. If Bitlbee implements the end to end encryption I would take a solid crack at getting the code into the Facebook purple plugin. But without a reference I can't really do anything. There is very little documentation about the Facebook protocol outside of what Bitlbee and this plugin do. There's not much debug output in this plugin either, I would have to basically learn all about the Facebook protocol. It's not as straightforward as copy pasting 50 lines of code and modifying 2-4 function calls. (which is what the MFA required). If someone is up for the challenge I'd be happy to provide any assistance within my skillset to provide.

Sounds like we're around the same skillset in regards to crypto. I know enough to implement from libraries when needed for projects, but reverse engineering it and all that math, rounds, etc. around it I have no clue. The problem is something like that is specialized and a person who would be good enough to do has better things to do.

The problem is something like that is specialized and [in MOST circumstances] a person [working professional career with this particular skill] who would be good enough to do (this) [usually] has better things to do.

There's also the possibility that there's /someone/ out there that has the skill set to do it, because they do it for fun, not funds, they don't care about much else, and might pursue something like this for any kind of reason.

The most advanced reverse engineering work I've done in my entire life, by a longshot was during a time period where I wouldn't have been able to maintain a part time job delivering pizza -- and the motivating factor behind my ambitious pursuits was ultimately because I was mad about some crazy girl that I was stupid enough to have ever pursued in the first place!

[maraakate]

The issue with End to End encryption isn't that it keeps changing, the issue is that it's specialist knowledge around cryptography. I am a pretty basic C/C++ Programmer, I don't know all the patterns professional developers use or a lot of the designs. I didn't need to. To implement the MFA all I had to do was take existing Bitlbee code and integrate it into the Purple Facebook plugin code. It was pretty simple to do. To add end to end encryption I would need to learn signal protocol, reverse engineer the facebook protocol to understand how it encapsulates the encrypted data. Then I'd have to implement the encryption. From everything I can find online Facebook is not constantly changing the encryption, they've implemented Signal on top of the MQTT/JSON Facebook protocol and that's it. The problem is very few people understand encryption to program for it. Even fewer know howto reverse engineer a network protocol. If Bitlbee implements the end to end encryption I would take a solid crack at getting the code into the Facebook purple plugin. But without a reference I can't really do anything. There is very little documentation about the Facebook protocol outside of what Bitlbee and this plugin do. There's not much debug output in this plugin either, I would have to basically learn all about the Facebook protocol. It's not as straightforward as copy pasting 50 lines of code and modifying 2-4 function calls. (which is what the MFA required). If someone is up for the challenge I'd be happy to provide any assistance within my skillset to provide.

Sounds like we're around the same skillset in regards to crypto. I know enough to implement from libraries when needed for projects, but reverse engineering it and all that math, rounds, etc. around it I have no clue. The problem is something like that is specialized and a person who would be good enough to do has better things to do.

The problem is something like that is specialized and [in MOST circumstances] a person [working professional career with this particular skill] who would be good enough to do (this) [usually] has better things to do.

There's also the possibility that there's /someone/ out there that has the skill set to do it, because they do it for fun, not funds, they don't care about much else, and might pursue something like this for any kind of reason.

The most advanced reverse engineering work I've done in my entire life, by a longshot was during a time period where I wouldn't have been able to maintain a part time job delivering pizza -- and the motivating factor behind my ambitious pursuits was ultimately because I was mad about some crazy girl that I was stupid enough to have ever pursued in the first place!

Right, sorry for the extremes. But, yes. I have written some good code that I have released and done for free during periods of unemployment.