Originally called Torsion IM, Ricochet was renamed in June 2014. Ricochet is a modern alternative to TorChat, which hasn't been updated in several years, and to Tor Messenger, which is discontinued. On September 17, 2014, a Wired article by Kim Zetter announced that the Invisible.im group would be working with Brooks on further development of Ricochet. Zetter also wrote that Ricochet's future plans included a protocol redesign and file-transfer capabilities. The protocol redesign was implemented in April 2015. In February 2016, Ricochet's developers made public a security audit that had been sponsored by the Open Technology Fund and carried out by the NCC Group in November 2015. The results of the audit were "reasonably positive". The audit identified "multiple areas of improvement" and one vulnerability that could be used to deanonymize users. According to Brooks, the vulnerability has been fixed in the latest release.
Technology
Ricochet is a decentralized instant messenger, meaning there is no server to connect to and share metadata with. Further, using Tor, Ricochet starts a Tor hidden service locally on a person's computer and can communicate only with other Ricochet users who are also running their own Ricochet-created Tor hidden services. This way, Ricochet communication never leaves the Tor network. A user screen name is auto-generated upon first starting Ricochet; the first half of the screen name is the word "ricochet", with the second half being the address of the Tor hidden service. Before two Ricochet users can talk, at least one of them must privately or publicly share their unique screen name in some way.
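The screen name described above ties a contact to the hidden service's key, so a client can validate an ID before handing anything to Tor. The following is an added example, not Ricochet's own code: it assumes the `ricochet:` prefix followed by a 16-character v2-era onion address (base32 of the first 80 bits of the SHA-1 of the service's DER-encoded public key), and all function names and sample bytes are hypothetical.

```python
import base64
import hashlib
import re

# Assumed format: "ricochet:" + 16 base32 chars (a v2-era onion address).
_ID_RE = re.compile(r"ricochet:([a-z2-7]{16})")


def onion_label_from_key(der_public_key: bytes) -> str:
    """v2 onion label: base32 of the first 80 bits of SHA-1 over the DER key."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def format_contact_id(der_public_key: bytes) -> str:
    """Build the screen name: the word 'ricochet' plus the service address."""
    return "ricochet:" + onion_label_from_key(der_public_key)


def parse_contact_id(text: str) -> str:
    """Return the hidden-service hostname for a contact ID, or raise ValueError."""
    m = _ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not a well-formed Ricochet contact ID")
    return m.group(1) + ".onion"


def id_matches_key(contact_id: str, der_public_key: bytes) -> bool:
    """True only if the ID is well formed and was derived from this key."""
    try:
        host = parse_contact_id(contact_id)
    except ValueError:
        return False
    return host == onion_label_from_key(der_public_key) + ".onion"


# Constructed placeholder bytes standing in for two DER-encoded public keys.
KEY_A = b"constructed-sample-key-A"
KEY_B = b"constructed-sample-key-B"

if __name__ == "__main__":
    cid = format_contact_id(KEY_A)
    print(cid, "->", parse_contact_id(cid))
    print("matches A:", id_matches_key(cid, KEY_A))
    print("matches B:", id_matches_key(cid, KEY_B))
    for bad in ("ricochet:short", "ricochet:AAAAAAAAAAAAAAAA", "torchat:" + "a" * 16):
        print(repr(bad), "valid:", id_matches_key(bad, KEY_A))
```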
Privacy benefits
Ricochet does not reveal user IP addresses or physical locations because it uses Tor.
Message content is cryptographically authenticated and private.
There is no need to register anywhere, in particular with a fixed server, in order to use Ricochet.
Contact list information is stored locally, and it would be very difficult for passive surveillance techniques to determine whom the user is chatting with.
Ricochet does not save chat history. When the user closes a conversation, the chat log is not recoverable.
The use of Tor hidden services prevents network traffic from ever leaving the Tor network, thereby preserving anonymity and complicating passive network surveillance.
Ricochet is a portable application; users do not need to install any software to use it. Ricochet connects to the Tor network automatically.
Even though Ricochet uses Tor, other applications will not be using Tor unless the user has independently set up additional Tor services on their computer.
Active and passive surveillance techniques can still tell if the user is using the Internet, and when, but not necessarily what they are doing on the Internet.
Since a Ricochet user does not register or log in anywhere to use Ricochet, not even with a password, it is important to implement layered physical security, including disk encryption, to protect Ricochet. Ricochet applies no encryption to data at rest.