HackerLangs
TopNewTrendsCommentsPastAskShowJobs

jazzz

2 karmajoined 13 ปีที่แล้ว
<Things/>

comments

jazzz
·8 ชั่วโมงที่ผ่านมา·discuss
Based on what I understand about your use case, I'd suggest considering the following if looking to improve the security/privacy posture.

- A Hash style ratchet still works in your decentralized construction; Users ratchet a lamport timestamp, hash ratchet the next key. It still allows multiple messages to be sent with the same key if messages are sent simultaneously, but it's better than the approach where every message uses the same key. Ref: B

- There is real work on making Decentralized MLS work without requiring classic servers: (Disclosure: Not my work, but affiliated) https://lip.logos.co/anoncomms/raw/decentralized-mls-offchai.... It's far from ready, and It definitely adds more complexity, but provides the same server-less architecture without sacrificing on security. Ref: A+B+C

- Push not Pull: Query based interfaces are hard to protect from unmasking attacks. PubSub based peer to peer networks decouple the intended recipient from a message - Messages are broadcast which provides the necessary ambiguity about who the intended recipient is. Combined with P2P syncing for message durability. Ref: D

As you said, its all tradeoffs ¯\_(ツ)_/¯
jazzz
·9 ชั่วโมงที่ผ่านมา·discuss
Appreciate the clarity. It helps me focus without going off on a wild tangent. The durability/independence of the protocol being a primary driver makes sense, and aligns with the design.

> "no privileged party at all" > "The network should outlive the operator, function without it." I also believe these are absolute requirements for the future of groupchats. I'd argue for stronger requirements, but I'm definitely onboard here.

This protocol has strengths: 1) Per-sender buckets. This is a clever workaround for the downsides of client-side fanout, and provides reasonable sender identity decoupling. 2) Realistic membership limits. I think the number is quite low, but in general I love the willingness to draw a reasonable Schelling fence here. My criticism of MLS is that focusing on transport-level security in a 10k-person group chat seems rather moot — as the membership count grows, the largest risk comes from "inside" the group. Drawing a reasonable limit here, and basing scalability around it, makes sense. 3) It doesn't accept the status quo. Most protocols attempt to solve the whole world. Re-evaluating what's actually required from a feature set is a great approach to reducing complexity. 4) Static epoch key avoids the issues with state desynchronization due to dropped messages. Assuming the pairwise channel is reliable, this removes a whole host of problems. It's a security tradeoff, but I see the value.

> but none of them seem fundamental/unsolvable

I think this really depends on your requirements for privacy, throughput, and acceptable threat level. If the privacy and security models are targeted at financially motivated corporations selling data, then privacy may be adequate. Under an active attacker, I think some blockers start to emerge. It's hard to tell without a full spec, though, so I'll admit I could be fully off-base here.

You are correct to point out that holding a high security/privacy standard results in some complexity/performance trade off. In general I believe there is a baseline of privacy/security requirements which are "table-stakes" for modern messaging landscapes.

A) My team evaluated a similar approach for our latest messaging protocol; however, reaching group consensus through a single actor was a blocker to users recovering from compromise in a reasonable timeframe. With a group creator potentially offline for extended periods, there's no means to have a rapid response to a compromise. It may work depending on the model, but we were forced to pursue a model with multiple "creator" roles to address this.

B) Over the lifecycle of a group, the lack of forward secrecy would be a blocker to most definitions of privacy. Long-term confidentiality would be at risk given the inevitable compromise of keys. The real risk here is HNDL attacks, especially since messages are being broadcast over libp2p's DHT. One benefit of the construction cleverly alleviates the immediate need for post-quantum encryption, but without FS, harvested messages are still at risk from leaked keys.

C) Sender privacy is more important than recipient privacy. Posting outbound messages to an append log leaks significant metadata: users' online frequency and activity. In the face of timing or correlation attacks, this data would be catastrophic. From a design POV, it's hard to imagine workarounds (but very interested in potential designs).

D) Poll-based querying of messages `groups x members x not_closed_epochs` is hard to manage from a bandwidth and privacy perspective. If you assume 200 group chats (modest by current standards) with 10 members, that's 2000 queries every time a connection is dropped. Let's assume the requester identity is sufficiently masked; the query fingerprint will still be unique for each participant, leaking metadata/identity. While perhaps insignificant on its own, in aggregate this leads to complete unmasking and social graph reconstruction over time.

As you mentioned, there is "not free lunch" however ABCD are what I would consider baseline requirements for the future of groupchats, even if that means adding technical complexity.

> In return, we are getting our privacy back.

I'd suggest that this approach actually makes privacy worse. The query-based approach to message discovery will always leak some metadata through action. The cover traffic required to maintain k-anonymity pushes bandwidth utilization into unrealistic territory.

There's a school of thought that Moxie touches on in his [The Ecosystem is Moving](https://www.youtube.com/watch?v=DdM-XTRyC9c) talk (hotly debated in these circles). Given the same metadata, a user is better off trusting one centralized entity(X) rather than broadcasting it to the entire network(X+Everyone). Decentralization is a requirement for permissionlessness, censorship resistance, and data ownership; but if the only goal is "Privacy" it's categorically harmful. Minimizing metadata should be a priority for all privacy-focused protocols, centralized ones included.
jazzz
·21 ชั่วโมงที่ผ่านมา·discuss
I'm curious what the motivation is for the protocol being decentralized?

Being serverless is cool and all, but what makes it worth all the extra complexity and effort?

To me the future of decentralized group chats is focused on what's missing from platforms like WhatsApp, Telegram and WeChat: - Verifiable Sender and Conversation Privacy - Censorship Resistance / Permission-less operation - User ownership of their own messaging (no application lock-in) - Harvest Now, Decrypt Later (HNDL) protections

While maintaining a similar feature set: - Efficient scalable groups - Recovery from compromised/stolen devices - Accessible UX for non-technical users

All design work is managing trade offs, however this approach appears to make some serious concessions:

Sender & Social Graph Privacy: Queries in a DHT (like Kademlia) bind the requested key to the requester's IP/Node ID. This would allow the network to be able to reconstruct the social graph, and unmask group membership by associating who is querying for who.

Compromise Recovery: Users are unable to rotate their own keys without the creator being online. In the event a device/account is compromised, a user has no mechanism to stop attackers from posting messages on their behalf.

Additionally with the group size limits, lack of forward secrecy/post compromise security -

My question is, what makes this particular path worth it?