[messaging] Group messaging consistency under resource constraints

Trevor Perrin trevp at trevp.net
Thu Oct 16 10:37:08 PDT 2014


On Thu, Oct 16, 2014 at 9:53 AM, Ximin Luo <infinity0 at pwned.gg> wrote:
>
> There have been arguments that "typical transports don't work like this" and I gave TCP as a counterexample. Trevor also mentioned Pond, but actually this is an example in my favour - Pond delays *sent* messages to defeat some types of timing attack. Come on, this is pretty counterintuitive, but it is made essentially invisible to the user and its security reasoning is solid. So why not delay some *received* messages to defeat some types of consistency attack?

Messages in Pond are pairwise-encrypted, and different recipients may
have different mailbox servers.

Pond doesn't have a notion of group messages.  But if it did, I
imagine they would still have these properties (in particular, I
imagine users would *not* want to reveal to mailbox servers what
groups they are members of, since hiding relationships is the point of
Pond).  So if the sender goes offline, there's no-one else who can
re-transmit a lost message.

Dropped messages could easily arise, e.g. my network connection is
interrupted before I've sent my message to everyone in the group.

In that case, it seems obvious that the UI would have to tolerate
dropped messages.  Having a single dropped message prevent that
recipient from seeing the rest of the conversation doesn't seem
acceptable.

Trevor

