[messaging] Exposing MITM attacks socially engineered through group chat introductions

Jeff Burdges burdges at gmail.com
Sat Jan 31 17:53:24 PST 2015

On 31 Jan 2015, at 13:16, carlo von lynX <lynX at i.know.you.are.psyced.org> wrote:
> The idea of having a Pond public fingerprint doesn't sound good
> to me either, but I haven't thought it through. The dangers of
> social infiltration are probably minor compared to the risk of
> deanonymization and categorization of Pond users.

It’s slightly technical.  Pond has two public key pairs:
- Pond mailboxes are identified by a (public) identity key, which authenticates revoking group signature generations and afaik downloading message ciphertext.
- Pond's ratchet uses a public (message/ratchet) key that the server never sees.

In v1, these two key pairs are completely unrelated.  In v2, the identity key is derived from the public key, but this change can be rolled back since v2 is not yet deployed.  Instead, v2 could contain a signature of the identity key by the public key.

If the identity key is *not* derived from the public key, then a sha256 of the public key is safe to publish because there is no data the server relates to it, well, except via your system’s random number generator.  It’s always bad to publish your identity key since doing so enables traffic analysis, encourages adversaries to hack pond servers, etc.

Now you should maybe not publish your key’s fingerprint if you imagine your pond being seized one day, but that’s a threat model decision users can make for themselves.  And such users must worry about many issues like contacts using real names in their pond state file, etc. 

Anyways, the problem with the current situation is: If we do not identify a “fingerprint” that’s safe to publish, then users imagine they can publish the identity key, the public key, or both.

This is not an academic discussion, multiple savvy users have told me they assumed they could publish both. 
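
The key relationships discussed in this message, as an added example that is not part of the original post and is not Pond's own code. It uses Ed25519 as a stand-in for Pond's key types (an assumption), generates the identity key and the message/ratchet key independently (the v1 situation), computes the proposed fingerprint as SHA-256 of the public message key, and binds the identity key with a signature by the message key (the alternative v2 proposal). `DeriveIdentity` is a hypothetical derivation, identity seed = SHA-256(public message key), used only to show why a derived identity key lets anyone who learns the published public key link it to what the server sees; it is not Pond's actual v2 construction.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mailbox holds the two key pairs the message describes: an identity key the
// server sees, and a message (ratchet) key the server never sees.
type Mailbox struct {
	IdentityPub  ed25519.PublicKey
	IdentityPriv ed25519.PrivateKey
	MessagePub   ed25519.PublicKey
	MessagePriv  ed25519.PrivateKey
}

// NewIndependentMailbox generates the two key pairs with no relation between
// them, the v1 situation.
func NewIndependentMailbox() (*Mailbox, error) {
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	msgPub, msgPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Mailbox{idPub, idPriv, msgPub, msgPriv}, nil
}

// DeriveIdentity is a HYPOTHETICAL derivation (assumption, not Pond's
// construction): the identity seed is SHA-256 of the public message key.
func DeriveIdentity(messagePub ed25519.PublicKey) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256(messagePub)
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// NewDerivedMailbox models "identity key derived from the public key".
func NewDerivedMailbox() (*Mailbox, error) {
	msgPub, msgPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	idPub, idPriv := DeriveIdentity(msgPub)
	return &Mailbox{idPub, idPriv, msgPub, msgPriv}, nil
}

// Fingerprint is the proposed publishable value: SHA-256 of the public
// message key, hex encoded. The server never holds the message key.
func Fingerprint(messagePub ed25519.PublicKey) string {
	sum := sha256.Sum256(messagePub)
	return hex.EncodeToString(sum[:])
}

// MatchesFingerprint is the check a contact runs after learning the public
// message key through an introduction.
func MatchesFingerprint(fp string, messagePub ed25519.PublicKey) bool {
	return fp == Fingerprint(messagePub)
}

// BindIdentity signs the identity key with the message key, so a contact who
// verified the fingerprint can also verify which mailbox belongs to it.
func BindIdentity(mb *Mailbox) []byte {
	return ed25519.Sign(mb.MessagePriv, mb.IdentityPub)
}

// VerifyBinding checks the signature against the message key.
func VerifyBinding(messagePub, identityPub ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(messagePub, identityPub, sig)
}

// LinkableByDerivation: given an identity key observed server-side and a public
// message key someone published, does recomputing the hypothetical derivation
// tie the two together? With independent keys it never does.
func LinkableByDerivation(serverSeenIdentity, publishedMessagePub ed25519.PublicKey) bool {
	derived, _ := DeriveIdentity(publishedMessagePub)
	return bytes.Equal(derived, serverSeenIdentity)
}

func main() {
	ind, _ := NewIndependentMailbox()
	der, _ := NewDerivedMailbox()
	fmt.Println("fingerprint:", Fingerprint(ind.MessagePub))
	fmt.Println("binding verifies:", VerifyBinding(ind.MessagePub, ind.IdentityPub, BindIdentity(ind)))
	fmt.Println("independent keys linkable:", LinkableByDerivation(ind.IdentityPub, ind.MessagePub))
	fmt.Println("derived keys linkable:", LinkableByDerivation(der.IdentityPub, der.MessagePub))
}
```

The fingerprint alone reveals nothing the server can correlate when the keys are independent; the linkage only appears once a user publishes the public key itself and the identity key is a function of it, which is exactly the assumption the message says users are making.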

