Description
When a (connected) peer communicates with an offline peer, encrypted (E2EE) messages are forwarded to the offline peer's discovery server (the one it trusts) via the online peer's server (to avoid unwanted IP sharing).
However, this system can be diverted to send messages to users who are not contacts. The IP is not shared (thanks to the logic above), but the message is NOT wanted by the end peer. Neither of the two trusted servers is aware of the peer's contact list. As a result, there are two ways to keep unwanted messages out of the inbox:
- The client receives all messages (even unwanted ones) from the server when it connects to the WebSocket, and processes them by deleting or archiving the unwanted ones;
- The client sends the list of hashed contacts to the server on connection, and the server automatically deletes unwanted messages; confidentiality is compromised, even if the server is trusted (1).
~~We should implement both systems but let the end peer choose, with the first one enabled by default (for privacy concerns).~~ The second option is a good compromise between privacy and security (against spam that would otherwise degrade performance).
(1) Since we send a hash of the contact vanity, transferring this data would not be compromising. BUT we MUST also hash the sender vanity on the sender's trusted server, and then transfer the whole message. A common hash algorithm between servers is mandatory.
E.g.:
(WRITING) Writer encrypts the message (client) => online peer's discovery server hashes the writer's vanity => transfers the message to the recipient's discovery server
(READING) Recipient connects to its discovery server => recipient sends the hashes of its contact list => server only sends messages whose sender hash matches one of those hashes => recipient client maps the hash back to the real vanity.
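The WRITING and READING paths above, as an added, self-contained simulation (this is example code written for this issue, not the project's implementation). Server names, the `DiscoveryServer`/`Client` classes, the canonicalisation rule (strip + lowercase) and the sample ciphertexts are all constructed assumptions; the E2EE layer is represented by opaque bytes. The demo also shows what happens when the two servers disagree on the hash algorithm.

```python
"""Added example: hash-filtered offline inbox for the two-server forwarding scheme.

The sender's discovery server replaces the sender vanity with a hash before
forwarding; the recipient's server releases a queued message only if that hash
appears in the hashed contact list the recipient client uploads on connection.
"""
import hashlib
from dataclasses import dataclass

HASH_ALG = "sha256"  # must be identical on every discovery server (assumed choice)


def vanity_hash(vanity: str, alg: str = HASH_ALG) -> str:
    """Canonicalise the vanity, then hash it, so both servers agree byte-for-byte."""
    return hashlib.new(alg, vanity.strip().lower().encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class QueuedMessage:
    sender_hash: str   # hashed on the sender's server; raw vanity never leaves it
    recipient: str     # recipient vanity, needed for routing on the recipient's server
    ciphertext: bytes  # opaque E2EE payload; servers cannot read it


class DiscoveryServer:
    def __init__(self, name: str, alg: str = HASH_ALG):
        self.name = name
        self.alg = alg
        self._inbox: dict[str, list[QueuedMessage]] = {}

    # WRITING path: an online peer of this server writes to an offline peer elsewhere.
    def forward(self, sender: str, recipient: str, ciphertext: bytes,
                recipient_server: "DiscoveryServer") -> None:
        msg = QueuedMessage(vanity_hash(sender, self.alg), recipient, ciphertext)
        recipient_server.enqueue(msg)  # recipient server sees neither sender IP nor vanity

    def enqueue(self, msg: QueuedMessage) -> None:
        self._inbox.setdefault(msg.recipient, []).append(msg)

    # READING path: the recipient connects and uploads the hashes of its contacts.
    def fetch(self, recipient: str, contact_hashes: set[str]) -> tuple[list[QueuedMessage], int]:
        queued = self._inbox.pop(recipient, [])
        wanted = [m for m in queued if m.sender_hash in contact_hashes]
        return wanted, len(queued) - len(wanted)  # second value: messages dropped as unwanted


class Client:
    def __init__(self, vanity: str, contacts: list[str]):
        self.vanity = vanity
        self.contacts = contacts

    def read_inbox(self, server: DiscoveryServer) -> tuple[list[tuple[str, bytes]], int]:
        # The hash -> real vanity table stays on the client; the server only gets the keys.
        table = {vanity_hash(c): c for c in self.contacts}
        wanted, dropped = server.fetch(self.vanity, set(table))
        return [(table[m.sender_hash], m.ciphertext) for m in wanted], dropped


def run_demo(alice_server_alg: str = HASH_ALG) -> tuple[list[tuple[str, bytes]], int]:
    """Alice (a contact of Bob) and Mallory (not a contact) both write to offline Bob."""
    server_a = DiscoveryServer("server-a", alg=alice_server_alg)  # Alice's and Mallory's server
    server_b = DiscoveryServer("server-b")                         # Bob's trusted server

    # Constructed sample ciphertexts; real ones come from the E2EE layer.
    server_a.forward("Alice", "bob", b"\x01 hello bob", server_b)
    server_a.forward("Mallory", "bob", b"\x02 buy now", server_b)

    bob = Client("bob", contacts=["alice", "carol"])
    return bob.read_inbox(server_b)


if __name__ == "__main__":
    print(run_demo())                         # only Alice's message is delivered, 1 dropped
    print(run_demo(alice_server_alg="md5"))   # algorithm mismatch: nothing delivered, 2 dropped
```

Running the module shows both outcomes: with matching algorithms Bob receives Alice's ciphertext and Mallory's is dropped on server-b before it ever reaches the client; with a mismatched algorithm on server-a even Alice's message is dropped, which is the concrete reason the common hash algorithm is mandatory. The hash used here is an unsalted digest of a canonicalised vanity, so a short, guessable vanity can be recovered from it by dictionary lookup; that is consistent with the note in the issue that uploading the hashed contact list costs some confidentiality even towards the trusted server.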