Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ricochet-Refresh Version 4 Design Refresh #186

Open
1 of 15 tasks
morganava opened this issue Jun 16, 2024 · 6 comments
Open
1 of 15 tasks

Ricochet-Refresh Version 4 Design Refresh #186

morganava opened this issue Jun 16, 2024 · 6 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed in progress This is currently being fixed meta An issue for tracking other issues ui UI specific issue

Comments

@morganava morganava added documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed ui UI specific issue in progress This is currently being fixed meta An issue for tracking other issues labels Jun 16, 2024
@webdingspowah
Copy link

These feature-independent, purely UX related issues could likely be fixed before the next minor update:
#95
#173

@morganava
Copy link
Collaborator Author

These feature-independent, purely UX related issues could likely be fixed before the next minor update: #95 #173

Happy to accept pulls to fix these issues, but I don't have the availability to investigate and fix these for the time being.

@AyrA
Copy link

AyrA commented Aug 4, 2024

With all these changes, I'm wondering if it would make sense to split the UI from the rest of the application. The two components would communicate through a HTTP api.

Amon other things, this would solve #73 because the backend can be run as a service on a device that is always online, eliminating the ability to probe a hidden service for availability, because it's always online this way. #133 also becomes easier because identity handling only has to be implemented in the backend, and for the frontend, the user can simply launch a second UI instance. If the API is simple enough it also makes it trivial for 3rd parties to implement their own UI.

@morganava
Copy link
Collaborator Author

@AyrA We've actually been developing Gosling to deal with #73 . Ideally I want to keep Ricochet-Refresh purely peer-to-peer, without the need of persistent connections or managing servers, etc. This does of course make things more difficult technically, but we we should expect users to have to run their own infra just to have anonymity.

But, you're on the right track re componentization. The high level plan for v4 is to create a breaking change to the protocol, base it on Gosling for the improved metadata protections, and develop a Rust crate with a C-FFI for the Ricochet-Refresh v4 protocol. This library would then be integrated into the official Ricochet-Refresh client, but potentially other front-ends could be built as well. I'd love a TUI interface for instance :D

@AyrA
Copy link

AyrA commented Aug 4, 2024

I don't think Gosling will fully solve #73. The root problem is that if you know a given hidden service name, you can look up its descriptor in the directory. This allows you to see if a service is online (or was very recently) in a fully passive manner. If you want to hide your online presence time you must keep the descriptor alive during your absence. And you can only do this by continuously publishing a new descriptor whenever the current one expires. This is why I was suggesting to split the application.
If done properly it would not make it any more difficult for standard users because the application can be configured to run its own backend instance by default, but for expert users will allow them to run it separately and remotely. Basically like the Tor Browser which brings its own Tor client, but you can also download the client separately and run it as a service if you want to.

@morganava
Copy link
Collaborator Author

So just to start with there is no general solution to this problem (#73) that does not have trade-offs.

The current situation directly links your onion service online status with your IRL activity, so adversaries can secretly and passively build a profile of your online/offline status.

Your proposal fixes this problem with the trade-off of power users with a persistent connection can set up a forwarder/bouncer so you always seem online.

A resolution to https://gitlab.torproject.org/tpo/core/torspec/-/issues/150 would also be a potential solution with the tradeoff being initial contact discovery becomes harder (and you would need to give both your service id and some stealth client auth key) and if these credentials ever leaked you're back to the current status quo..

Gosling works around this problem by only requiring your 'public' identity be online for new friends to find you, and allowing trusted friends to connect to secret onion services. The trade-off here is a slightly more complicated UX/mental model and probably worse performance/scalability as your number of contacts grows.

Thinking on it though, I do think I like this idea of yours. I've been brainstorming about the implementation details of Ricochet-Refresh v4 along with UX updates. Coming from the browser space (Tor Browser dev here hi), I love the idea off sandboxing off the relevant processes the way browsers do, especially as we're planning on adding functionality for inline images and I really want to avoid the whole "lol bug in your image parser download this gif and get owned" problem. The entire Tor+chat protocol layer could be its own process. If we were to build this in by default then having this process be a remote one would be relatively straight forward (relatively doing a lot of work here).

The root of this difficulty is the of course the pure peer-to-peer requirement. Ricochet-Refresh aims to serve folks with the most extreme threat models (whistle blowers, activists, etc) first. I think it would be perfectly reasonable to have some other tool that drops this peer-to-peer requirement to allow for a central chat server to solve these problems (at the expense of metadata-resistance).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request help wanted Extra attention is needed in progress This is currently being fixed meta An issue for tracking other issues ui UI specific issue
Projects
None yet
Development

No branches or pull requests

3 participants