[LXMF] Theoretical Malicious Node #411
-
Propagation nodes are meant to be manually trusted. Setting a default node
should solve that problem from the point of view of the sender.
I don't know enough about the synchronization to do a threat analysis at
this time. There is a potential threat of spoofing delivery unless each
node requires a cryptographic signature from the recipient before deleting,
or something similar. Worth looking into.
…On Thu, Dec 21, 2023, 8:33 AM Linux in a Bit ***@***.***> wrote:
What would happen if there was a malicious node that accepted messages and
returned that 'they are on the propagation net' then proceeded to not
distribute it or give it to the recipient?
Does LXMF check with other propagation nodes to make sure the message has
been properly distributed first? If not, is there something I'm missing?
-
When sending via propagation nodes, LXMF currently only delivers to one propagation node. If this node accepts the message, and then disappears (maliciously or because of unintended failure), the message will not get delivered to its final recipient. In practice, this is the only real attack vector for attempting denial of service.

Once the message has been delivered to at least one propagation node, that is reliable in terms of at least attempting to propagate the message, it's almost impossible to block the message delivery, since every node that has the message will help out in getting the message to every other node that needs it. Note that connections between nodes don't even have to be reliable or always on for this to succeed, neither do nodes actually need to be powered on all the time (even though this is very much recommended, especially in situations where connectivity between nodes is very unreliable or intermittent).

In my understanding, the best way to make attempts at denial of service irrelevant would be to allow LXMF clients to automatically deliver propagated messages to a couple of different nodes. This would dramatically improve chances of success, even in a network where X% of nodes are malicious, and the required number of deliveries can be easily mathematically modeled to satisfy any desired probability of success.

Then again, another easy solution is to just use a propagation node that you know will not act maliciously, and if you don't have that luxury available from anyone else, the solution is simply to find an old computer, small SBC or similar and run:
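The delivery-count model mentioned in the reply above, written out as an added example (not part of the thread and not LXMF code). It assumes the sender picks distinct propagation nodes uniformly at random from a known set, that a malicious node accepts and then silently drops the message, and that one honest node is enough for delivery; all function names are hypothetical.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def p_all_malicious(total_nodes, malicious_nodes, deliveries):
    """Probability that every one of `deliveries` distinct nodes is malicious.

    Nodes are drawn without replacement, so this is the hypergeometric
    tail C(m, k) / C(N, k). It is 0 once k exceeds the malicious count.
    """
    if not 0 <= malicious_nodes <= total_nodes:
        raise ValueError("malicious_nodes must be between 0 and total_nodes")
    if not 1 <= deliveries <= total_nodes:
        raise ValueError("deliveries must be between 1 and total_nodes")
    return Fraction(comb(malicious_nodes, deliveries),
                    comb(total_nodes, deliveries))


def min_deliveries(total_nodes, malicious_nodes, target_success):
    """Smallest k with P(at least one honest node) >= target_success.

    Returns None when no k can reach the target (every node malicious).
    """
    target = Fraction(str(target_success))
    for k in range(1, total_nodes + 1):
        if 1 - p_all_malicious(total_nodes, malicious_nodes, k) >= target:
            return k
    return None


def brute_force_failure(total_nodes, malicious_nodes, deliveries):
    """Cross-check the closed form by enumerating every possible node choice."""
    malicious = set(range(malicious_nodes))  # constructed: nodes 0..m-1 are bad
    choices = list(combinations(range(total_nodes), deliveries))
    bad = sum(1 for choice in choices if set(choice) <= malicious)
    return Fraction(bad, len(choices))


if __name__ == "__main__":
    # Constructed scenario: 20 known propagation nodes, 6 of them (30%) malicious.
    for k in range(1, 6):
        fail = p_all_malicious(20, 6, k)
        print(f"deliveries={k}  P(message lost)={float(fail):.5f}")
    print("needed for 99% success:", min_deliveries(20, 6, 0.99))
```

The model covers only silent dropping by the first-hop node; it says nothing about nodes that collude on node selection or about a sender whose list of candidate nodes is itself attacker-controlled.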
-
What would happen if there was a malicious node that accepted messages and returned that 'they are on the propagation net' then proceeded to not distribute it or give it to the recipient?
Does LXMF check with other propagation nodes to make sure the message has been properly distributed first? If not, is there something I'm missing?