From 233a30d4b2e82abf81300d59b5b5ddd20e7e2a0e Mon Sep 17 00:00:00 2001 From: spaced4ndy <8711996+spaced4ndy@users.noreply.github.com> Date: Mon, 10 Nov 2025 18:29:37 +0400 Subject: [PATCH] add to threat model --- docs/rfcs/2025-10-20-chat-relays.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/rfcs/2025-10-20-chat-relays.md b/docs/rfcs/2025-10-20-chat-relays.md index 6557530d66..d1a3180b70 100644 --- a/docs/rfcs/2025-10-20-chat-relays.md +++ b/docs/rfcs/2025-10-20-chat-relays.md @@ -255,13 +255,14 @@ Notes: can: - effectively substitute group bar group ID and signed profile, by sending unsigned content from other group (or any arbitrary content), that doesn't require signature verification, such as regular messages. - one way this could be further mitigated is requiring owner to sign all messages. + - owner could periodically sign message history as merkle dag. - selectively drop any content or service messages from owner, including actions altering member roster. - selectively drop messages for some of members. cannot: - technically, redirect newly joining member to a different group. - substitute group profile. -- impersonate owner, send arbitrary messages that require signing by owner (actions altering member roster). +- impersonate owner, send any member message that requires signature. **Compromised chat relay (in situation where not all relays are compromised/colluding)** 
@@ -269,6 +270,8 @@ can: - in case number of compromised relays is same as number of uncompromised ones, compromised relay(s) can drop messages or send arbitrary unsigned messages, misleading members from identifying which relays are compromised. - ignore "message from channel" directive from owner, revealing which owner sent message. - this can be revealed to owner by members out-of-band. +- fabricate new members, possibly inflating counts/costs for owner (depends on implementation). + - it can be identified that these imaginary members don't connect to other relays. **Member** @@ -276,6 +279,11 @@ can: - infer which owner sent message as "message from channel", if group has a single owner. - owner client should prohibit this option if group has a single owner. +**Any client** + +can: +- connect to group unlimited number of times, inflating real counts/costs. + ## TODO list - Chat commands for creating group with relays.
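
Review bot: In the hunk at @@ -255,13 +255,14 @@, the rewritten "cannot" item "impersonate owner, send any member message that requires signature" no longer tells the reader which messages are signed, while the "can" list above it still allows arbitrary unsigned content "such as regular messages". The removed parenthetical "(actions altering member roster)" was the only example of a signed message type in this list, so keep an example or point to where the signed message types are defined, and consider splitting owner impersonation and forging a member's signed message into two items. The added "owner could periodically sign message history as merkle dag" line should say what members verify against it and how often, since content sent after the last signature is not covered until the next one, and whether it is also meant to address the "selectively drop" items or only substitution.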
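
Review bot: In the hunk at @@ -269,6 +270,8 @@, the detection note "it can be identified that these imaginary members don't connect to other relays" does not say who performs the check (owner or members) or what data it uses, and it only works while at least one relay is not colluding. The "can" list edited in the first hunk gets no matching "fabricate new members" entry, so if that list is meant to cover the case where every relay is compromised, add the item there as well and state that this check is not available in that case. "(depends on implementation)" should name the implementation choice that decides whether counts or costs are affected.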
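
Review bot: In the hunk at @@ -276,6 +279,11 @@, the new "**Any client**" section lists "connect to group unlimited number of times, inflating real counts/costs" with no mitigation or detection sub-item, unlike the entries around it ("owner client should prohibit this option if group has a single owner", "this can be revealed to owner by members out-of-band"). Add a sub-item that either names the intended limit or states that the risk is accepted as unmitigated for now. It would also help to say how "real counts/costs" here differs from the "counts/costs" inflated by fabricated members in the previous hunk, and whether this section needs a "cannot" list like the others.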