Don't (easily) show information the user shouldn't make public #193

Open
gmaxwell opened this issue Jun 20, 2015 · 1 comment

Comments

@gmaxwell

While instructing someone on using pond, the first thing they did after getting it running was paste to me (over the unencrypted channel we were chatting over) the pondserver URL and public identity -- which I assume might (e.g. in connection with a server compromise) reduce the traffic analysis immunity.

Message content has whatever obvious privacy properties it should have, but other things that shouldn't be made public should probably be put behind a more obvious diagnostic interface.

@burdges
Contributor

burdges commented Jun 20, 2015

Ideally, you should share a hash of your public key since the server never sees the public key. It's okay to share the public key itself I suppose. Do not share your public identity because the server knows that. If you're interesting enough, then you might even make the server a target for your adversary by sharing your public identity.

I've a pull request deriving a fingerprint from the public key here: #175. It's complicated, however, because @agl has code that derives the public identity from the public key, thus breaking the above! At present, we're not using this code, but it activates if a future revision switches to the v2 ratchet. Do not use this pull request until @agl has reviewed it.
