Fabian Kaczmarczyck
2016-08-25 14:37:57 UTC
Hi,

I recently found your blog entry "The Difficulty Of Private Contact
Discovery" while thinking about this problem. I feel like I am missing
something since I have some kind of solution in my mind completely
different from what you tried.

What if you allow clients to anonymously request the server for
contacts? The server only needs a list of all registered contacts, the
client would probably want to make the request through Tor using a new
circuit for each contact. It might also be a good idea to decorrelate
the timing of the individual requests.

A possible extension could be sending a special hello message on
contact discovery. That way, the frequency of updating your own
contacts can be decreased because you get informed by others following
the protocol. I think this should be close to the minimum bandwidth usage
possible.

So the whole idea is to not hide the contacts you are checking, but
yourself. It leaks information about which phone numbers exist and
whether they use Signal, but this is not a regression to the current
state if I understood everything correctly. If I missed something or
this approach does not work for some reason, I would be glad to receive
a short answer.

Thanks,
Fabian