14-WAKU2-MESSAGE: Security issue related to unencrypted timestamp of WakuMessage #439
Comments
staheri14
changed the title
|
Can we make this issue a bit more tight with a clear problem description, proposed solution and acceptance criteria? Right now it is a bit all over the place and a lot of text. |
|
Like any metadata leak, the thing to consider is what the timestamp gives us in terms of features (casual ordering?), that cannot be solved in the encrypted part of the message. Being set by the source, a timestamp leaks information about the origin of the message, as opposed to for example receipt time which is local - assuming you're querying messages from a single history node, it's fine - what both you (and an attacker) lose in that case is the ability to make cross-server queries - I'm unsure of the value here though - basically, to establish whether you lost messages or not, you still need an in-app-protocol mechanism of detecting them and mailservers remain a best-effort solution a la UDP. |
Absolutely, the issue is now revised! @oskarth Hope it is more clear now! |
staheri14
changed the title
|
One way in which the sender-generated timestamp can be exploited is by using some form of timing/probability analysis to determine the identity of the originating peer (e.g. comparing the known latency to a peer with the time elapsed since the sender timestamp). Couldn't a possible solution be to just use a coarser timestamp resolution (say ticking only once per second, or ticking on 0.5s boundaries)? This will obscure the relationship between the latencies of specific paths and the elapsed time determined from the sender timestamp, since multiple peers will tick on the same timestamp. I understand that this may make the sender timestamp less useful, but could be decent middle way. |
|
Thanks for the comment @jm-clius! In the meanwhile, there is a need to investigate the depth of the security issues that timestamp exposure may cause. Once that aspect gets clear, a proper solution can be picked. |
|
FYI back in Whisper / Waku v1 times I pointed out similar issue with the ttl/expiry fields there, and gave some simple example how it probably could be abused. Never made a PoC though: status-im/nim-eth#105 |
Thanks a lot for this comment @kdeme! for more visibility and ease of access, I am going to link this issue status-im/nim-eth#105 to the description of the current issue |
|
Issue moved here |
Problem
While currently, the
timestampis not part of the relayMessage, it is always accessible in plaintext even when theWakuMessageis encrypted. This is because encryption only affects thepayloadofWakuMessagebut not other fields liketimestamp. As such, a relay node is able to extract thetimestampfrom a relayedWakuMessage. This timestamp visibility may cause security issues. For example, one can break message unlinkability by having access to the sender timestamp i.e., an attacker links messages published by the same author through the pattern of timestamps. A similar problem has been reported for Waku v1/ Whipser in this issue status-im/nim-eth#105.@arnetheduck would be great if you could elaborate on the security issues you mentioned in https://github.com/status-im/nim-waku/pull/681/files#r677171720.
Context on the timestamp use case in Waku2
The
timestampis currently used in the store protocol to index waku messages and to enable paging for historical queries.Acceptance Criteria
Potential solutions
The text was updated successfully, but these errors were encountered: