pospeselr
commented
8 months ago So these docs are very out of date though the general themes are probably still on point. There may have been some problem with v2 onion services which made it possible.
By server we mean a Ricochet-Refresh user's onion service. The way Ricochet-inspired chat programs (eg Ricochet-Refresh, Quiet, cwtch, etc) work is that every client runs an onion service for their contacts to connect to. On launch, Ricochet-Refresh iterates over all of its contacts and attemtps to make a connection to their onion services, and perioically tries again on failure. The same goes for all of your contacts, each attempting to reach your onion service when they launch. A contact appears online when one of these connections has succeeded.
It is not known to be possible to impersonate an onion service/server without the associated ed25519 private key. So, so long as you don't leak your your ricochet-refresh config directory then it should not be possible to a malicious party to impersonate you (ie be the endpoint/server for your contacts to connect to). That said we do have https://github.com/blueprint-freespeech/ricochet-refresh/issues/71 open for actually storing this private key in an encrypted format to fix this local adversary/malware problem.
odiferousmint
As per https://github.com/blueprint-freespeech/ricochet-refresh/blob/main/doc/protocol.md, apparently it is possible to impersonate the server. How? What does it mean in practice? What is exactly meant by "server"?