Open morganava opened 3 years ago
Specifically the issue here is that we just accept connections and do work on them on the main thread, so if a ton queue up the UI will become unresponsive.
There should be some sort of queuing system or something in place to ensure the main thread isn't starved.
This would be partially solved by #73 - to shut down contact requests, just turn off your public identity.
A malicious client can DDoS a user with connection requests as there is currently no option to ignore contact requests.
The protocol also does not implement any kind of rate limiting, which is described in the documentation in a hypothetical manner. This creates the possibility of denial of service attacks via contact requests for known ricochet-ids. This attack does not limit the network connection but makes the user interface unusable. It could be avoided by either implementing said rate limiting or making contact discovery configurable by the user.
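The two mitigations raised in this thread, rate limiting and a queue that keeps the main thread from being starved, can be combined in one gate between the connection acceptor and the UI. The sketch below is an added example, not part of the issue or of Ricochet's code; `ContactRequestGate`, its parameters and the string stand-in for a contact request are all hypothetical.

```cpp
#include <algorithm>
#include <chrono>
#include <deque>
#include <mutex>
#include <string>
#include <utility>
#include <vector>

// Hypothetical gate between the connection acceptor and the UI thread.
class ContactRequestGate {
public:
    using Clock = std::chrono::steady_clock;
    ContactRequestGate(double ratePerSec, double burst, std::size_t maxPending,
                       Clock::time_point start = Clock::now())
        : rate_(ratePerSec), burst_(burst), tokens_(burst),
          maxPending_(maxPending), last_(start) {}

    // Acceptor thread: admit or drop one inbound contact request.
    // Dropped when the token bucket is empty or the pending queue is full.
    bool offer(const std::string& request, Clock::time_point now = Clock::now()) {
        std::lock_guard<std::mutex> lock(mu_);
        std::chrono::duration<double> dt = now - last_;
        last_ = now;
        tokens_ = std::min(burst_, tokens_ + dt.count() * rate_);
        if (tokens_ < 1.0 || pending_.size() >= maxPending_) return false;
        tokens_ -= 1.0;
        pending_.push_back(request);
        return true;
    }

    // UI thread: take at most maxBatch requests per event-loop tick.
    std::vector<std::string> drain(std::size_t maxBatch) {
        std::lock_guard<std::mutex> lock(mu_);
        std::vector<std::string> out;
        while (!pending_.empty() && out.size() < maxBatch) {
            out.push_back(std::move(pending_.front()));
            pending_.pop_front();
        }
        return out;
    }
private:
    std::mutex mu_;
    double rate_, burst_, tokens_;
    std::size_t maxPending_;
    Clock::time_point last_;
    std::deque<std::string> pending_;
};
```

Because `offer` rejects before any parsing or UI work happens and `drain` caps the work done per tick, a flood of requests costs the main thread a bounded amount of time regardless of how many connections arrive.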