oxen-io / session-desktop

Session Desktop - Onion routing based messenger
https://getsession.org
GNU General Public License v3.0

[Feature] Privacy vulnerability - deanonymization by Session ID (updated 22.11!) #2791

Open qdhj opened 1 year ago

qdhj commented 1 year ago

Privacy vulnerability - deanonymization by Session ID

Problem 1

There is only one ID (or nickname, if you have one), and you can't use it if you have a few alter egos IRL.

Example: I am just a girl Alice (1), but also an anarchist & political activist (2), but also a BDSM-lover (3), but also a drug addict (4). I need to make four different Session accounts through some sneaky ways, because if I give, e.g., BDSM-club members (3) and my friends (1) the same Session ID, I can be deanonymized. The case is worse if I want to do politics: exchanging the same Session ID with sneaky people on the net (2) and my friends (1) can give the officials an easy way to recognize me.

Problem 2

One has to distrust Session even when chatting with friends, because even if Session is secure, it is not fully private about its nicknames.

Example: I am a gay male in an Islamist country. I cannot really trust Session when chatting with my friends about this, because if my friends ever get caught by the government/right-wing group, which will search through their phone and find this exact Session ID, it can be linked to my identity. If I ever published my ID online (e.g. "Contact me in Session: 5d93..."), I'm screwed.

Example 2: I am an anarchist who has a private activist group in Session. If the government gets one of us, they can find each and every one of us who posted their ID online.

Solving ideas

0) The very best one: every time you copy a Session ID, it is temporary and one-time-use (like in SimpleXChat). [Solves both problems completely] Not possible with Session Messenger

1) Make some kind of "masks" for users. E.g. a user can make a temporary Session ID, which will work as a mask for the original ID but never reveal it, and self-delete after a period of time. [Solves both problems completely]

2) "Session Subaccount as a Unidirectional Privacy Firewall to Protect the Main Account": a user could make a few different addresses/ONS' for the same account. Already greatly described here. [Solves first problem completely, second partially]

3) "crutchy" mask-idea: one can make a group where all members are fully hidden, and which you can join using an address or a link. Then you could make this type of group and send the link to it to the mentioned "sneaky people", so they cannot find your original account through it. [Solves first problem completely, second partially]

4) Make an easy way to switch between Session accounts from the same device: just like you can add a few accounts in your Telegram app. This requires the least work to do. [works as a handy temporary solution, and should be implemented ASAP because it's easy and useful] !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

5) Ability to hide your session ID for a user after they have added you (???) [Solves only second problem]

KeeJef commented 11 months ago

I believe the right way to solve this is with #421 which is similar to your 2nd proposed solution. This is something we plan to work on in the future. The SimpleXChat solution is not optimal in a decentralized context as you would have to poll in multiple swarms if you generated a random Session ID.
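The polling cost mentioned in the comment above, as an added example that is not part of the thread or of Session's code. It uses a simplified model in which each account ID is served by exactly one swarm chosen by hashing the ID; `SWARM_COUNT`, the FNV-1a mapping and the sample ID format are assumptions made for this sketch.

```javascript
// Added illustration, not Session code. Model: every account ID is served by
// exactly one swarm, chosen by hashing the ID. SWARM_COUNT and the FNV-1a
// mapping are assumptions for this sketch, not Session's real parameters.
const SWARM_COUNT = 200;

// 32-bit FNV-1a over the characters of the ID.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

const swarmFor = (id) => fnv1a(id) % SWARM_COUNT;

// Small seeded PRNG (mulberry32) so the constructed IDs are reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed sample ID: 64 random hex characters (format is an assumption).
function randomId(rng) {
  let s = "";
  for (let i = 0; i < 64; i++) s += Math.floor(rng() * 16).toString(16);
  return s;
}

// Number of distinct swarms a client must poll to receive for all of its IDs.
function swarmsToPoll(ids) {
  return new Set(ids.map(swarmFor)).size;
}

// Polling cost as the number of live one-time IDs grows (counts ascending).
function pollingCost(counts, seed) {
  const rng = mulberry32(seed);
  const ids = [];
  return counts.map((n) => {
    while (ids.length < n) ids.push(randomId(rng));
    return { ids: n, swarms: swarmsToPoll(ids) };
  });
}
```

Calling `pollingCost([1, 5, 20, 100], 1)` returns one row per count; in this model a single long-lived ID always costs one swarm, while independent random IDs spread across many.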

qdhj commented 10 months ago

Make an easy way to switch between Session accounts from the same device: just like you can add a few accounts in your Telegram app. This requires the least work to do. [works as a handy temporary solution, and should be implemented ASAP because it's easy and useful]

This should finally be taken into account.