One major privacy aspect in an anonymous transport protocol is the preservation of sender anonymity, which is
Sender anonymity: No global entity except the sender knows which entity owns the message
Waku2-Relay does not provide sender anonymity even against a local adversary. Below is the attack scenario:
The adversary can eavesdrop on the incoming and outgoing traffic of a target node and realizes that some messages appear in the outgoing traffic but not in the incoming traffic of that node. Those messages are the ones originated by that node.
Problem
Despite the lack of sender anonymity in Waku2-Relay, it is not clear what security implications would it have. Moreover, it is not clear whether violation of sender anonymity (as defined above) would be a disadvantage compared to Tor which seems to be able to support sender anonymity.
Acceptance Criteria
This issue is
[ ] to identify attack scenarios related to the lack of sender anonymity.
[ ] make a comparison with the sender anonymity supported by Tor.
The comparison shall include different adversarial power:
[ ] Local adversary (passive (HbC), active (malicious)): An adversary with the control of local network
[ ] Global adversary (passive (HbC), active (malicious)): An adversary with the control of a larger portion of the network e.g., ISPs.
Out of scope
The following items are outside of the scope of the current problem:
In the adversarial model, the end-point security is assumed, hence malware or hardware attacks are precluded.
The adversary has NO Auxiliary Information (background about users). The inclusion of such information would open up all sorts of inference attacks and a countermeasure demands research techniques like differential privacy which is going to be left out of scope for now.
In this analysis, we preclude the metadata included in the WakuMessage, as the unit of data transported using WAKU2-Relay. The waku message is treated as a black box. A privacy-respected application can provide the utmost level of security by encrypting the waku message before transportation. The analysis of the metadata included in the WakuMessage falls into the "conversational security" and deserves a separate issue.
Context
One major privacy aspect in an anonymous transport protocol is the preservation of sender anonymity, which is Sender anonymity: No global entity except the sender knows which entity owns the message Waku2-Relay does not provide sender anonymity even against a local adversary. Below is the attack scenario:
The adversary can eavesdrop on the incoming and outgoing traffic of a target node and realizes that some messages appear in the outgoing traffic but not in the incoming traffic of that node. Those messages are the ones originated by that node.
Problem
Despite the lack of sender anonymity in Waku2-Relay, it is not clear what security implications would it have. Moreover, it is not clear whether violation of sender anonymity (as defined above) would be a disadvantage compared to Tor which seems to be able to support sender anonymity.
Acceptance Criteria
This issue is
The comparison shall include different adversarial power:
Out of scope
The following items are outside of the scope of the current problem: