Store resolving draft

When receiving a message or discovering an actor group, an actor needs to connect to the store of a possibly unknown and untrusted actor. This requires some caution.

Message reception

When receiving a message, the message envelope contains the URL of the sender's store, e.g.

https://condensation.io

To process the message, the receiver must connect to that store to retrieve the sender's public key (to verify the envelope's signature), and the message content. This results in one or more get requests.

Actor group discovery

Similarly, members of the same actor group publish their stores on their public cards. To discover the group, an actor must connect to these stores, list their public box, and get their public cards and public keys.

Security risks

Get and list request will not cause any direct harm, since they do not modify the store. Careless implementations may however allow an attacker to use an actor as part of a greater attack. Two obvious examples are:

• DDOS attack: By sending envelopes indicating a victim store, an attacker may flood that store with get or list requests, and utilize excessive bandwidth and power.
• Side channel information: The timing of get requests to internal IP addresses may reveal information about the architecture of the internal network.

Precautions

An actor should take the following precautions:

• Accept only URLs of agreed-upon protocols (e.g. http: and https:), and reject all other URLs (e.g. file:).
• Reject any URL that points to your internal network.
• Do not try to "intelligently" resolve the situation or ask the user to provide a store URL. The sender is supposed to provide a valid URL. An invalid or inaccurate URL should always be considered malicious.
• Do not reply to messages with obviously wrong stores.
• Drop actor groups with obviously wrong stores.

In addition, missing public keys or empty public boxes are a weak indicator for a maliciously indicated store. You may greylist the corresponding sender or actor, rate limit requests on the corresponding store, or log such incidents for manual investigation.

User notifications

Generally, envelopes or public cards pointing to invalid stores should be silently ignored, without notifying the user.

However, if the corresponding actor or actor group is known and trusted (e.g. a friend), the user should be notified so that the problem can be resolved.