Threat Model
Hushlist is a tool for communicating privately in spite of a hostile network, in a censorship-resistant and metadata-minimizing way. For the different kinds of Hush users to know when they can and cannot safely use this tool, it is necessary to describe precisely the threat model in which Hushlist operates. This document lists the Hushlist user assets at issue, and identifies threat sources that might compromise the user's privacy by emanating various types of metadata.
Never use Hushlist on the same physical computer or virtual machine as another user you do not trust. If that user can leverage a single CVE to gain privilege escalation, a full loss of privacy could result. It is best never to let this easy-to-prevent situation occur. Use Hushlist on a private desktop or laptop computer, or on a server that you have root on. Practice the art of compartmentalization and isolation at every level.
Bad actors on your local physical network pose an elevated risk to you. If you think your local physical network is not secure, use caution.
- ARP poisoning
- DDoSing, because there is no firewall/router/NAT in between
If you can't trust your local network admin, using Hushlist there is probably not a good idea. They can do everything listed above, and in addition:
- DNS poisoning
- ...
- can obtain the full ciphertext of all network traffic, via direct methods or the various agreements that security agencies have to access each other's resources.
- can poison BGP routes
- can inject/poison any unencrypted/unauthenticated network traffic such as HTTP
code=speech + money=code => money=speech