Threat Model
Most applications should have a threat model: a description of which threats and adversaries the application protects you against, and which mitigations provide that protection. Most applications do have such a model, but it is not always articulated or written down; it exists in the heads of the developers. CoyIM has for a long time been in the same situation, where the developers know what we can and cannot protect against. Of course, this doesn't necessarily help the users, and it isn't easy for outside developers to come in and work on the project with the same understanding.
We are currently working on expanding the threat model for CoyIM. You can see the current status of it here. That model is quite structured, since it follows an established methodology, but it will not necessarily help you as a user understand the practical implications. So in this document we look at the most common scenarios and describe which of them CoyIM protects you against and which it does not. This is a short summary of the longer, more detailed threat model. If you have a scenario that is not clear from this discussion, don't hesitate to contact us.
Who can see my contact list?
Because of how XMPP works, your server can always see this information: the contact list (the roster) is stored on the server. However, the contact list only includes the account names of your contacts, and potentially whatever nicknames you have given them through other applications. (CoyIM stores nicknames only locally, to minimise the information the server gets.) The server knows nothing else about these contacts, unless they have accounts on the same server, in which case the server knows more about them anyway.
Without transport security, anyone who could intercept the traffic between you and the server could also see the contact list. For this reason, XMPP uses transport security (TLS) on the connection to the server. Assuming the implementation and the specification are secure, nobody except the server can see the contact list.
Your contacts cannot see your contact list. This follows from how the XMPP protocol works.
Finally, anyone with access to your running computer at super-user level, such as a virus or other malware, can see your contact list while CoyIM is running. Specifically, if they can read the memory of other running programs, they can attach to the CoyIM process and extract this information. (Note that on some systems a program running as your own user can also read the memory of your other processes, for example through ptrace, so super-user access is not always required for this.) If CoyIM is not running, or the malware cannot read other processes' memory, this information is not accessible, assuming you are using the encrypted configuration file. If the configuration file is not encrypted, and the malware has read access to your home directory, this information is accessible.
Who can see my IP address?
Just as with the contact list, the server sees your IP address. Any ISP or person on the network between you and the server can also see it. Because your account name travels inside the TLS-protected connection, such an intercept does not by itself link your IP address to your account address. But if the server hosts only a few accounts, it may be easy to guess the link; if your account is hosted on a large server with many accounts, this is harder, but still not impossible. CoyIM mitigates these risks by using Tor as the transport, by default. If you are using Tor, neither the server nor anyone intercepting traffic can see your IP address, with the exception of your first Tor relay (the guard) and anyone on the network between you and that relay. Because of the design of Tor, unless the adversary has a complete view of the whole network, it is not feasible to connect your IP address to your account. Assuming Tor works as designed, nobody except a global passive adversary can connect your IP address with your account. This includes the server.
Your contacts cannot see your IP address. They can only learn which server you are using.
Just as with the contact list, the exception is an adversary with super-user access to your running computer. If CoyIM is running, the malware can extract account information from the running process. If CoyIM is not running, or the malware cannot read other processes' memory, and the configuration file is encrypted, this information is not accessible. If the configuration file is not encrypted, and the malware has read access to your home directory, this information is accessible.
Who can see the content of my communication?
The goal of end-to-end encryption is to make sure that only the intended recipient can see the content of the communication. A secondary goal is to ensure that the recipient receives exactly the content that was sent. If CoyIM did not have end-to-end encryption, your server would be able to see and modify the content, and so would the recipient's server. Any malicious program running on the sender's or receiver's computer could also see and modify the content. Transport security protects the content only hop by hop: from computer to server, from server to server, and from server to computer. It does not protect it from the servers themselves.
When thinking about the protection of encrypted communication, it is worthwhile to analyse it from the perspective of when an attacker gets access to key material. Two common scenarios are an attacker who obtains key material at some point before a message is sent, and an attacker who obtains key material at some point after the message was sent. In both cases the attacker also needs access to the ciphertext. But even with that access, the attacker does not get the plaintext: CoyIM's end-to-end encryption (OTR) authenticates a conversation with your long-term key but encrypts messages under ephemeral keys that are discarded afterwards, so a key obtained later cannot unlock earlier messages (forward secrecy), and a key obtained earlier does not give a passive attacker the session key of a later message. The only case in which an attacker gets the plaintext is when they hold the key material in use at the exact moment the message is sent or received. One caveat: a long-term key stolen in advance does let an active attacker impersonate its owner in new conversations, which is why verifying your contacts' fingerprints matters.
An attacker can also modify an encrypted message after it has been received, but only blindly, without knowledge of the content: the encryption is malleable, and the key used to authenticate messages is revealed once it is no longer needed. This means a transcript of the conversation cannot be used to prove that you wrote a particular message, since anyone could have altered it afterwards and produced a valid authentication tag. This is the security property called deniability.
In the default configuration, CoyIM also refuses to send messages unencrypted, so no plaintext is ever sent to an attacker. Thus the servers never see unencrypted content, assuming you haven't changed the default settings.
If a malicious program running on the sender's or receiver's computer has access to CoyIM's memory, that program has access to the content and can also modify it.
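The two properties discussed above, forward secrecy against key material obtained after the fact and malleable encryption with revealed MAC keys giving deniability, can be seen in a small simulation. The following Go program is an added example written for this page; it is not CoyIM's or OTR's own code, and it simplifies the real construction: one ephemeral X25519 key pair per party per message, a labelled SHA-256 standing in for the real key derivation, AES-128-CTR as the malleable cipher and HMAC-SHA256 as the MAC. The message text and the attacker's actions are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// msgKeys holds the AES key and the MAC key for exactly one message, both
// derived from a fresh X25519 shared secret (labelled SHA-256 is an
// assumption standing in for a real KDF).
type msgKeys struct{ enc, mac []byte }

func deriveKeys(shared []byte) msgKeys {
	kdf := func(label string) []byte {
		h := sha256.New()
		h.Write([]byte(label))
		h.Write(shared)
		return h.Sum(nil)
	}
	return msgKeys{enc: kdf("enc")[:16], mac: kdf("mac")}
}

// ctr applies AES-128-CTR with a zero IV. A fixed IV is acceptable only
// because each msgKeys value is used for a single message.
func ctr(key, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

func tag(macKey, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)
}

// seal is encrypt-then-MAC; open rejects any ciphertext whose tag fails.
func seal(k msgKeys, pt []byte) (ct, t []byte) {
	ct = ctr(k.enc, pt)
	return ct, tag(k.mac, ct)
}

func open(k msgKeys, ct, t []byte) ([]byte, bool) {
	if !hmac.Equal(tag(k.mac, ct), t) {
		return nil, false
	}
	return ctr(k.enc, ct), true
}

func mustKey(curve ecdh.Curve) *ecdh.PrivateKey {
	k, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// scenario records the outcome of each step of the story.
type scenario struct {
	Received       []byte // Bob's view of the message in the live session
	Altered        []byte // what the attacker's bit-flipped ciphertext decrypts to
	AlteredOK      bool   // did Bob's MAC check accept the flipped ciphertext?
	LateDecryptOK  bool   // does key material obtained later recover the message?
	ForgedTagValid bool   // can a holder of the revealed MAC key make a valid tag?
}

func run() scenario {
	curve := ecdh.X25519()
	plaintext := []byte("meet me at 10") // constructed sample message

	// One ephemeral key pair per party per message. Only the public halves
	// cross the network, so that is what a passive attacker records along
	// with the ciphertext and tag.
	aliceEph, bobEph := mustKey(curve), mustKey(curve)
	alicePub := aliceEph.PublicKey()
	aliceShared, _ := aliceEph.ECDH(bobEph.PublicKey())
	bobShared, _ := bobEph.ECDH(alicePub)
	ka, kb := deriveKeys(aliceShared), deriveKeys(bobShared)

	var s scenario
	ct, t := seal(ka, plaintext)
	s.Received, _ = open(kb, ct, t)

	// Malleability: CTR mode lets anyone XOR a difference into the plaintext
	// without knowing the key; one flipped bit turns "10" into "11". During
	// the session Bob's MAC check still rejects the altered ciphertext.
	altered := append([]byte(nil), ct...)
	altered[len(altered)-1] ^= '0' ^ '1'
	s.Altered = ctr(kb.enc, altered)
	_, s.AlteredOK = open(kb, altered, t)

	// Forward secrecy: both ephemeral private keys are discarded after use.
	// Key material obtained later (a fresh key here, standing in for anything
	// left on the device such as a long-term key) does not yield the message keys.
	wrongShared, _ := mustKey(curve).ECDH(alicePub)
	_, s.LateDecryptOK = open(deriveKeys(wrongShared), ct, t)

	// Deniability: once the MAC key is published, anyone can attach a valid
	// tag to the altered ciphertext, so a valid tag proves nothing about authorship.
	_, s.ForgedTagValid = open(kb, altered, tag(kb.mac, altered))
	return s
}

func main() {
	s := run()
	fmt.Printf("received: %q\n", s.Received)
	fmt.Printf("altered: %q (accepted in session: %v)\n", s.Altered, s.AlteredOK)
	fmt.Printf("later key recovers message: %v, forged tag valid: %v\n", s.LateDecryptOK, s.ForgedTagValid)
}
```

Running it shows the round trip succeeding, the flipped ciphertext decrypting to the predictable "meet me at 11" while being rejected by the MAC in the live session, a later-obtained key failing to open the recorded ciphertext, and the revealed MAC key letting anyone attach a valid tag to the altered message.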
What does CoyIM not protect against?
CoyIM cannot protect against malicious programs running on the same machine that have access to CoyIM's process memory. CoyIM cannot protect your anonymity against a global passive network observer, but the confidentiality and integrity of content are still protected. With an unencrypted configuration file, CoyIM cannot protect against someone who can read files on your computer. CoyIM cannot protect against an adversary that has the computational power or the algorithms to solve the discrete logarithm problem (DLP) at the 80-bit security level of the key exchange in a reasonable time frame. CoyIM cannot protect against an adversary that can break or downgrade the TLS methods used between the client computer and the server when Tor is not used as the transport. However, such an adversary can only see contact lists and other metadata; it cannot see or modify content.