Threat Model


Tingl aims to provide the following protections against attackers within the scope of the threat model:
  • Sender Anonymity: Identity key of the sender is only known to the members of the conversation, and the address of the sender is unknown to anyone except the first hop in the onion routing path. However, the first hop doesn’t know the destination or contents of the message.
  • Recipient Anonymity: The address is unknown to anyone except the last hop in the onion routing path. However, the last hop doesn’t know the source or contents of the message.
  • Data Integrity: Messages are received intact and unmodified, and if messages are modified they appear as corrupted and are discarded.
  • Storage: Messages are stored and available for the duration of their specified time to live.
  • End-To-End Encryption: Messages (with the exception of friend requests) maintain the properties of the Off the Record (OTR) messaging protocol, namely Perfect Forward Secrecy and Deniable Authentication.

In Scope

Service Node Operators Passive/Active Attacks

Storage and message delivery in Tingl is performed by Service Node operators. Since Tingl is permissionless, our threat model considers a highly resourced attacker with limited financial resources therefore can only control a fraction of the whole network. A dishonest Service Node operator would be able to perform a range of active and passive attacks. Such passive attacks could include passively reading message headers, logging timestamps of received/relayed messages, storing encrypted contents of a message and assessing the size of a message. Active attacks could include failing to relay a message, failing to store message, relaying modified messages, refusing to respond for message requests for messages from specific identity keys. Service Nodes operate the onion request system and could attack it to. Active attack could include dropping packets, modifying latency between hop, modifying packets. Passive attacks could include storing all data passing through the malicious Service Node and logging all connections with other Service Nodes.

Network Adversary Passive Attacks

Tingl also considers a local network adversary such as an ISP or local network provider. This adversary could perform passive attacks such as traffic monitoring, deep packet inspection or packet storage for later inspection.

Out of Scope

Attackers who are out of the scope of Tingl threat model may be able to break some of the protections Tingl aims to provide.

Network Adversary Active Attacks

A network adversary could conduct active attacks including corrupting or rerouting packets or adding delays. These attacks could compromise the storage and retrieval of messages. These primarily addressed by data encrytption and onion routing, making targeted attacks by network adversaries difficult.

Global Passive Adversary

A global passive adversary (GPA) that can monitor the first and last hops in an onion request path could use traffic analysis to reveal the true address of a Tingl client and the destination that Tingl client is talking to. This potential attack is a property of the onion request system; onion requests are a low-latency onion routing network, meaning that packets are forwarded to their destinations as fast as possible, with no delays or batching. This behaviour, while beneficial for user experience, makes traffic analysis trivial in the case of a GPA.

Out of Band Key Discovery

Tingl can’t protect users from exposing pseudonymity provided by the public key- based identity system.