49 lines
1.8 KiB
Markdown
49 lines
1.8 KiB
Markdown
# Cwtch UI
|
|
|
|
The UI is built on [therecipe/qt](https://github.com/therecipe/qt) which
|
|
links in Qt libraries.
|
|
|
|
|
|
|
|
# Known Risks
|
|
|
|
## Deanonymization through Content Injection
|
|
|
|
**Status: Mitigated in several places**
|
|
|
|
Like most UI frameworks, QML provides a HTML rendering engine with the potential
|
|
to make requests through remote resource loading. Any kind of malicious content
|
|
injection is therefore elevated to a critical deanonymization risk.
|
|
|
|
To mitigate such a risk we do the following:
|
|
|
|
* Maintain our own UI library that explicitly relies on PlainText fields to
|
|
handle all content (and thus styled safely)
|
|
* Mediate all Cwtch api networking calls through Tor
|
|
* Force QML to use a deliberately broken network resolver that is incapable of
|
|
resolving remote content
|
|
* Frequently test the UI for potential content injection vulnerabilities.
|
|
|
|
While none of these mitigations should be assumed robust by themselves, the
|
|
combination of them should be sufficient to prevent such attacks.
|
|
|
|
## Denial of Service through Spamming
|
|
|
|
**Status: Partially Mitigated**
|
|
|
|
There is currently no limitation on the number of messages that can be sent
|
|
to a Cwtch server or by a Cwtch peer. Each message requires process and is
|
|
added to the UI if valid.
|
|
|
|
We have put in work to ensure that an influx of messages does not degrade the
|
|
app experience, however it will result in an increase in network badwidth which
|
|
may be intolerable or undesired for many people - especially those on metered
|
|
connections (e.g. cellphone data plans)
|
|
|
|
In order to be suitable to deploy groups at a wide scale, the app require a way
|
|
to prevent Cwtch from fetching information over such connections, and this
|
|
should likely be turned on by default.
|
|
|
|
## Testing Status
|
|
|
|
The UI is currently only subject to manual testing. |