Chris Ballinger and I were discussing the most private possible methods to transmit data on ChatSecure iOS that will work in the background. Basically, iOS does not let normal apps operate in the background, but provides a service to do HTTP uploads and downloads in the background. For many users, using a direct HTTPS file transfer that sends an end-to-end encrypted file is private enough, and the usability gain over OTRDATA on iOS would be then worthwhile.
This can be implemented using OTR TLV8 with a specific TLV8 bytecode to represent this kind of transfer. Signal uses something like this, but with Amazon S3 as the store. I just found out about Zerobin from BastienLQ on #fdroid. I think it can provide the perfect store for a system like this. It is Free Software with an instance available here: https://www.zerobin.net/ http://zerobinqmdqd236y.onion/ * client encrypts so only encrypted data is stored on the server * each paste/file can automatically expire * "Burn after reading" for a one time download Here is more info on zerobin: http://sebsauvage.net/wiki/doku.php?id=php:zerobin Here's a rough idea of how the file transfer idea would work for ChatSecure iOS using zerobin: * zerobin provided by XMPP server * sender generates AES key and encrypts file * sender uploads encrypted file to zerobin using background service * optionally, the URL is uploaded in foreground via Tor/.onion * sender sends AES key and zerobin URL in an OTR TLV8 * next time receiver is online, it receives the TLV8 * the AES key and URL is stored in SQLCipher * the URL is downloaded via the background service * optionally, the URL is downloaded in foreground via Tor/.onion * once the file is downloaded, the AES key is fetched from SQLCipher On Android, there is a lot more flexibility with this. For example, the Android app can upload and download in the background via Tor/.onion. So if the Android apps are always transfering via Tor while iOS apps do it directly, then there is no metadata link related to that file transfer visible by the server. Feedback welcome, I think this could help with iOS usability a lot without leaking much extra information. I think it could also help make transferring large files with ChatSecure on Android more usable as well. .hc _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
