Threat Library

| Name | Applicable situation | Description | Impact | Suggested mitigation |
| --- | --- | --- | --- | --- |
| READ_SNAPSHOT | This considers anyone with access to the server or its database, but it could also be a compromised Wi-Fi network or any other compromise in a networking layer. | An attacker can read the snapshot message. | The attacker cannot retrieve any confidential content of the message. That said, the attacker can gather metadata, for example which document the message belongs to. Further, they can identify who sent the message based on the signature. If an attacker has access to all previous messages, the attacker would likely also be able to estimate the size of the document. | To prevent any metadata leak, each message could be wrapped in a sealed envelope. To reduce the chance of estimating the size of the document, clients could add fake data to the message that would not change the actual document. |
| READ_UPDATE | Same as in READ_SNAPSHOT | An attacker can read the update message. | Same as in READ_SNAPSHOT, except that the attacker can also identify which snapshot the update belongs to and, based on the counter, how many updates the client applied to that particular snapshot. | Same as in READ_SNAPSHOT, with the addition that not only could fake data be added to the update, but fake messages could also be sent to prevent an attacker from learning how many updates have been created. |
| READ_EPHEMRAL_UPDATE | Same as in READ_SNAPSHOT | An attacker can read the ephemeral message. | The attacker cannot retrieve any confidential content of the message. That said, the attacker can gather metadata, for example which document the message belongs to. Further, they can identify who sent the message based on the signature and, since the main use case is to send presence information (e.g. cursor position), also the fact that the client is currently interacting with the document. | Same as in READ_UPDATE |
| REPLAY_SNAPSHOT | Same as in READ_SNAPSHOT | The attacker records a snapshot message and plays it back to the intended receiver. | The message will be ignored due to the verification that the snapshot is based on the last snapshot known to the client. | |
| REPLAY_UPDATE | Same as in READ_SNAPSHOT | The attacker records an update message and plays it back to the intended receiver. | The message will be ignored, either because it does not reference the same snapshot as the last one known to the client or because of the check on the public key and update counter. | |
| REPLAY_EPHEMERAL_MESSAGE_SAME_SESSION | Same as in READ_SNAPSHOT | The attacker records an ephemeral message and plays it back to the intended receiver while the receiver has seen a previous ephemeral message from the sender. | The message will be ignored since the ephemeral message counter value is equal to or lower than the last seen one. | |
| REPLAY_EPHEMERAL_MESSAGE_DIFF_SESSION | Same as in READ_SNAPSHOT | The attacker records an ephemeral message and plays it back to the intended receiver while the receiver has NOT seen a previous ephemeral message including a proof for the receiver's ephemeral session ID. | The message will be ignored since ephemeral updates are only accepted when they include a proof that includes the receiver's current session ID. | |
| MSG_INSERTION_SNAPSHOT | Same as in READ_SNAPSHOT | The attacker forges a snapshot message with some chosen set of properties and injects it into the network. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| MSG_INSERTION_UPDATE | Same as in READ_SNAPSHOT | The attacker forges an update message with some chosen set of properties and injects it into the network. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| MSG_INSERTION_EPHEMERAL_MESSAGE | Same as in READ_SNAPSHOT | The attacker forges an ephemeral message with some chosen set of properties and injects it into the network. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| MSG_DELETION_SNAPSHOT | Same as in READ_SNAPSHOT | The attacker removes a snapshot message from the wire. | The client can't resolve the latest state of the document, and any further update or ephemeral message will be ignored. The client's document effectively becomes stale until a newer snapshot is received. | Until a new message comes in, the client won't know about the missing message and there is nothing that can be done about it. From a UX perspective, visualising when the last update happened might help a user identify that document changes are missing. If an update or ephemeral message for an unknown snapshot is received, the user should be informed that the document is likely out of date. |
| MSG_DELETION_UPDATE | Same as in READ_SNAPSHOT | The attacker removes an update message from the wire. | The client can't resolve the latest state of the document, and any further update or ephemeral message will be ignored. The client's document effectively becomes stale until a newer snapshot is received. | Until a new message comes in, the client won't know about the missing message and there is nothing that can be done about it. From a UX perspective, visualising when the last update happened might help a user identify that document changes are missing. If an update or ephemeral message referencing an unknown update is received, the user should be informed that the document is likely out of date. |
| MSG_DELETION_EPHEMERAL_MESSAGE | Same as in READ_SNAPSHOT | The attacker removes an ephemeral message from the wire. | The client misses the ephemeral messages. Since these updates are not supposed to be persistent, a downgrade in the user experience (e.g. not seeing other users' cursors) might be the result, but no document changes that should be persisted are lost. | |
| MSG_MODIFICATION_SNAPSHOT | Same as in READ_SNAPSHOT | The attacker removes a snapshot message from the wire, modifies it, and reinjects it into the network. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| MSG_MODIFICATION_UPDATE | Same as in READ_SNAPSHOT | The attacker removes an update message from the wire, modifies it, and reinjects it into the network. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| MSG_MODIFICATION_EPHEMERAL_MESSAGE | Same as in READ_SNAPSHOT | The attacker removes an ephemeral message from the wire, modifies it, and reinjects it into the network. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| MAN_IN_THE_MIDDLE | Same as in READ_SNAPSHOT | The attacker subverts the communication stream in order to pose as the sender to the receiver and as the receiver to the sender. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| LEAKED_SIGN_PRIVATE_KEY | The private key of the client is compromised due to e.g. insecure secret storage on the client or an implementation mistake. | The attacker can forge signatures for all messages. | The message will be ignored since the attacker does not have access to the shared secret and decryption will fail. | |
| LEAKED_SHARED_SECERT | The shared secret is compromised due to e.g. insecure secret storage on the client or an implementation mistake. | The attacker can create signatures for all messages. | Confidentiality is broken and the attacker can read all messages they get access to. | To reduce the risk, it is advised to verify the origin of each message using the signature and to verify that the public key of the signature is a trusted source. Ideally this is done via an out-of-band verification. |
| LEAKED_KEYS | The private key of the client and the shared secret are compromised due to e.g. insecure secret storage on the client or an implementation mistake. | The attacker can forge valid messages. | Confidentiality is broken and the attacker can read all messages. In addition, the attacker can create valid messages. | To reduce the risk, it is advised to regularly rotate the shared secret to achieve a form of Post-Compromise Security for older messages. |
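
The receiver-side checks behind the REPLAY_* rows (and the gap detection implied by MSG_DELETION_UPDATE), as an added sketch that is not code from this project. All field and function names are assumptions, the session proof is modelled as a plain field rather than a cryptographic proof, and signature verification and decryption are assumed to have already succeeded.

```javascript
// Added example: receiver-side replay checks. Field names are assumptions.
// Signature verification and decryption are assumed to have passed already.
function createReceiver(sessionId) {
  // snapshotId: last known snapshot; the maps hold the last counter per public key
  return { sessionId, snapshotId: null, updateClocks: new Map(), ephemeralCounters: new Map() };
}

function acceptSnapshot(state, msg) {
  // REPLAY_SNAPSHOT: a snapshot must be based on the last known snapshot.
  if (msg.parentSnapshotId !== state.snapshotId) return "ignored:stale-parent";
  state.snapshotId = msg.snapshotId;
  state.updateClocks.clear();      // update counters are tracked per snapshot
  return "accepted";
}

function acceptUpdate(state, msg) {
  // REPLAY_UPDATE: snapshot must match, counter must advance for this key.
  if (msg.snapshotId !== state.snapshotId) return "ignored:unknown-snapshot";
  const last = state.updateClocks.get(msg.pubKey) ?? -1;
  if (msg.clock <= last) return "ignored:replayed-counter";
  // MSG_DELETION_UPDATE: a skipped counter means an update is missing.
  if (msg.clock > last + 1) return "ignored:missing-update";
  state.updateClocks.set(msg.pubKey, msg.clock);
  return "accepted";
}

function acceptEphemeral(state, msg) {
  // REPLAY_EPHEMERAL_MESSAGE_DIFF_SESSION: proof must name our current session.
  if (msg.proofSessionId !== state.sessionId) return "ignored:no-session-proof";
  // REPLAY_EPHEMERAL_MESSAGE_SAME_SESSION: counter must be strictly higher.
  const last = state.ephemeralCounters.get(msg.pubKey) ?? -1;
  if (msg.counter <= last) return "ignored:replayed-counter";
  state.ephemeralCounters.set(msg.pubKey, msg.counter);
  return "accepted";
}

// Constructed sample traffic: each message is delivered once, then replayed.
function demo() {
  const rx = createReceiver("session-B2");
  const snap = { snapshotId: "s1", parentSnapshotId: null };
  const upd = { snapshotId: "s1", pubKey: "alice", clock: 0 };
  const eph = { pubKey: "alice", counter: 7, proofSessionId: "session-B2" };
  const old = { pubKey: "alice", counter: 8, proofSessionId: "session-B1" };
  return [acceptSnapshot(rx, snap), acceptSnapshot(rx, snap), acceptUpdate(rx, upd),
          acceptUpdate(rx, upd), acceptEphemeral(rx, eph), acceptEphemeral(rx, eph),
          acceptEphemeral(rx, old)];
}
console.log(demo());
```

Every replayed message is rejected by state the receiver already holds, which is why those rows list no further mitigation.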