9. Threat Model
This chapter is part of an initial draft specification. Enkrypted Chat has not been independently audited. Content may change.
9.1 Purpose
This chapter is the canonical threat model for Enkrypted Chat on the website. It supersedes informal “zero server” claims and consolidates themes from in-house security-audit and threat-model materials in the p2p repository.
9.2 Adversaries in scope
| Adversary | Capability | In scope |
|---|---|---|
| Passive network observer | Traffic analysis, metadata | Yes |
| Active network attacker | MITM on non-crypto paths | Yes |
| Malicious peer | Send malformed ciphertext, protocol abuse | Yes |
| Compromised signaling server | SDP/ICE manipulation, presence tracking | Yes |
| Malicious CDN / federated host | Serve trojaned JavaScript | Yes |
| State-level / APT | Resource-rich compromise | Yes (design consideration) |
9.3 Primary assets
| Asset | Sensitivity | Loss impact |
|---|---|---|
| Message plaintext | Critical | Confidentiality breach |
| Signal/MLS private keys | Critical | Session compromise |
| File contents | Critical | Data exfiltration |
| Local OPFS vault | High | Device compromise |
| Peer IDs & contact graph | Medium | Metadata deanonymization |
| Federated module integrity | Critical | Full platform compromise |
9.4 Threat scenarios and mitigations
9.4.1 Signaling MITM
Threat: Attacker on signaling path substitutes SDP to redirect media/data to themselves.
Mitigations:
- Use WSS and trusted self-hosted broker.
- Future: bind identity keys to signaling (TOFU/QR — not v1 spec).
- Application E2EE limits impact on content if session keys already established; initial handshake is highest risk.
9.4.2 Malicious JavaScript supply chain
Threat: CDN or federation host serves backdoored bundle.
Mitigations:
- Self-host all remotes (Chapter 8).
- CSP, SRI where applicable.
- Subresource integrity review on deploy.
9.4.3 Malicious peer
Threat: Peer sends invalid frames to crash or confuse parser.
Mitigations:
- Strict decryption failure handling (no plaintext on error).
- Input validation on envelopes.
- Fuzzing and audit (planned).
9.4.4 TURN traffic analysis
Threat: Relay operator correlates timing and volume.
Mitigations:
- Direct P2P when possible.
- User-operated TURN.
- VPN (user responsibility).
9.4.5 Local device compromise
Threat: Malware reads OPFS or memory keys.
Mitigations:
- At-rest encryption (WIP).
- OS-level device security (out of app scope).
9.5 STRIDE summary
| Category | Example | Control |
|---|---|---|
| Spoofing | Fake peer ID on broker | Peer ID is not authenticated globally — limitation |
| Tampering | Ciphertext bit flip | AEAD at cascade + transport |
| Repudiation | Deniable messages | Signal-style deniability (layer-dependent) |
| Information disclosure | Metadata at TURN | Disclosure + user config |
| Denial of service | Flood data channel | Rate limits (partial) |
| Elevation | N/A browser sandbox | Browser isolation |
9.6 Audit and verification status
- Independent security audit: Not yet completed; arrangements in progress.
- In-house audit docs: Available in
p2p/security-audit/(engineering reference). - Formal verification: Signal core — see formal verification; does not cover full web stack.
9.7 Residual risk statement
Even if all mitigations work as designed, Enkrypted Chat MAY NOT protect against:
- Compromised endpoint (browser extension, malware)
- Sophisticated traffic analysis on TURN/VPN exit
- Social engineering of peer IDs
- Undiscovered implementation vulnerabilities
Users with high-threat models SHOULD wait for independent audit results or deploy self-hosted infrastructure with expert review.