Contacts only option for who can message you, prevent block evasion from groups

I was writing a message to someone on how chatmail is actually a really good implementation in regard to being able to prevent block evasion, with the whole invite codes and being able to reset them: so you block someone, reset the code, and they should need that new code from you in order to reach you from a new profile.

But before I went ahead and committed to saying any of that, which could create a false sense of security if there’s something I’m missing, I chose to test out the thing I wasn’t 100% familiar with: how it works in regard to groups. So I tested it. Unfortunately, groups let folks block-evade and send a message request from a new profile without requiring an invite code.

Example:

The person that will be the blocker is named Bill. The person that will be the block evader is Ben.


Ben came across Bill’s Delta Chat invite on their fedi profile, and sent a message to them.

Bill blocks Ben for being nasty, and also resets their invite code, intending to prevent Ben from block evading.

Ben doesn’t know Bill has blocked him because, after all, Delta Chat in this regard is true to its being email under the hood, which is a good thing. But Ben may become suspicious that Bill has done so, despite there being no indication besides Bill no longer ever looking at Ben’s messages.

Ben knows of a way to block evade. He creates a group with Bill and a new profile.

That group created by Ben, like messages from Ben, is rejected by Bill’s Delta Chat due to Ben being a blocked contact. On Ben’s side, though, with the new profile also in the group, Ben can see Bill in the group’s member list.

From that new profile Ben created and added to the group, Ben clicks on Bill in the member list and messages Bill.

Bill receives a message request from that new profile of Ben’s.

Ben has therefore block-evaded using a new profile without requiring an invite code.


Proposal

Instead of having no option but to have groups as a vector for block evasion, open for all in said group to send you message requests, have an option for what messages to allow, similar to the classic email option for “all, chats only, accepted contacts”.

Have it set to “all” by default, with the option to choose “contacts only”.

So people can continue to have the expected behavior that they can request to message members from group chats, and that if you delete a contact on your side, you aren’t preventing them from being able to send you a request again if they still have you as a contact.

But with contacts only chosen, anyone in groups, and anyone you’ve removed from your contacts, even if they still have you as a contact, will need an invite from you to be able to reach you.

A contacts-only option would completely cut off block evasion and make Delta Chat, as far as I can tell, the most block-evasion-resilient chat app about, without the onus being on you to move profiles to get out of the block evader’s reach.

The thought about block evasion came about because I opted to add an invite link to one of my profiles on my fedi profile, but the last thing I want is a dav1d lol, so I’ve opted to have the invite in a followers-only pinned toot instead lol.

4 Likes

@jase Your phrasing seems overly verbose and vague, but let me see whether I understand what you want:

  • I have joined a public group of untrustworthy strangers. Then one of the participants started harassing and stalking me. What should I do?
  • You should delete the profile, create a new one and join the group with that (or just join other groups instead). In general, you should only participate in untrustworthy groups and contact untrustworthy individuals with a throw-away profile.

The threat model of Delta Chat identities, invites and spam resistance is documented in numerous threads already:

The gist is that after you exchange your first message or join a group shared with someone, they have your full public key and can utilize and forward it without restriction and subject you to numerous threats later on, until you throw it away.

While the behavior has been documented, perhaps new mitigations might still be useful.

One way to reduce the impact would be to implement identity key rotation: Another use case for identity key change

Another might be that, unless a new unknown account has previously gone through a personal invite link challenge (which I assume the local client could track in some way), any direct message from them is immediately and silently auto-deleted if some new “Established contacts only” option was picked.

I like the suggestion.

1 Like
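As an added illustration (not Delta Chat code, and nothing the thread’s participants posted), the following toy model replays the Bill/Ben scenario from the proposal above and the “Established contacts only” idea from the reply, once under the current “all” behaviour and once under a contacts-only policy. The setting names, invite-code format and profile names are assumptions made for the model.

```python
from dataclasses import dataclass, field
ALL, CONTACTS_ONLY = "all", "contacts_only"  # assumed names for the proposed setting


@dataclass
class Profile:
    name: str
    policy: str = ALL
    invite_code: str = "inv-1"
    contacts: set = field(default_factory=set)  # senders who came in through an invite
    blocked: set = field(default_factory=set)
    def reset_invite(self) -> None:
        # Old codes stop working, so a blocked sender cannot reuse the public one.
        self.invite_code = f"inv-{int(self.invite_code.split('-')[1]) + 1}"

    def accept_invite(self, sender: str, code: str) -> bool:
        if code != self.invite_code:
            return False
        self.contacts.add(sender)  # the invite challenge is what establishes a contact
        return True

    def receive(self, sender: str) -> str:
        # 'rejected' (blocked), 'chat' (established contact), 'request' (unknown sender
        # under "all") or 'dropped' (unknown sender under "contacts only").
        if sender in self.blocked:
            return "rejected"
        if sender in self.contacts:
            return "chat"
        return "request" if self.policy == ALL else "dropped"


def simulate(policy: str) -> dict:
    # Replay the Bill/Ben scenario from the thread under one policy (constructed data).
    bill = Profile("bill", policy=policy)
    public_code = bill.invite_code  # Ben found this on Bill's fedi profile
    out = {}
    bill.accept_invite("friend", public_code)  # a legitimate contact, for the trade-off
    bill.accept_invite("ben", public_code)
    out["first_message"] = bill.receive("ben")
    bill.blocked.add("ben")
    bill.reset_invite()
    out["after_block"] = bill.receive("ben")
    out["stale_invite"] = bill.accept_invite("ben2", public_code)  # False: code was reset
    group_members = {"ben", "ben2", "bill"}  # Ben's group; the group message is rejected
    out["group_create"] = bill.receive("ben")
    # ben2 reads "bill" from the member list and messages directly, no invite needed
    out["evader"] = bill.receive("ben2") if "bill" in group_members else "unreachable"
    bill.contacts.discard("friend")  # Bill deletes the contact; friend still has Bill
    out["deleted_friend"] = bill.receive("friend")
    return out
```

Under `ALL` the evader’s message lands as a request while under `CONTACTS_ONLY` it is dropped; the `deleted_friend` entry shows the trade-off the proposal accepts, since a contact you removed can no longer reach you without a fresh invite either.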

At first I was thinking of the groups feature as in: okay, as long as you don’t reside in groups, they can’t be a vector.

But what I mean by vector for block evasion is the blocked contact’s own groups.

Say I provided an invite link on this thread for folks to message me on Delta Chat. Someone that has a problem with people wanting safeguarding features comes along and uses that invite to harass. I block them and reset my invite link so the invite existing here no longer works.

That blocked user creates a new Delta Chat profile, and with the blocked profile creates a group chat, adding me and that new profile as members.

I won’t get that group chat bothering me because it’s created by a blocked user. However, the blocked user, from their new profile in that group, can click on me in the members list and message me. And I get a message request with their continued harassment as a result.

In that scenario, I didn’t even know I was in a group, and for as long as I continue to keep that profile, the blocked user can continue doing profile after profile, being added to that group chat to message me. A contacts-only option would prevent that in its entirety.

Luckily I’ve not had experience of it per se; I’ve just realised it from trying it out with three temporary profiles, “Blocker”, “Blocked” and “Blocked is block-evading”, where Blocked added Blocker via invite, Blocker added Blocked to the blocked contacts, and then Blocked created a group chat with their new profile “Blocked is block-evading” and Blocker, and from that new profile messaged Blocker via the group’s member list. And Blocker gets that request from that new profile.

With the rampant amount of block evading dav1d and ramon/jimmytruth do on fedi, any of their targets who have had a Delta Chat invite in their profile even once are at risk of them realising they can do this, with the only way to stop it being the more nuclear option of making a new profile and deleting the prior profile with all its chats. Whereas a contacts-only option would again be the saving grace in this situation, without needing to resort to that.

Hope that helps clear up what I’m talking about.

Granted, though, even if this was me talking about public groups, it could be a trusted friend that added me into one, as folks do all the time, adding folks to group chats without permission and all, and it could be that within the short time I was there and removed myself from it, not sending anything in it, someone jumps on the harassment train in my requests, and now, through no fault of my own, I have to just throw away possibly years of irreplaceable chats. I assume there are permissions on these group chats so it’s not a free-for-all to add folks without their consent, but all it takes is for one to be a free-for-all. Contacts only is a fantastic way to combat that.

1 Like

I urge you to check the existing threads, this is already known and documented:

If you found that my above workaround solved your issue at hand, feel free to click the Solution button on the comment.

The solution to my issue as stated will be a contacts only option in the settings like my feature proposal is.

How am I supposed to come across that thread when, as far as I can see, it’s only loosely connected to what my issue is?

I’d appreciate you coming across less like you’re throwing the book at me for opening an issue about an important aspect.

Someone searching “block evading” or “contacts only” is going to find my thread, but they aren’t going to find that thread you linked. I didn’t. I had no results. Searching only goes so far.

2 Likes

Yes, that’s why I linked it here, so it is easier to find and to possibly improve automatic clustering later. I agree that we should have more tools to combat harassment, hence why I’ve drafted this for you:

1 Like

The problem with client-side-only workarounds such as soft-ignoring or “blocking” users is that the chatmail server can’t offload it for you, as it can’t by design break into E2EE. This means one who wants to harass you can still DoS-bomb your account quota, your battery time and your mobile data allowance after they gain access to your email address and public key in the above way. Switching profiles makes you immune to this.

1 Like

Also, now that I better understand what you wanted this issue to be about, the following are also duplicates:

1 Like

Ah okay, I’d not really thought to that extent then. So what you’re proposing would be something similar to the idea of resetting the invite code to protect yourself, but an emergency reset that also resets your identity and encryption keys, so it rotates them, and you choose which contacts to be made aware of this, and on their side their chats are also swapped around, so it’s all similar to classic email, with chats saying the other person’s setup has changed.

Apologies for misreading your intent/tone. Thanks for clarifying about this.

Yea, I can definitely see your point that yes, with bad actors, whilst on one hand all they care about is doing profile after profile to harass non-stop, on the other hand, at the more technical level, they know they can absolutely cause havoc despite being blocked on the whole client-side aspect. So yea, identity rotation, whilst not having chats either way around being affected, would be absolutely fantastic, rather than delete-and-restart being the only option.

And yea, thanks, that’s more it for sure, those linked topics 🙂