Cwtch UI

The UI is built on therecipe/qt which links in Qt libraries.

Known Risks

Deanonymization through Content Injection

Status: Mitigated in several places

Like most UI frameworks, QML provides a HTML rendering engine with the potential to make requests through remote resource loading. Any kind of malicious content injection is therefore elevated to a critical deanonymization risk.

To mitigate such a risk we do the following:

  • Maintain our own UI library that explicitly relies on PlainText fields to handle all content (and thus styled safely)
  • Mediate all Cwtch api networking calls through Tor
  • Force QML to use a deliberately broken network resolver that is incapable of resolving remote content
  • Frequently test the UI for potential content injection vulnerabilities.

While none of these mitigations should be assumed robust by themselves, the combination of them should be sufficient to prevent such attacks.

Denial of Service through Spamming

Status: Partially Mitigated

There is currently no limitation on the number of messages that can be sent to a Cwtch server or by a Cwtch peer. Each message requires process and is added to the UI if valid.

We have put in work to ensure that an influx of messages does not degrade the app experience, however it will result in an increase in network badwidth which may be intolerable or undesired for many people - especially those on metered connections (e.g. cellphone data plans)

In order to be suitable to deploy groups at a wide scale, the app require a way to prevent Cwtch from fetching information over such connections, and this should likely be turned on by default.

Testing Status

The UI is currently only subject to manual testing.