|
1 | 1 | //! IO-related types and functions. Specifically, fetching OHTTP keys from a payjoin directory. |
| 2 | +//! |
| 3 | +//! When multiple relays are configured, callers **should pick one at random per request** |
| 4 | +//! to avoid a fixed contact pattern at the network layer. The POST request (immediate |
| 5 | +//! response) and the GET requests (typically several 30-second responses followed by one |
| 6 | +//! shorter but likely non-immediate response) of a single client follow a temporal pattern |
| 7 | +//! that is different for the sender and the receiver (poll followed by post for receiver, |
| 8 | +//! post followed by poll for sender). OHTTP does not hide the client IP from the relay, |
| 9 | +//! which lets the relay link this information of "likely sender" or "likely receiver" to |
| 10 | +//! the IP address, which can reveal information like geographic location in some cases, or |
| 11 | +//! be linkable to personally identifying information. Due to the temporal pattern of the |
| 12 | +//! session as a whole, the relay may be able to narrow down to a list of candidate |
| 13 | +//! transactions, and then narrow those down further to those whose likely sender or |
| 14 | +//! receiver, assuming they are payjoin transactions, matches the fingerprint of the IP |
| 15 | +//! address. |
| 16 | +//! |
| 17 | +//! ## Health checks |
| 18 | +//! |
| 19 | +//! Some clients call [`fetch_ohttp_keys`] periodically to verify that the |
| 20 | +//! directory and relay infrastructure is reachable. Given the threat model |
| 21 | +//! above, this is acceptable only when: |
| 22 | +//! |
| 23 | +//! - The call is **not** triggered automatically on every app startup. |
| 24 | +//! Prefer triggering on user action (e.g. opening a settings/status |
| 25 | +//! screen) or piggybacking on operations the user already initiated |
| 26 | +//! (e.g. resuming an existing session). |
| 27 | +//! - The call is rate-limited so it does not produce a recurring timing |
| 28 | +//! pattern observable by the relay. |
| 29 | +//! |
| 30 | +//! A health check leaks the same metadata as a real payjoin request. |
| 31 | +//! Treat its frequency as part of your privacy budget. |
2 | 32 | use std::time::Duration; |
3 | 33 |
|
4 | 34 | use http::header::ACCEPT; |
|
0 commit comments