Secure communication: Pond

Secure communication: Pond

The Pond is asynchronous, encrypted, forward-secure messaging application written by Adam Langley in Go programming language. The Pond’s graphic interface looks like an email client from the early 90s, but under the surface it’s doing a good job protecting end-to-end communication using common hipster state of the art encryption protocol. To be honest, I had some hard time make its source code running so I have created a guide “How to install Pond” for you. Let’s analyze it a little bit more.

Pond GUI. Simple, but sufficient

Encrypted in transit?

Yes. It uses “customized” well known Axolotl Ratchet (now simply Signal) protocol. Author omitted OTR’s key identifier, and anti-replay counter in order to minimize information leakage about exchanged messages.

Encrypted so the provider can’t read it?

Yes, Pond server only registers identities and redirect an end-to-end encrypted messages between communicating parties.

Can you verify contact’s identities?

Yes. Actually, you are not able to communicate with somebody who does not approve your communication in the first place. It’s basically opt-in communication system. Sender, to be able to send a message to the recipient, must have member private key from the BBS group signature scheme. The mechanics of the BBS signature scheme are hard topic and out of scope, but we can say that the usage of group signatures is also useful in preventing contact list leakage to the server.

Are past communications secure if your keys are stolen?

Yes. At the cryptography layer, it is managed by the OTR Signal protocol. Regarding to the message storage, Pond periodically erases old messages after 7 days.

Is the code open to independent review?

Yes, the Pond source code is published on Github. It’s written in Go programming language.

Is the crypto design well-documented?

Yes. Cryptography design is documented independently by the creators of Axolotl Ratchet protocol. However, Pond author also spent time explaining design decisions and threat modeling.

Has there been an independent security audit?

No. I am not aware of any formal security audit, but the code base is used by lots of folks from crypto community — Matthew Green at Johns Hopkins University, The Grugq. Even Ars Technica published article about Pond, but I know, it does not mean that it is secure.

Tor interoperability

Yes. Actually Pond is only working through the Tor network. The server side Pond application is run as a Tor Hidden Service.

I2P interoperability

No. Pond code base is currently not forked to operate with I2P. Theoretically, the architecture can be redesigned to work with other anonymity networks as well.

Network type

Pond uses the Tor Network to deliver messages. Client — server architecture is used. Data blocks are not sent in real time, because connections are exponentially distributed to prevent basic traffic analysis. Connections are never reused when the server is contacted. Pond also uses fixed sized blocks for message delivery and identity registration.


Pond has some really nice properties like default security provided by mandatory usage of Tor and a fixed length messages. There are also multiple ways how to exchange the first set of keys between communication parties and those methods are really worth of your attention. The only trouble that I see is a complexity of installation. You have to build it from source code, install dependencies that are not that easy to find, etc. Try it!