(Note: recent events have lead to these topics being in the news quite often in recent weeks. However, Pond is not a reaction to those events - it was started nearly a year ago.)

For secure, synchronous communication we have OTR and, when run over Tor, this is pretty good. But while we have secure asynchronous messaging in the form of PGP email, it's not forward secure and it gratuitously leaks traffic information. While a desire for forward secure PGP is hardly new, it still hasn't materialised in a widely usable manner.

Additionally, email is used predominately for insecure communications (mailing lists, etc) and is useful because it allows previously unconnected people to communicate as long as a (public) email address is known to one party. But the flip side to this is that volume and spam are driving people to use centralised email services. These provide such huge benefits to the majority of email communication, so it's unlikely that this trend is going to reverse. But, even with PGP, these services are trusted with hugely valuable traffic information if any party uses them.

So Pond is not email. Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker.

Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. Unless you're looking to experiment you should go use something that actually works.

Please email any feedback to agl at imperialviolet dot org or else use GitHub's tools.


User Guide (for CLI) Threat Model Technical Details Source Code



One can either build from source or use the prebuilt binaries. For building from source, see the section below.

The following binaries are all 64-bit and are distributed in signed, OpenPGP form. You can obtain my key with gpg --recv-key C92172384F387DBAED4D420165EB9636F02C5704 or from https://www.imperialviolet.org/key.asc.

Ubuntu 13.10pond.gpgsudo apt-get install libtspi1 libgtkspell3-3-0
Debian Wheezypond.gpgsudo apt-get install libtspi1 libgtkspell-3-0
Fedora 19pond.gpgsudo yum install trousers gtkspell3
OS X 10.9Pond.tar.gpgWARNING: no support for erasure storage yet
Tails 1.1pond.gpgNo TPM because it goes against the spirit of Tails. Will store state file in ~/Persistent if found.


These are very simple build instructions that will get Pond running from source. You should read the commands before running them because, if nothing else, it'll put your GOPATH in ~/gopkg, which may not be where you want.

Ubuntu 13.10
sudo apt-get install golang git libgtk-3-dev libgtkspell3-3-dev libtspi-dev trousers tor mercurial tpm-tools
mkdir gopkg
export GOPATH=$HOME/gopkg
go get github.com/agl/pond/client
Debian Wheezy and Ubuntu 12.04

Same as Ubuntu, above, but 1) on the go get command line add -tags ubuntu before the URL and 2) the gtkspell package is called libgtkspell-3-dev. On more recent versions of Debian, the instructions should be exactly the same as Ubuntu.

WARNING: Using golang version 1.0 (Wheezy package) is not recommended and compatibility is untested. If you face any problems compiling pond try to upgrade golang to version 1.2 from the testing repository.


Tails only supports the CLI mode of operation for Pond as it is based on an old Debian-stable. Build, install and usage instructions for Tails users:

sudo apt-get update --fix-missing
sudo apt-get install -t unstable golang
sudo apt-get install mercurial trousers gcc
sudo apt-get install -t squeeze-lts -y libssl-dev
sudo apt-get install -t backports libtspi-dev
mkdir ~/Persistent/go/
export GOPATH=$HOME/Persistent/go/
export PATH=$PATH:$GOPATH/bin
go get -tags nogui github.com/agl/pond/client
alias pond-client="$GOPATH/bin/client --state-file=/home/amnesia/Persistent/.pond"

(Note: the build process reportedly fails with less than 1GB of memory. You can still run Pond with less than 1GB, but you'll need to build it elsewhere.)

In order to update Pond, from time to time, run:

go get -u -tags nogui github.com/agl/pond/client
Fedora 19

Fedora's golang package appears to be completely broken, so this installs Go from source.

sudo yum install gtk3-devel gtkspell3-devel gcc trousers-devel git mercurial tor
sudo systemctl start tor
hg clone https://code.google.com/p/go
cd go/src
export PATH=$PATH:$HOME/go/bin
mkdir gopkg
export GOPATH=$HOME/gopkg
go get github.com/agl/pond/client
yaourt -S trousers mercurial tor go
mkdir gopkg
export GOPATH=$HOME/gopkg
go get github.com/agl/pond/client
systemctl start tor.service

In order to actually use the TPM, you'll need to systemctl start tcsd.


It's possible to get Pond building on OS X after spending lots of time with homebrew. Something that's known to have worked,

// You will require Tor to run Pond. If you do not already have it, you can get
// it from https://www.torproject.org/download/download.html.en . Running the Tor
// Browser Bundle is enough.

// These instructions assume the use of the Homebrew package manager for OSX.
// If you are already using macports or fink (competing package managers), you may
// not be able to follow these instructions. If you are not using any of these and
// need to install homebrew, you can find the instructions on doing so at
// http://brew.sh/

// Install prerequisites for running Pond
brew install go gtk+3 gtkspell3 mercurial

// You can either edit the GTK+ package build to use Quartz (the OS X graphics
// library) directly, or install XQuartz, an X server with a Quartz backend.
// XQuartz can be installed from http://xquartz.macosforge.org/. Otherwise:

brew edit gtk+3

// ... and then add --enable-quartz-backend to the configure arguments

// Add your go environment variable settings
export GOPATH=$HOME/gopkg
export PATH=$PATH:$GOPATH/bin
export PKG_CONFIG_PATH=/opt/X11/lib/pkgconfig:/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
// You need to also add these to your ~/.profile file if you want to run pond again after reboot, unless you want to manually apply the settings each time you run pond.

// Finally, install pond:
go get github.com/agl/pond/client
// now `client` should be in your path

However, unless you are already familiar with GTK development on OS X, I'd suggest using a Linux machine at this point. Since OS X development doesn't occur on my main development machine, I have to move patches across which also means that github doesn't always have the most up-to-date OS X changes.

WARNING: there are no TPM chips in Macs and, since they generally use SSDs, which are log structured internally, messages cannot be safely erased. There is a firmware NVRAM on Macs that could be used for erasure storage, but I haven't written support for that yet.

Running a Pond server

Note: this documentation is included for completeness but most users are not expected to run their own servers. At this point in the development, things are still changing and one may need to observe the development in order to know when server updates are needed.

Go environment

Create a user called pond and make sure its go environment is setup:

export GOPATH=/home/pond/go
export PATH=$PATH:$GOPATH/bin
Create pond server identity

Note that the pond server logs to stdout.

% cd /home/pond
% mkdir pond-server-base
% server --init --base-directory /home/pond/pond-server-base
2013/12/24 16:35:46 Started. Listening on port 16333 with identity FJPZWT4E6Y3BOYYXSLJII4EMZPFCU7CDL7DM3AZ4V65X4TGDKN6A
Start pond server normally
% cd /home/pond
% server --base-directory /home/pond/pond-server-base
2013/12/24 16:35:46 Started. Listening on port 16333 with identity FJPZWT4E6Y3BOYYXSLJII4EMZPFCU7CDL7DM3AZ4V65X4TGDKN6A
Setup a Tor hidden service

Make a torrc for your hidden service, as in this snippet:

HiddenServiceDir /var/lib/tor/pond_server/
HiddenServicePort 16333
Restart tor and then get your .onion addr:
% service tor restart
% cat /var/lib/tor/pond_server/hostname
Construct Pond server URL

Construct your Pond server url like this: pondserver:// + pond_server_id + @ + onion_address. The example above would yield:

Running under systemd

The Pond server doesn't fork into the background so systemd provides a nice way to run it as a service. Here's an example unit for doing so:


ExecStart=/home/pond/go/bin/server --base-directory /home/pond/pond-server-base