(Note: recent events have lead to these topics being in the news quite often in recent weeks. However, Pond is not a reaction to those events - it was started nearly a year ago.)

For secure, synchronous communication we have OTR and, when run over Tor, this is pretty good. But while we have secure asynchronous messaging in the form of PGP email, it's not forward secure and it gratuitously leaks traffic information. While a desire for forward secure PGP is hardly new, it still hasn't materialised in a widely usable manner.

Additionally, email is used predominately for insecure communications (mailing lists, etc) and is useful because it allows previously unconnected people to communicate as long as a (public) email address is known to one party. But the flip side to this is that volume and spam are driving people to use centralised email services. These provide such huge benefits to the majority of email communication, so it's unlikely that this trend is going to reverse. But, even with PGP, these services are trusted with hugely valuable traffic information if any party uses them.

So Pond is not email. Pond is forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker.

Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. Unless you're looking to experiment you should go use something that actually works.

Please email any feedback to agl at imperialviolet dot org or else use GitHub's tools.


User Guide (for CLI) Threat Model Technical Details Source Code



These are very simple build instructions that will get Pond running from source. You should read the commands before running them because, if nothing else, it'll put your GOPATH in ~/gopkg, which may not be where you want.

Ubuntu 13.10

First, install Go. The packaged version of Go (usually called golang) is unlikely to work.

sudo apt-get install git libgtk-3-dev libgtkspell3-3-dev libtspi-dev trousers tor mercurial tpm-tools
mkdir gopkg
export GOPATH=$HOME/gopkg
go get github.com/agl/pond/client
Debian Wheezy and Ubuntu 12.04

Same as Ubuntu, above, but 1) on the go get command line add -tags ubuntu before the URL and 2) the gtkspell package is called libgtkspell-3-dev. On more recent versions of Debian, the instructions should be exactly the same as Ubuntu.

Tails (Version 1.1.1)

First, if you have not done so already, configure Tails persistence (ApplicationsTailsConfigure persistent volume) to persist "Personal Data", "APT Packages", "APT Lists", and "Dotfiles". A reboot is required after these settings are changed.

Next, when starting Tails, click "Yes" at the "More options?" prompt to set an Administration password. You'll need this password to install Pond's dependencies.

Next, open a Terminal and copy and paste the following commands to build and install Pond:

echo 'export GOPATH=$HOME/Persistent/go/' >> ~/.bashrc
. ~/.bashrc
mkdir $GOPATH
alias pond-build='sudo bash -c "sudo apt-get update && \
apt-get install -y -t testing golang && \
apt-get install -y gcc git mercurial libgtk-3-dev libgtkspell-3-dev libtspi-dev trousers" && \
go get -u -tags ubuntu github.com/agl/pond/client && \
echo "Success." || echo "Sorry, something went wrong."'
alias pond-install-deps='sudo apt-get install libtspi1 libgtkspell-3-0'
alias pond='$GOPATH/bin/client'
alias pond-cli='$GOPATH/bin/client --cli'
alias|grep pond >> ~/.bashrc

Finally, run the following command (if you have not previously done so) to add your ~/.bashrc to the persistent storage:

cp ~/.bashrc /live/persistence/TailsData_unlocked/dotfiles/.bashrc

Each time you start Tails in the future, before you can run Pond, you'll just need to reinstall its runtime dependencies using the pond-install-deps command.

At this point, you should be able to run Pond's graphical interface with the pond command, or run its command-line interface with the pond-cli command.

From time to time you can re-run the pond-build command to update to the latest version.

Fedora 19

Fedora's golang package appears to be completely broken, so this installs Go from source.

sudo yum install gtk3-devel gtkspell3-devel gcc trousers-devel git mercurial tor
sudo systemctl start tor
git clone https://github.com/golang/go
cd go/src
export PATH=$PATH:$HOME/go/bin
mkdir gopkg
export GOPATH=$HOME/gopkg
go get github.com/agl/pond/client
yaourt -S trousers mercurial tor go
mkdir gopkg
export GOPATH=$HOME/gopkg
go get github.com/agl/pond/client
systemctl start tor.service

In order to actually use the TPM, you'll need to systemctl start tcsd.


It's possible to get Pond building on OS X after spending lots of time with homebrew. Something that's known to have worked,

// You will require Tor to run Pond. If you do not already have it, you can get
// it from https://www.torproject.org/download/download.html.en . Running the Tor
// Browser Bundle is enough.

// These instructions assume the use of the Homebrew package manager for OSX.
// If you are already using macports or fink (competing package managers), you may
// not be able to follow these instructions. If you are not using any of these and
// need to install homebrew, you can find the instructions on doing so at
// http://brew.sh/

// Install prerequisites for running Pond
brew install go gtk+3 gtkspell3 mercurial

// You can either edit the GTK+ package build to use Quartz (the OS X graphics
// library) directly, or install XQuartz, an X server with a Quartz backend.
// XQuartz can be installed from http://xquartz.macosforge.org/. Otherwise:

brew edit gtk+3

// ... and then add --enable-quartz-backend to the configure arguments

// Add your go environment variable settings
export GOPATH=$HOME/gopkg
export PATH=$PATH:$GOPATH/bin
export PKG_CONFIG_PATH=/opt/X11/lib/pkgconfig:/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
// You need to also add these to your ~/.profile file if you want to run pond again after reboot, unless you want to manually apply the settings each time you run pond.

// Finally, install pond:
go get github.com/agl/pond/client
// now `client` should be in your path

However, unless you are already familiar with GTK development on OS X, I'd suggest using a Linux machine at this point. Since OS X development doesn't occur on my main development machine, I have to move patches across which also means that github doesn't always have the most up-to-date OS X changes.

If you just want the CLI version of Pond, you can use the nogui tag like so:

brew install go
export GOPATH=$HOME/gopkg
export PATH=$PATH:$GOPATH/bin
go get -tags nogui github.com/agl/pond/client
alias pond="$GOPATH/bin/client"

WARNING: there are no TPM chips in Macs and, since they generally use SSDs, which are log structured internally, messages cannot be safely erased. There is a firmware NVRAM on Macs that could be used for erasure storage, but I haven't written support for that yet.

Running a Pond server

Note: this documentation is included for completeness but most users are not expected to run their own servers. At this point in the development, things are still changing and one may need to observe the development in order to know when server updates are needed.

Go environment

Create a user called pond and make sure its go environment is setup:

export GOPATH=/home/pond/go
export PATH=$PATH:$GOPATH/bin
Create pond server identity

Note that the pond server logs to stdout.

% cd /home/pond
% mkdir pond-server-base
% server --init --base-directory /home/pond/pond-server-base
2013/12/24 16:35:46 Started. Listening on port 16333 with identity FJPZWT4E6Y3BOYYXSLJII4EMZPFCU7CDL7DM3AZ4V65X4TGDKN6A
Start pond server normally
% cd /home/pond
% server --base-directory /home/pond/pond-server-base
2013/12/24 16:35:46 Started. Listening on port 16333 with identity FJPZWT4E6Y3BOYYXSLJII4EMZPFCU7CDL7DM3AZ4V65X4TGDKN6A
Setup a Tor hidden service

Make a torrc for your hidden service, as in this snippet:

HiddenServiceDir /var/lib/tor/pond_server/
HiddenServicePort 16333
Restart tor and then get your .onion addr:
% service tor restart
% cat /var/lib/tor/pond_server/hostname
Construct Pond server URL

Construct your Pond server url like this: pondserver:// + pond_server_id + @ + onion_address. The example above would yield:

Running under systemd

The Pond server doesn't fork into the background so systemd provides a nice way to run it as a service. Here's an example unit for doing so:


ExecStart=/home/pond/go/bin/server --base-directory /home/pond/pond-server-base