On Saturday 01 January 2011 16:50:11 Matthew Toseland wrote: > Right now the situation on Freenet is that: > - Your peers can see what you are doing. On either opennet or darknet! > - On opennet, anonymous identities can be traced by e.g. connecting to every > node. > - On darknet, tracing anonymous identities is very hard. > - It is possible to write a plugin to identify a large proportion of what > your friends are doing, and would not be all that difficult; the database of > keys would be the most resource-intensive part. > - Per-friend trust levels control how much data is shared with a friend node > but even low friend trust does not solve the basic problem of requests being > visible. > > IMHO at a minimum we need to: > - Tell the user in the first-time wizard. We are pretty close to this now, it > probably makes sense to elaborate very slightly, see the other thread. > - Make darknet a lot easier to use with invites, FOAF connections etc. > - Be careful what claims we make in public or on the website. > - Consider a change of terminology to emphasise darknet - "social darknet" ? > The point is your friends are a) your gateway to the network and b) assumed > to be non-hostile, and the attacker is assumed not to be one of your friends > but a distant entity such as a corporate or (not too annoyed / well funded!) > government agency. > > Ideally we would provide an option which would provide adequate protection > against a single malicious friend, albeit at a significant performance cost. > IMHO most users won't need this, at least most of the time, because e.g. > filesharers tend to connect to filesharers. > Tunnels may be possible: Because, on darknet, mobile attacker source tracing is hideously expensive, (and connecting to everyone is virtually impossible, we do not have to worry about distant attackers (except perhaps for the predictable-in-advance top SSK and chat posts). So we only have to worry about our direct peers. Plus, we have both direct friend-to-friend connections and FOAF connections to route down, which should make life easier. The simplest, rather limited options:
Me -> A's friend -> A We are directly connected to A's friend as well as A and can see that he is on a different IP address. We can even require that A's friend be connected to at least one other of our friends. However, he could still be bogus. This increases the cost of a casual attack by requiring 1) to hire a server, or co-opt a friend, and 2) to get connections for that friend by social engineering. (Me -> A -> A's friend has similar issues assuming we are connected to A's friend either way) Me -> A -> B The problem here is B can see A, and knows that both A and B are friends of X, the target; we would know this set in advance but IMHO it will often be very small. However, if we could find an indirect route that gives A a big enough anonymity set to B, maybe it could work. Downloading friend data from FOAFs may help (since we're connected to them anyway); then we could source route the whole path, not just A and B. Me -> A's friend -> B's friend OR Me -> A -> A's friend -> B's friend This gives a larger anonymity set. Again, downloading more hops will help. Somebody needs to play with a simulator to see if they can find an algorithm that works in a reasonable number of hops and with a reasonably limited set of data. Hopefully a full blown cellular structure won't be necessary but even if it is it probably isn't a hideous number of hops. However, the key thing is any such mechanism *only protects against local attackers*. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20110101/8e7d89e9/attachment.pgp>