On Wed, Apr 05, 2006 at 03:41:11AM -0500, Josh Webb wrote:
> Now, I'll admit I haven't been following Freenet 0.7's development very
> closely, and I'd imagine the issue has been brought up before, but...
>
> It seems that the argument for a darknet is that somebody watching your
> traffic won't see you communicating with "known Freenet nodes," thereby
> making it harder to know if you're running a node.

No, the argument is that they can't harvest, and they can't use spoofing
attacks.

Harvesting: Very cheaply find all nodes (these can then be blocked at
zero cost).

Spoofing: One large node pretends to be many nodes, always assigning the
source to itself. It gets connected to every node on the network, and
can then spy on or interfere with most requests.

>
> However, the effectiveness of this approach would seem to be mitigated
> by the fact that an observer who can tell if you are communicating with
> a "known Freenet node" will also be able to see that you are sending and
> receiving a relatively large amount of encrypted UDP traffic, which
> would tell them "something" is going on. If you were in a situation
> where simply running a Freenet node was something you wanted to hide,
> that "something" would be almost as bad.

This is true, however, this sort of traffic flow analysis is several
orders of magnitude more expensive than running an ordinary node and
blocking every discovered node on the national firewall. We expect there
will be alternative transports in future:
- Simple stego: HTTP, HTTPS, SSH, VoIP, games, etc.
- Fixed wifi links
- Mobile automatic wifi rendezvous
- Passing boxes of disks around

And so on. The point is, for literally hundreds of dollars a year, the
Chinese government can completely block opennet freenet. It is *far*
more expensive to block darknet - even with its current transport
protocol which is optimized for speed rather than invisibility.

>
> Now, let's get to the problem darknets and their "trusted peers"
> introduce. For this, I will use a more specific example. Let's say there
> is a group of Chinese citizens that are using Freenet to discuss
> democracy. Now, let's say one of the members of the group gets caught
> passing out pro-democracy leaflets. The authorities will then take the
> member's computer and determine, through Frost list subscriptions,
> browser cache, etc. that the member was using Freenet to discuss
> Democracy. (Remember, this would be one of the less cautious members, so
> the previously mentioned things might not be securely
> encrypted/deleted.) The member's Freenet node would then be monitored,
> and because any communications with it are going to be from peers the
> member specifically added, the authorities could reasonably assume most
> neighboring nodes use Freenet for the same purpose.

This costs a lot more than just blocking the network. Furthermore, a
careless member probably communicates with his pals frequently either in
real life or via email, instant messaging, text message etc. I accept
that it is a concern that connections will give away trust, however,
this happens even without Freenet.

>
> So, it seems to me that a darknet based Freenet is only marginally
> effective at solving one problem

Not true. Darknet Freenet makes it possible to use Freenet in nominally
hostile regimes. The Freenet 0.5 session protocol was blocked by China
last year. Freenet 0.7 doesn't have identifiable session bytes but if it
was exclusively opennet then it could be blocked by one technician with
very little cost.

> and creates a new, larger problem. One
> of the benefits to anonymity of an opennet approach is that a connection
> between nodes does not imply a relationship between the nodes' operators.

Unfortunately opennet is not viable in hostile regimes, full stop. If
darknet isn't either then I don't see what the point is of Freenet. And
there are certainly attacks which are much easier and more powerful on
an opennet.

>
> I'm sure darknets have their uses, but an opennet seems to be more in
> line with Freenet's objectives.

--
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
