The actual author will always be present, and the other participants won't be static, and so eventually only the author will remain in the intersection. 3. There is an easy so-called "intersection attack" in which the sets of users that are connected at any given time a pseudonymous entity posts are intersected. Users will create them on their own (by including a nickname in their posts) even if you don't build it in. 2. And you really can't have a forum without pseudonyms. multiple clients) to as many other peers as possible and observing who is the first to send new posts by the target pseudonym. It seems that the pseudonymous author of posts can easily be determined by connecting a bunch of Sybils (i.e. It may end up conveniently serving up those at most risk to their adversaries. As others have noted, anonymity is hard to get right, and the approach here has some serious flaws: 1. I do worry that "usable" has gotten more thought than "security", and providing a system that doesn't deliver the security it promises could be worse than not having the software at all. I think it's cool that you're making usable security software. But what if you don't want to use an official or semi-official network? Are there distributed, ad hoc network projects that would work well with this? Locally (for me) there are projects like to try and make sure there are networks for emergency situations. The problem with those situations is exactly that there is no infrastructure (or not a trusted infrastructure). etc - any situation where you want ad hoc, encrypted community Cory Doctorow "Little brother" scenario aftermath of a hurricane / natural disaster I can see lots of applications for this - beyond the reddit/bittorrent model, this would be really useful I get that this is a distributed application with encrypted transmission - but it does imply an infrastructure.
I have a tangential interest - forgive me if the following is off topic. And similar statements in the website got me thinking along a theme. Thank you for it I am enjoying playing around with it and am following the project on github. Echoing others I would definitely fix the license issue - and do that sooner than later. I really do not have a quibble with the application itself - nor the intended use. I like it - it installed easily enough on Mac. But it's easy to change, just delete the userprofile.json and you'll automatically produce a new one. It's probably more correct to say it identifies computers, rather than people. You're identified by your node id, which can hold multiple users. Yes, it's only direct connections, but when you connect to someone, it also gives you posts from other people the guy you connected to has upvoted. > it uses tls so it's just direct connections? so you're identified by your ip? I'm planning to add public key authentication in the future at the point I am reasonably confident the core stack is working reliably and there is sufficient interest. (There are two bitcoin topics currently, that's a corner case I'm fixing now) But there is no way to know who you are actually talking to, yes. The forums only exist as names, there is no way to have two forums with the same name, they will automatically be merged. >it seems that by saying things are anonymous you punt on all questions of identity? so there's no way to know that you are joining the forum you expect? You can opt out of connecting to bootstrap node if you have a friend you know to be currently online, and putting his / her ip:port at the settings page of the onboarding. Connecting to that node gets you a list of posts and a list of nodes, like every other sync with any other node. There is a bootstrap node, which you connect to at the beginning of your first boot.
Since the encryption is useless (mitm) yet you're not actually anonymous to an attacker (ip) it seems to combine the worst parts of insecure software with the worst parts of forums (no reliable identities). so there's no way to be sure two comments are by the same person? even in the same discussion? so it's really anonymous (not pseudonymous). You say (iirc) that keys are automatically regenerated and not verified. It uses tls so it's just direct connections? so you're identified by your ip? It seems that by saying things are anonymous you punt on all questions of identity? so there's no way to know that you are joining the forum you expect? Another way of saying the above - despite the encryption there's no protection against mitm, right?