Nicholas Weaver wrote:
> Except that if someone really wants to map the P2P overlay, they can
> use a load of sybils participating in the network.

Not if they're unable to participate in the network but are only able to
passively observe.

> This is the point:
> Peers can find out about other peers

True.

> Once you let an opponent into the network in any way, they can create
> sufficient sybils to map the network completely.

There may be sufficient cryptographic protection that an opponent cannot
be a network participant.

> Not to mention the ISP can determine who's talking to who just from
> traffic analysis alone, should that be desired.

The ISP (or any passive observer of a node) is limited to seeing only
those nodes a specific node chooses to talk to, not the larger list of
nodes that are under consideration for communication. ALTO may
potentially expose that larger list... to a passive observer if ALTO
communication is not protected by encryption, just to the ISP if it is.
In some cases the ISP may be more trusted than passive observation is.
(For instance, a user might be on an unencrypted wireless network and
unwilling to trust other people sitting nearby but be willing to trust
the operator of that network.)

> It is all these items which mean that direct bulk-data P2P can't be
> privacy preserving, thus relaxing privacy constraints when developing
> localization should be a priority, especially when it comes to
> interacting with caching.

The privacy constraints are already relaxed because of the possibility
of passive observation. If ALTO is significantly less private then some
applications which might benefit from ALTO will be unable to use it.
That would be unfortunate for the ISPs.

Matthew Kaufman
_______________________________________________
alto mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/alto