On Mar 27, 2009, at 2:43 PM, Matthew Kaufman wrote:
Nicholas Weaver wrote:
Except that if someone really wants to map the P2P overlay, they
can use a load of sybils participating in the network.
Not if they're unable to participate in the network but are only
able to passively observe.
Closed world networks work when small, they fail when large. It's
exactly the botnet analysis problem, and there is a lot that can be
done once you get a single node, let alone the ability to participate.
This is the point:
Peers can find out about other peers
True.
Once you let an opponent into the network in any way, they can
create sufficient sybils to map the network completely.
There may be sufficient cryptographic protection that an opponent
cannot be a network participant.
If you carefully control admission and use some group key games, you
MIGHT be able to do it, but I wouldn't count on it.
Additionally, nodes churn, and churn alone can get you a lot of
information.
Not to mention the ISP can determine who's talking to who just from
traffic analysis alone, should that be desired.
The ISP (or any passive observer of a node) is limited to seeing
only those nodes a specific node chooses to talk to, not the larger
list of nodes that are under consideration for communication. ALTO
may potentially expose that larger list... to a passive observer if
ALTO communication is not protected by encryption, just to the ISP
if it is. In some cases the ISP may be more trusted than passive
observation is. (For instance, a user might be on an unencrypted
wireless network and unwilling to trust other people sitting nearby
but be willing to trust the operator of that network.)
A) Then don't use localization for such a sensitive application!
This application you describe views the network as an opponent, so you
aren't going to want to use external localization services at all!
Period. Because just the ACT of querying tells the localization
service information, as well as node information, and a bunch of others.
B) An ISP vantage point doesn't just see one node, but a boatload of
nodes.
It is all these items which mean that direct bulk-data P2P can't be
privacy preserving, thus relaxing privacy constraints when
developing localization should be a priority, especially when it
comes to interacting with caching.
The privacy constraints are already relaxed because of the
possibility of passive observation. If ALTO is significantly less
private then some applications which might benefit from ALTO will be
unable to use it. That would be unfortunate for the ISPs.
My argument, however, is that you are at a middle ground on privacy that is
ALMOST useless: active attackers and ISP level monitoring can rip
through so much of the privacy at the level you describe.
That such an application can't use a localization service is, to my
mind, a small loss: such applications shouldn't really exist anyway
because most of the privacy preserving is an illusion.
Matthew Kaufman
_______________________________________________
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto