I'm not seeing that many options though. The Phantom project died pretty fast; https://code.google.com/p/phantom/ https://groups.google.com/forum/#!forum/phantom-protocol http://phantom-anon.blogspot.se/
So who's out there developing any useful protocols for anonymization today? *Anybody*? Could we try to start a new project (if needed) to create one? (I would like one with at least the same level of functionality as I2P, even if it would have to have a very different architecture.) 2013/6/30 Jacob Appelbaum <ja...@appelbaum.net> > Natanael: > > I would like to point out that the developers of the anonymizing network > > I2P are looking for more external review of the codebase (it's in Java, > by > > the way). Everybody who knows how to do security reviews of source code > and > > has time to spare should take a look at it. > > > > I've previously read papers like this: > > http://grothoff.org/christian/i2p.pdf > > My thought is that some of the ideas behind i2p are interest but many of > them are... misguided or perhaps ignoring some of the hard won lessons > from GnuNET, Tor, FreeNet, the Freedom Network, etc. > > We should be reviewing protocols, not the code for i2p, I think. I'm not > convinced that the overall architecture makes sense from what we know > about building anonymity systems. > > > FYI, I also think that I2P's supernode architecture is a whole lot better > > than Tor's directory servers. It's much more decentralized, to start > with. > > > > Yeah, about that... > > Have you seen the most recent paper by Egger et al? > > The file is about two weeks old: > > Last-Modified: Fri, 14 Jun 2013 23:46:05 GMT > > "Abstract. Anonymity networks, such as Tor or I2P, were built to allow > users to access network resources without revealing their identity. > Newer designs, like I2P, run in a completely decentralized fashion, > while older systems, like Tor, are built around central authorities. The > decentralized approach has advantages (no trusted central party, better > scalability), but there are also security risks associated with the use > of distributed hash tables (DHTs) in this environment. > I2P was built with these security problems in mind, and the network > is considered to provide anonymity for all practical purposes. Unfortu- > nately, this is not entirely justified. In this paper, we present a > group of attacks that can be used to deanonymize I2P users. > Specifically, we show that an attacker, with relatively limited > resources, is able to deanonymize a I2P user that accesses a resource of > interest with high probability. > > ... > > "The developers of I2P have reacted to the publication of attacks, and > they have improved their network to resist the DHT-based attacks > introduced in [3] and [4], by limiting the database to a subset of > well-performing nodes. This reduces the number of nodes involved in each > individual lookup to only one for most cases. Moreover, the performance > computation techniques were up-dated to make it more difficult for an > attacker to exploit them. As a result, I2P > is considered secure in practice. Unfortunately, this is not entirely > justified. > > "In this paper, we describe an attack that can be used to break the > anonymity of a victim who is using anonymized resources in I2P – for > example, a user browsing eepsites (I2P’s terminology for anonymous > websites) or chatting. We are able, with high probability, to list the > services the victim accesses regularly, the time of access, and the > amount of time that is spent using the service > > The full paper is here: > > http://wwwcip.informatik.uni-erlangen.de/~spjsschl/i2p.pdf > > Seems rather... well, not a lot better. :( > > > A link on Hidden Services: > > http://donncha.is/2013/05/trawling-tor-hidden-services/ > > > > Yeah, Ralf's paper is worth reading: > > http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf > > Discussion about this paper starts here - read the thread for tickets, > fixes, etc: > > https://lists.torproject.org/pipermail/tor-dev/2013-May/004909.html > > All the best, > Jacob > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography >
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
