Hi there,

On Sunday, 17 November 2013 23:44:14 Cathal Garvey wrote:
> Retroshare isn't "like tor", it's "the opposite of tor".
>
> Tor establishes a network of mutual distrust (kinda; you still trust
> some aspects of the network such as the directory servers).
>
> Retroshare establishes a network of mutual trust, although you can
> withhold certain details such as whether you or merely a friend known
> to you is sharing the files you make available (although as mentioned
> by another this is likely to be traceable with enough network data).

Right.

> For high-security work, something like i2p or Tor is probably better.
> For an alternative to daily, casual internet traffic, Retroshare's
> *idea* is probably superior; by relying on existing relationships of
> trust, you can probably get better performance, and data that's
> relevant to your interests is likely to be nearby in the network
> because of social networking effects.

Aye.

> However, the flipside is without existing relationships of trust,
> you're dead in the water; I tried Retroshare for a while but had no
> friends on it, so had no access to the "core network" through any
> trusted links.

Yeah, that's kinda where I am now. I am wondering if:
- it's possible to use my already established PGP/GPG web-of-trust;
- it's actually a good idea to do it.

> Also, I get mixed signals about the developer attitude to some security
> aspects of the P2P side of things. For example, they use SHA1 for the
> distributed hash table, whereas in my opinion one should never use an
> even partially broken hash for a *hash table*; you never know what
> exploits are known privately that further break the hash, and should
> generally assume it's fully broken if your threat model includes
> adversaries like the NSA. If you're willing to compromise on the
> quality of the hash that underlies the entire P2P end of the system,
> I'm wary about your attitude to security overall.

Oh, this is important information, didn't have that. Thanks.

> This wasn't such a big deal 'til I saw some anons advocating Retroshare
> as a "usable crypto" solution. Well, it is; if your adversary is a
> talent-starved rent-seeking quango like the RIAA. If your adversary is
> the world's biggest circle-jerk of military cryptographers, I wouldn't
> go there, personally.

Right.

> Maybe I'm paranoid about SHA1? I'm eager for other opinions here.
> Crypto is an area where the Dunning Kruger only gets worse the deeper
> you go.

+1 on wanting to hear more about it.

--
Regards,
rysiek
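The point raised in the quoted mail about using a partially broken hash for a DHT can be made concrete with a small experiment. The following is an added example written for this thread; it is not Retroshare's code and not from either poster. It models a content-addressed table (a DHT keys content by its hash and a careful client re-hashes what it fetched to check it got the right bytes) and uses a deliberately truncated 16-bit hash, `weak_key`, as a stand-in for "a hash with cheap collisions". The names `ContentStore`, `weak_key`, `sha256_key`, `find_collision` and `demo` are hypothetical, and the `file-N` inputs are constructed. The experiment shows why the client-side integrity check is no defence once collisions are practical: two distinct contents share a key, the later insert overwrites the earlier one, and both pass verification.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

HashFn = Callable[[bytes], bytes]


def sha256_key(data: bytes) -> bytes:
    """Full-strength key: the whole SHA-256 digest of the content."""
    return hashlib.sha256(data).digest()


def weak_key(data: bytes) -> bytes:
    """Hypothetical stand-in for a 'partially broken' hash: only 16 bits
    of SHA-1 are kept, so a birthday search finds collisions in a few
    hundred tries.  It exaggerates the weakness; it is not real SHA-1."""
    return hashlib.sha1(data).digest()[:2]


class ContentStore:
    """Toy content-addressed table: key = H(content), as a DHT does."""

    def __init__(self, key_fn: HashFn) -> None:
        self.key_fn = key_fn
        self.table: Dict[bytes, bytes] = {}

    def put(self, data: bytes) -> bytes:
        key = self.key_fn(data)
        # A colliding insert silently overwrites the earlier content.
        self.table[key] = data
        return key

    def get(self, key: bytes) -> bytes:
        data = self.table[key]
        # Integrity check a careful client performs on fetched content.
        # Once two contents share a key, both pass it, so it cannot help.
        if self.key_fn(data) != key:
            raise ValueError("content does not match key")
        return data


def find_collision(key_fn: HashFn, limit: int) -> Optional[Tuple[bytes, bytes]]:
    """Birthday search: return two distinct inputs with the same key,
    or None if none appears within `limit` constructed inputs."""
    seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        data = b"file-" + str(i).encode()   # constructed sample content
        k = key_fn(data)
        if k in seen:
            return seen[k], data
        seen[k] = data
    return None


def demo(key_fn: HashFn, limit: int = 200_000) -> bool:
    """True if the store served the wrong content for a key, i.e. the
    key function let a second content take over an existing key."""
    pair = find_collision(key_fn, limit)
    if pair is None:
        return False
    original, impostor = pair
    store = ContentStore(key_fn)
    key = store.put(original)
    store.put(impostor)          # same key, different bytes
    return store.get(key) != original


if __name__ == "__main__":
    print("weak 16-bit key served wrong content:", demo(weak_key))
    print("SHA-256 key served wrong content:   ", demo(sha256_key))
```

With the truncated key the search succeeds almost immediately and `get` hands back the impostor without complaint; with SHA-256 the same search over 200,000 inputs finds nothing, which is the property a DHT key needs. The design takeaway is the one in the quoted mail: integrity checks downstream of the hash inherit its collision resistance, so the hash choice decides what the whole table can promise.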