2013/11/18 Cathal Garvey <[email protected]>
> Retroshare isn't "like tor", it's "the opposite of tor".
>
> Tor establishes a network of mutual distrust (kinda; you still trust
> some aspects of the network such as the directory servers).
>

Yeah, Retroshare is Tor except with a different mechanism for finding peers. I don't see how that is the opposite of Tor. The "opposite" of Tor probably wouldn't use onion routing. BitTorrent might be closest to the opposite of Tor.

> Also, I get mixed signals about the developer attitude to some security
> aspects of the P2P side of things. For example, they use SHA1 for the
> distributed hash table, whereas in my opinion one should never use an
> even partially broken hash for a *hash table*; you never know what
> exploits are known privately that further break the hash, and should
> generally assume it's fully broken if your threat model includes
> adversaries like the NSA. If you're willing to compromise on the
> quality of the hash that underlies the entire P2P end of the system,
> I'm wary about your attitude to security overall.
>

Why does the DHT require a cryptographic-quality hash? I agree that SHA1 is too weak to be cryptographic, but a DHT is merely finding chains of other nodes. The worst that can happen is the adversary manipulating you into connecting to them with a higher chance. Given the whole friend-to-friend mechanism, I don't see much harm in that. It depends on the plugin that runs above it.

I must say that this is exactly the sort of thing I think makes RetroShare risky. Some choices can be conditionally okay. Building a big stack of software lacks overview easily.
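As an added illustration (not code from this thread, and not RetroShare's own DHT implementation), the block below models a Kademlia-style DHT: keys and node IDs live in a 160-bit space, closeness is the XOR metric, and node IDs are self-chosen. It demonstrates the failure mode the reply names, an adversary steering lookups for a key toward its own nodes: the attacker picks IDs that differ from the target key only in the low bits and occupies every one of the k closest slots, without inverting or colliding any hash. Running the same experiment with SHA-256 truncated to 160 bits as the key hash gives the same result, which shows where the lever actually is in this model. The file name, the honest-node population and the random seed are constructed for the example.

```python
import hashlib
import random

KEY_BITS = 160  # SHA-1 output width; the key space size assumed for this model


def key_for(name: bytes, hasher=hashlib.sha1) -> int:
    """Map a content or peer name onto the key space by hashing it.

    The digest is truncated to KEY_BITS so SHA-256 can be swapped in for
    comparison without changing the size of the key space.
    """
    return int.from_bytes(hasher(name).digest()[: KEY_BITS // 8], "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: the XOR of two IDs read as an integer."""
    return a ^ b


def closest_nodes(node_ids, key: int, k: int):
    """Return the k node IDs closest to key, the set a lookup converges on."""
    return sorted(node_ids, key=lambda n: xor_distance(n, key))[:k]


def honest_network(n: int, seed: int = 1):
    """Constructed population of honest nodes with uniformly random IDs."""
    rng = random.Random(seed)
    return [rng.getrandbits(KEY_BITS) for _ in range(n)]


def sybil_ids(target_key: int, count: int):
    """Attacker-chosen IDs adjacent to the target under XOR.

    No hash is broken here: node IDs are self-assigned in this model, so the
    attacker simply flips the low bits of the key it wants to sit next to.
    """
    return [target_key ^ i for i in range(1, count + 1)]


def eclipse_fraction(hasher=hashlib.sha1, n_honest: int = 2000,
                     k: int = 8, n_sybil: int = 8) -> float:
    """Fraction of the k-closest set for a target key that the attacker owns."""
    target = key_for(b"some-shared-file.iso", hasher)  # constructed sample key
    honest = honest_network(n_honest)
    attacker = set(sybil_ids(target, n_sybil))
    winners = closest_nodes(honest + list(attacker), target, k)
    return sum(1 for w in winners if w in attacker) / k


def nearest_honest_gap_bits(hasher=hashlib.sha1, n_honest: int = 2000) -> int:
    """Bit length of the distance from the key to the nearest honest node.

    With random IDs this stays near KEY_BITS - log2(n_honest); the attacker's
    IDs sit at distances of bit length <= 4, so honest nodes never win.
    """
    target = key_for(b"some-shared-file.iso", hasher)
    return min(xor_distance(n, target) for n in honest_network(n_honest)).bit_length()


if __name__ == "__main__":
    for name, h in (("sha1", hashlib.sha1), ("sha256/160", hashlib.sha256)):
        print(f"{name}: attacker owns {eclipse_fraction(h):.0%} of the k-closest set, "
              f"nearest honest node is {nearest_honest_gap_bits(h)} bits away")
```

The point the model makes is that the ID-placement attack works against a Kademlia-style lookup regardless of the hash used for keys: the attacker never needs a preimage or a collision, only the freedom to choose its own node IDs. What limits the damage is whatever sits above the DHT (in RetroShare's case, the friend-to-friend layer the reply refers to), which this model does not attempt to represent.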
