[cryptography] Potential funding for crypto-related projects
michael at briarproject.org
Thu Jul 4 12:44:27 EDT 2013
On 04/07/13 17:15, danimoth wrote:
> Uhm, I don't consider it a matter of centralization vs
> decentralization. I think the point is how I2P selects peers to
> communicate with; attacker DoS'd previous high-performance peers,
> then replace them with nodes under its control, and then do
> measurements to estimate the victim identity. In the section 5
> authors confirm that Tor shares with I2P a number of
> vulnerabilities (for example, repeated measurements could be made
> on hidden services). I consider myself a bit stupid, so I could be

As far as I can see, the attacks work by seizing control of the netDB,
which is i2p's decentralised directory service.

"We first show how an attacker can tamper with the group of nodes
providing the netDB, until he controls most of these nodes."

To mount a similar attack against Tor, the attacker would have to
compromise the directory authorities that sign the network consensus.
As far as we know that hasn't been done, so i2p's decision to use a
decentralised netDB instead of centralised directory authorities has
the practical effect of making these attacks possible.

I don't see any reference to Tor in section 5 of the paper - perhaps
we're looking at different versions?

> I completely agree with you, I only disliked the "I2P is flawed,
> don't use it but instead use Tor which is safe" tone used, as we
> all know that no existing methods or systems are bug-free.

I agree that we should always keep in mind that there are
vulnerabilities we don't know about. However, we still have to make
day-to-day decisions about which systems to use based on the
vulnerabilities we do know about.