I made a distributed, anonymous network for online discussion
It's called Aether: it's a distributed, anonymous and decentralized public space where you can discuss without revealing your identity or being eavesdropped. It has no servers, and it's unblockable.
I wanted to see what HN thought of it—sorry to take your time if out of topic.
Download it here: http://www.getaether.net
A speakerdeck slide introducing Aether: https://speakerdeck.com/nehbit/aether-a-decentralised-online-public-space
Check out the bitcoin topic! I posted it on reddit earlier today, and there's been some discussion starting up there.
Source code is here: https://github.com/nehbit/aether-public/
What do you think?
46 comments
[ 2.4 ms ] story [ 101 ms ] threadAlthough I use mac, the lack of linux seems to be something that should be worked on.
For more information, here's a totally non-polished, detailed text about how it works.
https://dl.dropboxusercontent.com/u/5815330/aether.spec.v0.2...
it seems that by saying things are anonymous you punt on all questions of identity? so there's no way to know that you are joining the forum you expect?
another way of saying the above - despite the encryption there's no protection against mitm, right?
it uses tls so it's just direct connections? so you're identified by your ip?
you say (iirc) that keys are automatically regenerated and not verified. so it's really anonymous (not pseudonymous). so there's no way to be sure two comments are by the same person? even in the same discussion?
since the encryption is useless (mitm) yet you're not actually anonymous to an attacker (ip) it seems to combine the worst parts of insecure software with the worst parts of forums (no reliable identities).
[edit: sorry, updated the above slightly. ok, so there's some forwarding of messages which makes people more anonymous if an attacker doesn't see all the network. pre-snowden that might have seemed worth something.]
There is a bootstrap node, which you connect to at the beginning of your first boot. Connecting to that node gets you a list of posts and a a list of nodes, like every other sync with any other node. You can opt out of connecting to boostrap node if you have a friend you know to be currently online, and putting his / her ip:port at the settings page of the onboarding.
>it seems that by saying things are anonymous you punt on all questions of identity? so there's no way to know that you are joining the forum you expect?
The forums only exist as names, there is no way to have two forums with the same name, they will automatically be merged. (There is two bitcoin topics currently, that's a corner case I'm fixing now)
But there is no way to know who you are actually talking to, yes. I'm planning to add public key authentication in the future at the point I am reasonably confident the core stack is working reliably and there is sufficient interest.
> it uses tls so it's just direct connections? so you're identified by your ip?
Yes, it's only direct connections, but when you connect to someone, it also gives you posts from other people the guy you connected to have upvoted. You're identified by your node id, which can hold multiple users. It's probably more correct to say it identifies computers, rather than people. But it's easy to change, just delete the userprofile.json and you'll automatically produce a new one.
>> The basic idea is quite simple: if Alice likes a post written by Bob, Alice will upvote it, and thus will start to distribute that post, too, increasing Carol’s chances of coming across Bob’s post.
If i get it correctly , your protocol leaks votes data. Assume i'm an attacker connected to Alice. I now know what she voted for. I gather all her voted posts, and can build pretty decent profile of her and probably uncover some of her messages with some more complexity.
People usually vote their stuff. You gather all the posts that been voted by alice. You use text analysis software to group those posts into buckets with the same author.
If you can do this across a large span of the network you get buckets of anonymous authors and voting patterns. Alice's bucket is the one where everything is upvoted(most likely).
That's one way. It's hard to counteract. Even if your software just counteracted this while using something like TOR to supply the rest of the anonimity, it would be pretty cool.
Another way:
Tap the internet. Gather a list of nodes connected to alice. Connect your nodes to all those nodes.
Watch whether message X is first delivered to your nodes from alice or from someone else. If it's first from alice, you got her. Statistically this will catch her at least some times.
Anyway,don't get discouraged. anonimity is hard. really hard.
The field of detecting authorship is called stylometry, and preventing that is called adversarial stylometry. Here's a java open source software that you could use :
http://www.hacker10.com/other-computing/deceiving-authorship...
BTW , another issue. If you really want to achieve strong anonimity you have to have large number of users, and large number of researchers trying to break your system.
The best way to build anonymous forums in this context , is to build popular anonymous email(currently there's none. only 2 we might see in the future "the dark mail alliance" and "pinchon gate") , and use it for forums.
2#, I agree. I'm trying to get as many users as I can, posting to HN, reddit and all :).
* Your license sucks. Restricting modified code from connecting to the network tells me that your network protocol is fragile and exploitable
* How is your system better than Tor and a hidden service?
2) The license is very temporary. I'll switch to an OSS certified license soon.
3) Hidden services still need server resources. This is closer to Bittorrent than Tor.
It was 2007 and it was consuming 300MB of ram, that was just not acceptable. Maybe more tolerable now, but still bad.
I really do not have a quibble with the application itself - nor the intended use. Thank you for it I am enjoying playing around with it and am following the project on github.
Echoing others I would definately fix the license issue - and do that sooner than later.
I have a tangental interest - forgive me if the following is off topic.
The last line from the deck: "It requires zero infrastructure" and similar statements in the website got me thinking along a theme.
I get that this is a distributed application with encrypted transmission - but it does imply an infrastructure. Once you need an IP; you need a network.
I can see lots of applications for this - beyond the reddit/bittorrent model, this would be really useful - aftermath of a hurricane / natural disaster - Occupy wallstreet style demonstrations - Cory Doctorow "Little brother" scenario - etc - any situation where you want ad hoc, encrypted community
the problem with those situations is exactly that there is no infrastructure (or not a trusted infrastructure).
Locally (for me) there are projects like http://www.milemesh.com/ to try and make sure there are networks for emergency situations. But what if you don't wnat to use an official or semi-official network? Are there distibuted, ad hoc network projects that would work well with this?
> Echoing others I would definately fix the license issue - and do that sooner than later.
Agreed.
> The last line from the deck: "It requires zero infrastructure" and similar statements in the website got me thinking along a theme.
Zero infrastructure except a working internet connection. But far as I know those mesh networks also work over IP (at least they seem to) so Aether should have no problems working over a mesh network.
The infrastructure need not be trusted— the current Internet infrastructure is not trusted, and it works fine for most applications if used with HTTPS. Aether isn't too different, I'm literally encrypting with the same encryption suite (TLSv1) even.
https://www.dropbox.com/s/7mnb2gng6a66b9y/Screenshot%202013-...
I do worry that "usable" has gotten more thought than "security", and providing a system that doesn't deliver the security it promises could be worse than not having the software at all. It may end up conveniently serving up those at most risk to their adversaries.
As others have noted, anonymity is hard to get right, and the approach here has some serious flaws:
1. It seems that the pseudonymous author of posts can easily be determined by connecting a bunch of Sybils (i.e. multiple clients) to as many other peers as possible and observing who is the first to send new posts by the target pseudonym. And you really can't have a forum without pseudonyms. Users will create them on their own (by including a nickname in their posts) even if you don't build it in.
2. There is an easy so-called "intersection attack" in which the sets of users that are connected at any given time a pseudonymous entity posts are intersected. The actual author will always be present, and the other participants won't be static, and so eventually only the author will remain in the intersection.
3. There is no apparent protocol obfuscation. Despite the use of TLS, the protocol traffic patterns of this new protocol are likely to be highly identifying. They can then be easily confirmed by an active attacker directly connecting to the suspected participant. In addition, it doesn't seem that the list of participants is protected, and so an adversary can just connect to the network to discover who to block or punish. Tor will not solve the problem here if users have to be able to receive incoming connections. And if you're using Tor, then you are relying on an external system that has censorship issues of its own (e.g. access from China is currently extremely limited) and does rely on servers.
4. The bootstrap IPs can obviously be easily blocked.
5. The votes are not anonymous, which is unlikely to be clear to users and which are nearly as sensitive as authorship itself.
6. Denial-of-service here is as simple as flooding the network with "forwarded" posts and votes.
Here are some suggestions for designing a system that is secure and that people can trust as being secure:
1. Write a white paper describing the design! This is not a detailed protocol spec - it's a description of how the protocol works at a higher level along with arguments establishing its security properties. This allows others to understand and critique the design.
2. Check out some of the related system designs [0-6]. They have had to deal with the same issues, and you can learn from them. You can get all these papers and more at <http://freehaven.net/anonbib/>. As you can see at that site, people have been thinking about these issues for a while and have figured out a lot!
3. Submit your white paper to a computer security conference. Even if it doesn't get in, you will get feedback from experts.
As it is currently, I wouldn't trust my communication to this system. You really need a large and diverse user base to provide anonymity, and so you will have to work at convincing people that this is something they can trust. Good luck!
[0] "Membership-concealing overlay networks" by Vasserman et al. CCS09
[1] "Crowds: anonymity for Web transactions" by Reiter and Rubin. TISSEC 1998.
[2] "Freenet: A Distributed Anonymous Information Storage and Retrieval System" by Clarke et al. PET 2000.
[3] "Traffic Analysis: Protocols, Attacks, Design Issues and Open Problems" by Jean-François Raymond. PET 2000.
[4] "ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship" by Winter et al. WPES 2013.
[5] "Drac: An Architecture for Anonymous Low-Volume Communications" by Danezis et al. PETS 2010.
[6] "Tor: The Second-Generation Onion...
For your points, While I don't have a full–scale refutation, here's a few addendums in order. All of this is wrapped in a giant 'If I understand you correctly'.
> And you really can't have a forum without pseudonyms. Users will create them on their own (by including a nickname in their posts) even if you don't build it in.
That's human self–incrimination. As long as this is safe for an one–time user that opens the app on an internet cafe, posts something and goes away, I have some basic semblance of security I can build upon. That does not mean it is secure, it just means it's secure for something—and that's a start. (It might not be actually secure for even that, let me know if you know it not to be so)
> There is an easy so-called "intersection attack" in which the sets of users that are connected at any given time a pseudonymous entity posts are intersected. The actual author will always be present, and the other participants won't be static, and so eventually only the author will remain in the intersection.
The actual author won't always be present. The posts start at a point, but they do not need the author to be present to continue distribution. When Alice posts something and Bob gets the post, from then on Alice can disappear forever. If a post is below a threshold of availability on nodes Bob is connected to, Bob will flag it as neutral post (to make that distribution not count as an upvote) and start distributing it on his own to prevent post extinction. That said, this doesn't prevent intersection attacks, it just makes them less viable.
> Tor will not solve the problem here if users have to be able to receive incoming connections.
The users do not need to accept incoming connections. There are some very restrictive routers that refuse to be UPNP port mapped, and Aether works fine on them.
> and so an adversary can just connect to the network to discover who to block or punish.
For this, the roadmap is to have a 'protected' node which refuses all connections from nodes except those who are explicitly marked as trusted.
> The bootstrap IPs can obviously be easily blocked.
It does not rely on the bootstrap IP. If you have installed the application, it asked you in the onboarding process IP and port of a friend that you know to be online. If you give it that, it'll use it. In fact, I'm planning to turn the bootstrap node off or just make it a redirect to some other random node in the future.
> The votes are not anonymous, which is unlikely to be clear to users and which are nearly as sensitive as authorship itself.
They point to node id's, which are not users, but machines. This is an inherent tradeoff, in that I have to have some data to gauge the popularity of a post. As far as I know, there is no way out of this without implicit trust in a third party.
> Denial-of-service here is as simple as flooding the network with "forwarded" posts and votes.
Well, those posts won't get upvoted, and will get stuck in spam filters and upvote thresholds of users. None of those are implemented yet, of course, but this doesn't seem to be a structural problem.
> As it is currently, I wouldn't trust my communication to this system.
Please, for the love of god, don't trust Aether (yet). This is barely alpha level code.
For the rest, thank you. Much appreciated. I'll be reading.
> That's human self–incrimination. As long as this is safe for an one–time user... I have some basic semblance of security
So this is not anonymous reddit, then. That is much less useful, and it had better be extremely clear to users that they should only use it in that way.
> > There is an easy so-called "intersection attack"... The actual author will always be present,... and so eventually only the author will remain in the intersection.
> The actual author won't always be present. The posts start at a point, but they do not need the author to be present to continue distribution.
In this attack, the adversary would need to be one of Alice's peers most of the time. If he isn't, though, because Alice only connects to a few peers consistently, then he can at least identify one of those consistent peers. That serves as a focus for attack, say by denial of service.
> > Tor will not solve the problem here if users have to be able to receive incoming connections.
> The users do not need to accept incoming connections. There are some very restrictive routers that refuse to be UPNP port mapped, and Aether works fine on them.
So to actually be undetectable as using Aether, you can't accept connections. Then you have to hope that enough users are connecting for the anonymity and not the undetectability, or you'll have to provide some infrastructure nodes.
> > and so an adversary can just connect to the network to discover who to block or punish.
> For this, the roadmap is to have a 'protected' node which refuses all connections from nodes except those who are explicitly marked as trusted.
Great, if you promise undetectability, then this should be the default. Of course, that makes connectivity a challenge (what if everybody you trust doesn't accept connections because they also want to remain undetectable?).
> > The bootstrap IPs can obviously be easily blocked.
> It does not rely on the bootstrap IP. If you have installed the application, it asked you in the onboarding process IP and port of a friend
Sounds good!
> > The votes are not anonymous, which is unlikely to be clear to users and which are nearly as sensitive as authorship itself.
> They point to node id's, which are not users, but machines.
I don't understand the distinction being made here. In any case, the upvote is observed as coming directly from some IP. That is the identifier to worry about. As far as privately gauging the popularity of the post, I don't exactly understand what you need here, but they may be some crypto solutions that could work. Unfortunately, post popularity seems easily spoofed to me.
> > Denial-of-service here is as simple as flooding the network with "forwarded" posts and votes.
> Well, those posts won't get upvoted, and will get stuck in spam filters and upvote thresholds of users. None of those are implemented yet, of course, but this doesn't seem to be a structural problem.
What about the mechanism to prevent extinction of a post? Doesn't that spread a post without upvotes? And why can't I create a network of Sybils to upvote my spam posts? Also, spam filters are a UI mechanism, if I understand what you mean. I am talking about consuming network and memory via protocol flooding.
Depends on how you emphasize that sentence. It's reddit, but its anonymity is weaker on certain fronts and stronger on others. If used as one-shot device, it's pretty good. Otherwise, there are the issues you mentioned (which I plan to fix, to my best).
> So to actually be undetectable as using Aether, you can't accept connections. Then you have to hope that enough users are connecting for the anonymity and not the undetectability, or you'll have to provide some infrastructure nodes.
Correct.
> Great, if you promise undetectability, then this should be the default.
I do not promise undetectability, but it exists under certain circumstances. I will explicitly note those circumstances and mark undetectability as a side benefit only under those conditions.
> I don't understand the distinction being made here. In any case, the upvote is observed as coming directly from some IP. That is the identifier to worry about.
The distinction is largely academic as you said. If you have a cryptographic solution to that, I'd love if you could point me to the right direction.
> And why can't I create a network of Sybils to upvote my spam posts?
You can, but users can also block your nodes, or (we're really going into the medium-term future here) your nodes would be placed in blocklists, whose users—people who accepted them— would deny you from connecting to them. (This is a half–baked idea as of now, who maintains those lists etc.) This is a thorny problem. Spam filters, I was meaning less of an actual after-the-fact spam filter, and more of a "block this guy out, refuse connections" kind of filter. Sorry for the wrong choice of words.
All in all, very fair points I need to work on. If you would be interested in taking a look once in a while to point out where the logic holes are, I'd really appreciate your voice in development. If you'd be interested in helping out, send a mail to me (burak@nehbit.net)— I would try to run more important things by you before implementing to see if there are any obvious holes.