Nice. One feedback for the maintainer of the OS X instructions: in the compile from source section, instead of giving the command line for installing homebrew (which by the way renders incorrectly with an emoticon on that wiki page) the best practice is to provide a link to the homebrew project page, because the command line may change, and because they don't want things like typos or emoticons getting in the way of people getting brew installed.
This is an excellent point. I know I've been guilty of the pattern: "provide detailed directions for a poorly documented build, then spend years maintaining them in blog post/comments".
Better would be to actually contribute to central project documentation, I suppose.
Please consider this a security review by a tenured P2P professor:
The whitepaper describes a simple and focused system relying on partitioning in an attempt to preserve scalability.
Bitmessage has many architectural similarities to Usenet and also offers no valid response to spam. Using a proof-of-work system to combat spam is proposed, but to-date science has not yet seen a working approach anywhere. Details are missing on this vital element plus defenses against the Sybil attack are missing from this design.
Mechanisms such as the "averageProofOfWorkNonceTrialsPerByte" in this system only slow down attacks and do not stop them. Check the impossibility proof by Harvard to see that systems like Bitmessage which react to any message cannot build an effective Sybil defense: http://dash.harvard.edu/handle/1/4907301
So this is known as a hard unsolved problem.
Further diving into the scalability issue is this project thread on their forum:
https://bitmessage.org/forum/index.php?PHPSESSID=8cl6qeafitk...
It would be great if the partitioning concept and algorithms could be explained in detail. It's again a hard problem, even group size estimation in a hostile environment is already non-trivial. So how group consensus is formed to do a break-up is difficult and prone to attacks.
This design is not incentive compatible. TOR has over 50% Bittorrent traffic, it's difficult to stop users from using(abusing?) TOR like that. Systems like Bittorrent and Bitcoin have some incentives, but Bitmessage with broadcasts and proof-of-work might even have a negative incentive for participation. I have seen no mechanism to prevent it's users broadcasting Blueray rips. This would bring down the system, one cluster at a time. Please check this work, it shows how to bring this type of P2P networks down: www.christian-rossow.de/publications/p2pwned-ieee2013.pdf
Publicity like "Bitmessage Sends Secure, Encrypted, P2P Instant Messages" might be nice. It creates a false sense of safety. If you want to protect against NSA snooping, you're up against a real army of crypto experts with decades of experience each.
Nice to see that this project has such an active Github community, 480 closed issues and 1159 commits. But, in my opinion it's back to the drawing boards... Sorry.
Disclaimer: working for 8 years on Tribler, a streaming Bittorrent client.
I appreciate the write up, it's why I popped into the thread.
That said, at least these folks are trying to protect against the NSA. What do you purpose we all do? Lay down and accept that they watch everything we do? Fuck that. Let's continue to build tools as a community. They may have a lot of people, but our community is bigger. So, fuck them.
People should continue to experiment, and try new things until we come up with various way to protect against the god damn NSA.
Indeed, we should not roll over and declare privacy an illusion.
A lot of people are experimenting with designs that will never work. It's just wasting programming resources, while projects like Tor starve for volunteers. My research team is currently merging Tor and Bittorrent (http://forum.tribler.org/viewtopic.php?f=2&t=5128&p=8585#p85...).
Clear designs (and lots of them) are more important then experimental code I believe.
Although I agree with your premise that clear designs are essential, I'd say that it's important nonetheless to implement them. Having an implementation is a marker of whether the design does/does not work. A whitepaper can theoretically show this, but an application is always (in my experience) more effective.
For example, when Satoshi first published the whitepaper for Bitcoin, there was talk on the crypto mailing list that it wouldn't scale due to its gossip-based protocol. Satoshi's design showed it did, and laid the foundations for future cryptocurrencies (Namecoin, Peercoin).
P.S. I've been following your work with Tribler, excellent stuff!
Doesn't I2P fit better, considering the design requirements? Tor would require very significant changes to scale better for high volume traffic, but I2P already handles it reasonably well.
I wonder why I2P is getting so small amount of love. I've read somewhere that for some reason it's popular only in Russia. It has two working email systems, working Bittorrent and much more. Maybe it lacks a native (C or C++) implementation?
Try installing it, search for files and watch download speeds. Onion routing and tunnels cost bandwidth. The crowd that is used to Bittorrent speeds (in combo with VPN safety) is not interested in 2 Kbit/sec speeds. Plus the user interface is hard to understand without having attended crypto courses.
My understanding of tribler is that it is going to use onion style routing and use some internal cryptocurrency to incentivize users to provide bandwidth. They hope that with proper incentives people will provide enough bandwidth to enable speeds that are high enough to stream high def video anonymously. They hope to prevent spam by enabling anonymous wiki editing of torrent channels and voting of torrent quality.
Sure, but that's still the reason it isn't as widely used. And because research resources in the anonymous-networking field are so limited the marginalization of I2P tends to be self-reinforcing.
What do you think of Bote mail in I2P, which uses DHT for relaying mail? It is set to hold mail in the DHT for 100 days or until fetched by the recipient. It also uses public keys as addresses (ECDSA and NTRU are the options), and all mail is encrypted. I2P provides traffic anonymization, and Bote mail supports letting mails be relayed with random delays to further anonymize the sender by removing time correlation.
I would love to see someone give i2p-bote a good analysis. I tried using it a couple of times but wasn't able to ever receive messages successfully. They are advertixing some pretty awesome features though; no content or metadata leakage; it is secure against a global passive adeversary if you use delays between relay hops; parties don't have to be online at the same time to communicate.
I've never had problems with receiving messages with it. Had I2P been running for at least 20 minutes or so to be able to establish enough connections? Bote can tell you how many Bote nodes it is connected to.
They have some vague ideas for scalability that they do not know how to implement.
Also they have some major security issues that I pointed out to them, but they simply ignored. I am sure bitmessage will never be a success because it is fundamentally broken.
I'm interested in bitmessage but it being unvetted / not heavily reviewed gives me pause. Do you have any doubts about the design (that can't be easily solved)?
Regarding the link, The proof of work requirement exists to keep the network from being flooded too easily. It has the side benefit that it may make sending spam uneconomic. That said, any attacker with a good GPU without a financial incentive could send a very inconvenient number of messages through the network as has happened before. About the paper "On the Sybil-Proofness of Accounting Mechanisms", I'm not sure of its relevance as Bitmessage uses neither accounting nor reputation. The stream branching algorithm will indeed require a good group size estimation algorithm. My current best thought is to use child streams whenever there are a certain number of messages already going through each of one's current streams per unit time. "So how group consensus is formed to do a break-up is difficult and prone to attacks." Luckily using child streams doesn't require consensus; one can decide for one's self. To join a child stream, all one does is say that they are a member of that stream in version messages, create Bitmessage addresses with that stream number imbedded therein, and advertise the node's existence in the parent stream from time to time. But malicious attackers could cause problems by flooding a stream and getting others to make a bad decision about when to start using a child stream. "I have seen no mechanism to prevent it's users broadcasting Blueray rips. This would bring down the system, one cluster at a time." The proof of work mechanism is supposed to prevent that. Broadcasting torrent files in Bitmessage broadcasts would require much less computing resources for the sender. "Please check this work, it shows how to bring this type of P2P networks down..". Which attack specifically? And why hasn't anyone used it to take down Bitcoin?
Regarding your last question, if someone throws an FPGA at the PoW algorithm, they could flood the network with a lot of data and that concerns me. And, as mentioned above, deciding when to use child streams in the context of a hostile environment remains and open question.
I wrote the libertymail proposal. You said you'd read it but you never commented on it.
It is mainly a summation of attacks that are possible on bitmessage, and provides solutions on how to prevent such attacks. I also propose a solution for scaling, one that could actually be implemented.
It lacks a "summation of attacks that are possible on bitmessage" or "solutions on how to prevent such attacks."
I like that you tried to add a feature where users could choose their own anonymity/usability balance. "Users should be able to choose to remain anonymous or to disclose (partial) address information and be a ’light’ client." 200MB a day just for headers is a little bit much for a mobile 'light' client. If the protocol supports sending only headers based on a filter then why bother supporting headers? The "seeding" node could just supply a list of body messages to download that pass a filter. This would also mean that no one ever has to sync headers.
(I'm just a guy interested in BM, not involved with development, yet)
forward secrecy is helped by 2 things: you cannot know who is the recipient of a message, so if you want to store the messages to be able to decrypt them in the future when you'll have obtained their private key, you'd have to store all the network messages
If you're worried by such an attacker, you can just create a new identity for each message, just like you can create a new bitcoin address for each transaction
Pond seems interesting, but quite different from bitmessage, especially I like bitmessage because of its user-friendliness (the UI needs lots of improvement, but you just download it, create an identity and off you go... I doubt about the feasibility of getting the whole world to use TOR, especially people in China/Iran or "my parents")
That's not forward secrecy. Usenet with encryption is not forward secret either.
> If you're worried by such an attacker [...]
Uh, shouldn't everyone be at this point?
> you can just create a new identity for each message
Key exchange and management is hard. That's why you try not to do it often. You could claim PGP e-mail was forward secret: All you need to do is use a new private key every time.
I know, that's why I wrote "forward secrecy is helped", it's not something that you get out of the box with bitmessage
moreover, since the keypair and the BM identity is one-and-the-same the key exchange and management comes for free, once you got the first message sent to your recipient... changing identity is much easier than creating a new gpg keypair and sending it to the other guy, and on top of that you'll get some added anonimity
From what I can tell, it would appear that this system is still vulnerable to some level of traffic analysis. Last I checked the messages are identical as they are sent around the network, so it should be possible to observe the origin of a message by observing the first node to transmit that binary string. A similar approach could be used to identify receivers if the acknowledge messages are enabled. While this doesn't get you the content of the messages it does leak some information about the sender and receiver which bitmessage should be hiding. This level of traffic analysis might seem unrealistic, but there doesn't seem to be a good way to detect 'evil' clients which could watch a large portion of the total network without too much resources (in theory).
There are some recommendations on the other forums about using tor to make this information less useful, but that is not what the system uses by default.
All users receive all messages. The only sort of traffic analysis you can do with this is to harvest all of the peers. You have no idea who is sending messages to whom.
Well if you can get a handful of nodes between the sender and receiver you can start to narrow down on which peers are sending what to whom. This is partly the same sort of traffic analysis that is use against TOR.
Unless I'm mistaken if you can see all the traffic a sender can be identified by being the first node to produce a set cyphertext. As the delays seem to be fairly short for the acknowledge messages, there is some chance that the receiver can be identified in a similar way.
eg
node A broadcasts C1 which has not been observed before
nodes B,C,D propagate the cyphertext C1
node D broadcasts C2 shortly after receiving C1
nodes A,B,C propagate C2
etc
Of course seeing this pattern in practice might be hard, but it still seems like a possible attack vector given the current system.
Have a messaging system that implements per-MB fees in order to support the network. The transaction has to be signed by the sender, receiver, and burdened nodes. BOOM no spam.
No one is willing to pay money to send messages. I even proposed Satoshi Nakamoto's idea (possibly other earlier peoples' idea) to require paying to send a message but receiving money to receive a message and no one would accept even that idea.
Who cares if some people don't accept an idea at first if it's backward compatible? Make a client that checks if the recipient isn't found in the encrypted network and gives you the option to fall back to regular email, even without the benefits of anonymity and privacy.
Besides that, the idea is to attach two "stamps" to an encrypted message. One goes to the recipient and one goes to the mail server, but only in tandem. That pays the mail server for storing the message until the recipient goes online to pick it up. And it also stops people from running their own fake mail server that just skims stamps and throws away the messages. It's basically a throwaway dropbox.
I'm dreaming and have no idea how to implement it, but I've kicked it around for years ever since pondering the Your Idea Won't Work "form" (http://craphound.com/spamsolutions.txt)
You must admit that even an imperfect setup that leaks a little bit of metadata is a lot less bad than storing your entire inbox in cleartext at the NSA, which is what regular email amounts to.
But he never argued against that, he is saying that bitmessage (aims to) provides a solution to a particular problem, and your proposal would absolutely dismantle that solution.
Whether the result would be better that another unrelated product is irrelevant.
"here is a sugar-free pie !"
"you should add sugar to solve the sour taste problem"
"but, that would defeat the whole no-sugar thing ..."
"You must admit that it's still a lot less bad than soyent though !"
Now, if this is scalable as the authors claim, wouldn't this be a nice vehicle for a decentralized facebook? I can see at least an issue, which is that large files (i.e pictures, videos) can be transferred but they would have to be stored on the hard drive of anyone who wants to keep having access to it. What do you think?
I just installed it. How do you give an address to people without disclosing it to the whole world if they don't have PGP?
This is one of my addresses, I feel lonely HN :-)
BM-2cUHuH7sJdt3GchrqSikvzWP4w7Vm2cjhK
(so much for not disclosing to the whole world, but this is just for fun)
Bitmessage addresses aren't secret. They are even being broadcasted to the P2P network when you create them. Of course, one can keep in secret (by not announcing it) that he/she owns a particular Bitmessage address but the addresses themselves are not secret.
This relied on being able to send lots of messages, and having the user visit a link contained in them. The first issue can be fixed by upping the proof of work required to send a message, although this will not stop a determined attacker who has lots of cycles to throw at the problem. As for the second issue, users should not be visiting links from addresses they do not trust. As with most anonymity systems, it is only as good as you treat it.
> The first issue can be fixed by upping the proof of work required to send a message, although this will not stop a determined attacker who has lots of cycles to throw at the problem.
Could you implement something like IRC's "flood prevention" in a proof-of-work based consensus algorithm -- so sending messages closer together costs prohibitively more?
The network could require, say, the work in a transaction to be proportional to ∑(1/message dt) for the messages signed by the transaction.
> Could you implement something like IRC's "flood prevention" in a proof-of-work based consensus algorithm -- so sending messages closer together costs prohibitively more?
This seems easily circumvented by creating lots of identities. Though maybe creating an identity could be costly?
