Join GitHub today
Q: What makes the Cryptosphere different from [insert P2P system X here]?
A: This is a tough question to answer as there are myriad P2P systems with various degrees of overlap. We can first look at similar and dissimilar systems:
- Similar systems: Tahoe-LAFS, Freenet, GNUnet, MNet, IPFS, MaidSafe
- Dissimilar systems: Tribler, OneSwarm, RetroShare, Tor, I2P
The Cryptosphere is, at its heart, a way to distribute immutable cryptographically authenticated data structures between peers, and ensure that the data is replicated and persisted in a manner that provides a reliable storage system with similar (or potentially better) guarantees than centralized systems like Amazon S3. And, as the name implies, the primary goal is to ensure data remain confidential, potentially over long periods of time.
Q: Is the Cryptosphere being actively developed?
A: We are presently (as of May 2015) researching the prerequisite ideas of the Cryptosphere in a separate project called Confusion, which aims to provide an encrypted messaging system using the same prerequisite components as the Cryptosphere:
Q: What technologies is the Cryptosphere based on? Does it use BitTorrent or the Bitcoin blockchain?
A: No, the Cryptosphere is targeting highly reactive realtime behaviors, and BitTorrent and the Bitcoin blockchain are unsuitable for this. The Cryptosphere is built on novel, purpose-driven protocols optimized for low-latency, realtime operation.
Q: Isn't web security really hard? How can any system involving web browsers ever be secure?
A: We admit, it's a very, very, very hard problem, and we are bound to make mistakes along the way. But it's a problem being worked on from many different angles. The Cryptosphere's main contribution is a data security model for the web: attackers who compromise hosts cannot alter the contents of a web site without cryptographic keys.
The Cryptosphere also integrates others' efforts towards making the browser more secure using new "HTML5" features: iframe sandboxes (via Oasis.js), MessageChannel, and [Content Security Policy (CSP)][csp]
Q: Why not build the Cryptosphere entirely in a web browser using technologies like WebRTC and WebCrypto? Why have a backend component at all?
A: We look at web browsers as a hostile environment, and want to "airgap" the parts of the system that provide security from the browser itself. For this reason we never expose encryption keys into the browser environment at all. Browsers are given non-transferrable session tokens which are used in place of cryptographic keys, so vulnerabilities in web applications themselves do not compromise the encryption keys that keep the system secure.
This means that coding mistakes in the HTML/JS applications that run on top of the Cryptosphere cannot expose cryptographic tokens to third parties. This prevents a vulnerability in other web-based encryption systems where a simple code change in an application can be used to steal encryption keys and send them to a third party server.
Q: Will the Cryptosphere provide an anonymizing overlay network like Freenet and GNUnet?
Q: Do I have to provide storage service in the network to use it, or can I pay my way (e.g. with Bitcoins) instead?
A: Yes, it should be possible to purchase storage service from other peers.
Q: Why do you use Google Groups if you're such fans of privacy and decentralization?
A: We're fans of good user experience as well as not having to maintain things like mailing list ourselves because "the cloud" hosts it for us. We hope one day that a Google Groups like tool can be built on top of the Cryptosphere, but we have to build the Cryptosphere first. Google Groups acts like any other public mailing list, and you'd reveal nothing more to Google than if we ran our own copy of Mailman or ezmlm with a web archive.