Michael Grube edited this page May 16, 2017 · 2 revisions
Clone this wiki locally

On Freenet, darknet connections are connections made between your node and nodes run by people you know and trust (ie, your friends). A node can have only opennet connections, only darknet connections, or a mix of the two.

In general, security on Freenet is stronger against attackers further away from you on the network. Because you trust that your friends won't attack your anonymity, darknet connections offer better security than opennet connections. Of course, this advantage disappears if you make darknet connections to people you don't trust.

A darknet, for Freenet purposes, is a network where node connections are created manually by the users of the nodes via invitations. These connections should be made on the basis of mutual trust, friendship, or acquaintance. If they are, then the network should have a small-world topology and routing will work, especially since darknet peers are more or less permanent. If the connections are made completely at random, then the network topology will be wrong, and routing will not work.

In darknet mode, Freenet uses location swapping to create a routable network. Unlike opennet, darknet connections are outside of the control of the node. However, the underlying graph (social network) has the correct topology, and so will the resultant darknet. Location swapping is used to assign routable location to nodes on the network.


A darknet is not harvestable because your node reference will never be passed on by the network to other nodes (except for friend-of-a-friend connections, and possibly a few more hops for PISCES tunnels). Therefore, an attacker running a darknet node can only see those nodes which he has managed to get invitations to connect to (and possibly nodes very close to them).

Consequently, you are vulnerable primarily to the nodes you are connected to. Thus, it is a good idea to only connect to people you trust, if this is possible. However it is safer to connect to just about anyone you know than to connect to opennet, where you can be targeted by the bad guys (connecting to everyone, alternating between different groups, or doing a mobile attacker source tracing attack) - provided that the reason you got to know them wasn't solely to find a freenet noderef (e.g. exchanging noderefs with total strangers on IRC), as in that case there is a good chance they are the bad guys.

Note that at present we have not yet implemented a solution to the https://bugs.freenetproject.org/view.php?id=3919 Pitch Black attack. This allows an attacker to disrupt a darknet. We have a solution demonstrated by thesnark's simulations http://www.draketo.de/light/english/freenet/mitigate-pitch-black-attack-simulation-works

For additional information, see the Security Summary.

Practical problems

The main practical problem is finding people to connect to. The current strategy is to build a huge opennet, make it easy to add people, and then move everyone to darknet for (vastly) better security and robustness.

However another problem is uptime. Your node needs to be online at the same time as your friends' nodes, ideally right across the network. Long-term requests can help but at the cost of multi-day latency. A filesharing box is another idea - don't run it on your laptop, run it on a cheap fanless 24x7 box that you leave at home with your good broadband connection. A further idea are friend-of-a-friend connections. With that option, you allow contacts of your darknet contacts to connect to you, which would mean one step of implicit trust.