New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add ipfs to the self contained networks section #361

Merged
merged 3 commits into from Nov 30, 2017

Conversation

Projects
None yet
4 participants
@emanresusername
Contributor

emanresusername commented Nov 14, 2017

Description

add ipfs to the self contained networks section

HTML Preview

http://htmlpreview.github.io/?https://github.com/emanresusername/privacytools.io/blob/master/index.html

@Shifterovich

This comment has been minimized.

Show comment
Hide comment
@Shifterovich
Collaborator

Shifterovich commented Nov 14, 2017

@beardog108

This comment has been minimized.

Show comment
Hide comment
@beardog108

beardog108 Nov 14, 2017

Contributor

@ipfs, while being open source, and utilizing encryption for traffic, was not designed with anonymity or privacy in mind (unlike Freenet, which is kind of similar in that they're both data store programs).

You can kind of form a darknet with IPFS if you set IPFS to only bootstrap with friends, (and your friends do the same) but this is not as good as Retroshare or Freenet when it comes to anonymity & privacy. This requires some technical knowledge so we shouldn't expect normal users to do this This can also be done with traditional torrenting to an extent, since private trackers and disabled DHT with enabled encryption would essentially do this.

Like Bittorrent, you can see who is seeding/sharing any given file on the public IPFS network, although VPNs can help with this to an extent. I don't believe IPFS supports Tor very well, but I could be wrong. I know OpenBazaar ended up creating an addon for onion support, but this was for OpenBazaar only.

Important Supercookie notice (privacy warning)

In addition to traditional torrent-like concerns, IPFS also includes a web gateway to access files from your browser. This is enabled by default, but I believe it can be disabled. Using an "attack" (not really an attack so much as it is an abuse of features) I came up with early this year websites (inside or outside of IPFS) can create supercookies which persist even if your browser is wiped or a different browser is used. Link to this attack, here.

I realize not everyone's threat model includes complete anonymity, so I guess it would be fine to add IPFS (as you are) to a worth mentioning, but I think we should put a warning.

To summarize:

  • IPFS is not much better than open source Bittorrent clients (in terms of privacy)
  • IPFS was not really designed with privacy in mind (although it does use encryption for traffic)
  • Some features can be abused to actually harm user privacy, even when they're not actively using IPFS.

edit: Should clarify that I think IPFS is great as a project, but not so good when it comes to privacy.

Contributor

beardog108 commented Nov 14, 2017

@ipfs, while being open source, and utilizing encryption for traffic, was not designed with anonymity or privacy in mind (unlike Freenet, which is kind of similar in that they're both data store programs).

You can kind of form a darknet with IPFS if you set IPFS to only bootstrap with friends, (and your friends do the same) but this is not as good as Retroshare or Freenet when it comes to anonymity & privacy. This requires some technical knowledge so we shouldn't expect normal users to do this This can also be done with traditional torrenting to an extent, since private trackers and disabled DHT with enabled encryption would essentially do this.

Like Bittorrent, you can see who is seeding/sharing any given file on the public IPFS network, although VPNs can help with this to an extent. I don't believe IPFS supports Tor very well, but I could be wrong. I know OpenBazaar ended up creating an addon for onion support, but this was for OpenBazaar only.

Important Supercookie notice (privacy warning)

In addition to traditional torrent-like concerns, IPFS also includes a web gateway to access files from your browser. This is enabled by default, but I believe it can be disabled. Using an "attack" (not really an attack so much as it is an abuse of features) I came up with early this year websites (inside or outside of IPFS) can create supercookies which persist even if your browser is wiped or a different browser is used. Link to this attack, here.

I realize not everyone's threat model includes complete anonymity, so I guess it would be fine to add IPFS (as you are) to a worth mentioning, but I think we should put a warning.

To summarize:

  • IPFS is not much better than open source Bittorrent clients (in terms of privacy)
  • IPFS was not really designed with privacy in mind (although it does use encryption for traffic)
  • Some features can be abused to actually harm user privacy, even when they're not actively using IPFS.

edit: Should clarify that I think IPFS is great as a project, but not so good when it comes to privacy.

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde

kewde Nov 14, 2017

Collaborator

I'm checking this out.

IPFS is indeed not made for anonymity but I have seen moves towards Tor support.
Browser issue is a real privacy threat tho.

Some interesting GitHub issues & repos that are about IPFS & Tor.
ipfs/notes#37
https://github.com/OpenBazaar/go-onion-transport

Collaborator

kewde commented Nov 14, 2017

I'm checking this out.

IPFS is indeed not made for anonymity but I have seen moves towards Tor support.
Browser issue is a real privacy threat tho.

Some interesting GitHub issues & repos that are about IPFS & Tor.
ipfs/notes#37
https://github.com/OpenBazaar/go-onion-transport

@emanresusername

This comment has been minimized.

Show comment
Hide comment
@emanresusername

emanresusername Nov 15, 2017

Contributor

😲 whoa! y'all are way more knowledgable here than i, i defer
relevant thread before i disappear
disappear

Contributor

emanresusername commented Nov 15, 2017

😲 whoa! y'all are way more knowledgable here than i, i defer
relevant thread before i disappear
disappear

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde

kewde Nov 16, 2017

Collaborator

@beardog108

IPFS makes use of an node keypair and it persist across reboots. This key is used in the protocol to identify itself & maintain a reputation with other nodes through an internal ledger.

A silly implementation of IPFS and Tor together, would still result in a persistent node keypair, essentially serving as a fingerprint.
I wonder if the current Tor implementation of IPFS makes use of ephemeral (temporary) keys in those cases.

Collaborator

kewde commented Nov 16, 2017

@beardog108

IPFS makes use of an node keypair and it persist across reboots. This key is used in the protocol to identify itself & maintain a reputation with other nodes through an internal ledger.

A silly implementation of IPFS and Tor together, would still result in a persistent node keypair, essentially serving as a fingerprint.
I wonder if the current Tor implementation of IPFS makes use of ephemeral (temporary) keys in those cases.

@Shifterovich

This comment has been minimized.

Show comment
Hide comment
@Shifterovich

Shifterovich Nov 17, 2017

Collaborator

Not private by default, though. Are we closing @kewde @beardog108?

Collaborator

Shifterovich commented Nov 17, 2017

Not private by default, though. Are we closing @kewde @beardog108?

@Shifterovich

This comment has been minimized.

Show comment
Hide comment
@Shifterovich

Shifterovich Nov 19, 2017

Collaborator

What about Worth Mentioning with a warning @kewde?

Collaborator

Shifterovich commented Nov 19, 2017

What about Worth Mentioning with a warning @kewde?

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde

kewde Nov 26, 2017

Collaborator

@Shifterovich

A worth mentioning with a warning seems more appropriate.

Collaborator

kewde commented Nov 26, 2017

@Shifterovich

A worth mentioning with a warning seems more appropriate.

@Shifterovich

This comment has been minimized.

Show comment
Hide comment
@Shifterovich
Collaborator

Shifterovich commented Nov 26, 2017

@emanresusername

This comment has been minimized.

Show comment
Hide comment
@emanresusername

emanresusername Nov 27, 2017

Contributor

how's that last commit for the warning? (just linked to the convo here) @Shifterovich @kewde @beardog108

Contributor

emanresusername commented Nov 27, 2017

how's that last commit for the warning? (just linked to the convo here) @Shifterovich @kewde @beardog108

@beardog108

This comment has been minimized.

Show comment
Hide comment
@beardog108

beardog108 Nov 27, 2017

Contributor

I would say something along the lines of "important warning regarding privacy" or just "important warning" and specifically link to #issuecomment-344414022

Contributor

beardog108 commented Nov 27, 2017

I would say something along the lines of "important warning regarding privacy" or just "important warning" and specifically link to #issuecomment-344414022

@emanresusername

This comment has been minimized.

Show comment
Hide comment
@emanresusername
Contributor

emanresusername commented Nov 27, 2017

@beardog108 hows that?

@beardog108

This comment has been minimized.

Show comment
Hide comment
@beardog108

beardog108 Nov 27, 2017

Contributor

Yeah looks good to me, thanks.

Contributor

beardog108 commented Nov 27, 2017

Yeah looks good to me, thanks.

@Shifterovich

This comment has been minimized.

Show comment
Hide comment
@Shifterovich
Collaborator

Shifterovich commented Nov 27, 2017

@Shifterovich Shifterovich merged commit e07813e into privacytoolsIO:master Nov 30, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment