I found the following in a text file lying arround on my harddrive. I vaguely remember writing planning to get it added to the threat model page on i2p.net, it's a little out of date and probably needs some corrections, but at this point it would probably be safer, to let someone else do that, as I have put it off this long :) Anyway: Listening ISP If your ISP decides to listen in to all your internet traffic the most they could determine is that you are running the I2P software. They cannot tell what sort of data you are transferring, because all traffic over I2P is encrypted and is padded. Because I2P also tunnels it's traffic before it reaches it's final destination they cannot determine who you are transferring data to. Finally they cannot even tell IF you are even doing any transferring because your router will be routing other people's traffic even if you are not at your computer at the time. Listening Peers I2P does not assume any other person on the network is trustworthy. Not even the person you are talking with. It defends your identity as follows: Suppose you have a destination you want to connect to. First your router sends a message to another node on the network encrypted with it's public key. That message tells it to connect to a third node. You then send a message encrypted with the third nodes public key to it THROUGH the second node. That node is then instructed to connect to the ultimate destination. This way, you can talk to whom ever is at the ultimate destination, and they don't know who you are, just what you say. The node that is connected to the end destination, is not directly connected you so they don't know who you are. Nor do they know what you are saying (it is encrypted). The node that is connected to you does not know what you are saying or who you are talking to. So, nobody knows both the sender and the receiver and only they know what is being said. If the person that you are communicating with is also using I2P, they will take the same steps on their end to protect their own identity. So, if BOTH of the nodes you select for your tunnel are malicious then they could only determine that "you are saying something to someone". However this can be extended to an arbitrary number of nodes! If you need to be more careful about your identity, you can use more than two nodes, or if you don't particularly need anonymity for a particular application, you could use less. This also means that even if all intermediate nodes selected by both sides are compromised, together they still cannot prove that you and the person you were in fact talking to the person you were talking to, let alone what was said! Man in the Middle A common attack to many secure systems is called the Man in the Middle attack. Basically someone pretends to be the person that you are trying to connect to, and then relays what you say to that person pretending to be you. This attack does not work against I2P. This is because in I2P you don't know the actual IP of the person you are connecting to. You only know their public key. You can use this key to lookup the IP of the node that you can contact them through in the network database. Because this message is signed it cannot be forged. This means an attacker would have no way to fool you into connecting to them. Also even if a third party intercepted the traffic, because you know their public key from the start, they would have no way of being able to decrypt any of what was sent. Social Engineering Social Engineering consists of someone contacting you and lying to you in order to convince you to tell them some important piece of information. I2P cannot protect you if you want to give out some information no more than your phone can prevent you from giving your bank account number to people who are trying to steal your money. The important thing to remember is that, under NO circumstances will you ever need to give out ANY information over I2P. Do not ever tell anyone your real name, physical address, internet address, or any technical information about your computer that you don't know the significance of. If you wouldn't give out that information in real life to a total stranger then don't give it out to one over I2P, no matter how trustworthy they sound. If you are having trouble with I2P always go the the websight: www.i2p.net and read the FAQs and Documentation there. There is also a mailing list and an IRC chat you can go to if you are having problems. Exploits in other software It is not possible for the I2P developers to fix bugs in other programs on your computer, however the software does the best it can to prevent these from being used to reveal your identity on the network. First when you are browsing I2P through your web brouser it is setup to use a proxy which connects to the software on your local machine. This prevents anyone from putting a link or Java applit on an I2P sight that connects to the internet directly. So if after you have enabled the proxy and you attempt to go to a sight that is on the World Wide Web you will simply get a error message. If you still want to be able to brouse the WWW and be anonymous follow the instruction for setting up your browser to use an outbound proxy over I2P (squid.i2p). This way your normal web traffic will be routed through the I2P network to ensure your anonymity. The other thing I2P can do is filter HTML so that certain features cannot be used. However this does not make it impossible for a web page to compromise your identity. The reason for this is that Images and binary files cannot be filtered based on their content. So it is possible for a virus to come in through your webbrouser by viewing a malformed image if your webbrouser has a bug that makes it vulnerable in this way. The safest thing to do is to make sure that you are using the latest version of your webbrouser and keep it up to date. Internet Explorer is also not recommended if you are concerned about viruses. You can get an open source web brouser from www.mozilla.org. One other thing I2p does is directly assign what is called MIME information to some files. This makes it much harder for someone to make a file of one type, which your brouser would open believing to be safe, and then discover it is another. This means that some types of files won't open or launch directly from your webbrouser, instead you have to save them to you harddisk before opening them. It is also important to remember that you should not run programs from untrusted sources. So do not run any program you downloaded from I2P unless you can verify that it's checksum is the same as the version distributed by the person/organization that produces that program. If there is some fix for I2P or client software for I2P it will be announced with instructions and md5 or sha1 ckecksums for all files on www.i2p.net. To find the checksum of a file: on Unix/BSD/Linux/MacOSX run `md5sum filename` or `sha1 filename`. On windows you can download a tool to do this from http://www.md5summer.org/ or http://www.jonelo.de/java/jacksum or http://axcrypt.sourceforge.net/. If you really want to be sure your computer is safe you could make it such that all your traffic goes through I2P. This way even when your computer runs programs that connect to the normal internet you are still safe. This functionality will be added at some point. _______________________________________________ i2p mailing list i2p@i2p.net http://i2p.dnsalias.net/mailman/listinfo/i2p ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07078, 11.61144 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net [demime 1.01d removed an attachment of type application/pgp-signature]