RetroShare

[Cathal Garvey]

Retroshare isn't "like tor", it's "the opposite of tor".

Tor establishes a network of mutual distrust (kinda; you still trust
some aspects of the network such as the directory servers).

Retroshare establishes a network of mutual trust, although you can
withhold certain details such as whether you or merely a friend known
to you is sharing the files you make available (although as mentioned
by another this is likely to be traceable with enough network data).

For high-security work, something like i2p or Tor is probably better.
For an alternative to daily, casual internet traffic, Retroshare's
*idea* is probably superior; by relying on existing relationships of
trust, you can probably get better performance, and data that's
relevant to your interests is likely to be nearby in the network
because of social networking effects.

However, the flipside is without existing relationships of trust,
you're dead in the water; I tried Retroshare for a while but had no
friends on it, so had no access to the "core network" through any
trusted links.

Also, I get mixed signals about the developer attitude to some security
aspects of the P2P side of things. For example, they use SHA1 for the
distributed hash table, whereas in my opinion one should never use an
even partially broken hash for a *hash table*; you never know what
exploits are known privately that further break the hash, and should
generally assume it's fully broken if your threat model includes
adversaries like the NSA. If you're willing to compromise on the
quality of the hash that underlies the entire P2P end of the system,
I'm wary about your attitude to security overall.

This wasn't such a big deal 'til I saw some anons advocating Retroshare
as a "usable crypto" solution. Well, it is; if your adversary is a
talent-starved rent-seeking quango like the RIAA. If your adversary is
the world's biggest circle-jerk of military cryptographers, I wouldn't
go there, personally.

Maybe I'm paranoid about SHA1? I'm eager for other opinions here.
Crypto is an area where the Dunning Kruger only gets worse the deeper
you go.

On Sun, 17 Nov 2013 16:25:04 +0100
rysiek <rysiek at hackerspace.pl> wrote:

> Dnia sobota, 16 listopada 2013 23:19:58 Lodewijk andré de la porte
> pisze:
> > 2013/11/16 rysiek <rysiek at hackerspace.pl>
> > 
> > > So I guess this is my question: does RetroShare's protocol seem
> > > solid and sensible? Should we invest time and effort into it?
> > 
> > It's basic concepts are pretty well considered. It's quite like Tor
> > only the first nodes are "trusted nodes" and not just any random
> > one. That said I think the whole RetroShare thingy is shot to hell
> > regarding traffic analysis. That's hard for everyone except the Top
> > Secret level people.
> > 
> > Far as I know there's no deep-communication tactics except
> > store-and-forward for forums. That's some weakness if you ask me.
> > Finding a file based on a hash requires broadcasting the request
> > for the hash, which will likely flood through (part of) the
> > network. Tracing back a flood is pretty easy with a few nodes.
> > 
> > Invest in it? Not a bad thing to invest in. But it's not that
> > special on the crypto/security level AFAIK. I think the whole P2P
> > thing is a bigger deal than the crypto part of it.
> 
> Or, more precisely, how it *combines* crypto and P2P. Plus usability:
> while it's not a staple of it, it is definitely easier to set-up and
> use than XMPP+OTR over TOR, while the effect is more or less the same
> -- you get an encrypted, trusted comms channel.
> 
> Wonder however if RetroShare gives you plausible deniability?
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20131117/a97145e0/attachment-0001.sig>