Lodewijk andré de la porte l at
Mon Nov 18 02:07:10 PST 2013

2013/11/18 Cathal Garvey <cathalgarvey at>

> Retroshare isn't "like tor", it's "the opposite of tor".
> Tor establishes a network of mutual distrust (kinda; you still trust
> some aspects of the network such as the directory servers).

Yeah, Retroshare is Tor except with a different mechanism for finding
peers. I don't see how that is the opposite of Tor. The "opposite" of Tor
probably wouldn't use Onion Routing. BitTorrent might be closest to the
opposite of Tor.

> Also, I get mixed signals about the developer attitude to some security
> aspects of the P2P side of things. For example, they use SHA1 for the
> distributed hash table, whereas in my opinion one should never use an
> even partially broken hash for a *hash table*; you never know what
> exploits are known privately that further break the hash, and should
> generally assume it's fully broken if your threat model includes
> adversaries like the NSA. If you're willing to compromise on the
> quality of the hash that underlies the entire P2P end of the system,
> I'm wary about your attitude to security overall.

Why does the DHT require a cryptographic-quality hash? I agree that SHA1 is
too weak to be cryptographic, but a DHT is merely finding chains of other
nodes. The worst that can happen is the adversary manipulating you into
connecting to them with a higher chance. Given the whole friend-to-friend
mechanisms I don't see much harm in that. It depends on the plugin that runs
above it.

I must say that this is exactly the sort of thing I think makes RetroShare
risky. Some choices can be conditionally okay. Building a big stack of
software lacks overview easily.
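The disagreement above is about what the DHT hash is actually doing for you. As an added illustration (not RetroShare's code, and not from either poster), the toy Kademlia-style keyspace below puts content keys and node IDs in the same digest space, uses XOR distance to pick the nodes responsible for a key, and refuses peers whose claimed ID is not the hash of the public key they present. With that binding in place, landing "near" a chosen key costs a second-preimage search against the digest, which is exactly why the hash's strength matters even though the DHT itself only routes lookups. The peer names, key bytes and addresses are constructed; the digest name is a parameter so the same logic runs with SHA-256.

```python
import hashlib
from typing import List, Tuple

# Constructed example: a minimal Kademlia-style keyspace. "sha1" matches the
# thread's discussion; swap in "sha256" to see the same logic on a wider space.
DIGEST = "sha1"


def key_of(data: bytes, digest: str = DIGEST) -> int:
    """Content key: the digest of the data, read as a big-endian integer."""
    return int.from_bytes(hashlib.new(digest, data).digest(), "big")


def node_id_of(pubkey: bytes, digest: str = DIGEST) -> int:
    """Node ID bound to the node's public key, so a node cannot choose its ID freely."""
    return key_of(pubkey, digest)


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: XOR of the two IDs as an integer."""
    return a ^ b


def accept_peer(claimed_id: int, pubkey: bytes, digest: str = DIGEST) -> bool:
    """Accept a peer only if its claimed ID equals the hash of its public key.

    This is the check that turns 'pick an ID next to the key I want to sit on'
    into a preimage problem against the digest. Without it, any node can choose
    its position in the keyspace regardless of how strong the hash is.
    """
    return claimed_id == node_id_of(pubkey, digest)


def build_routing_table(
    peers: List[Tuple[int, bytes, str]], digest: str = DIGEST
) -> List[Tuple[int, str]]:
    """Filter announced peers (claimed_id, pubkey, address) through accept_peer."""
    table = []
    for claimed_id, pubkey, addr in peers:
        if accept_peer(claimed_id, pubkey, digest):
            table.append((claimed_id, addr))
    return table


def closest_nodes(
    target: int, table: List[Tuple[int, str]], k: int
) -> List[Tuple[int, str]]:
    """Return the k table entries closest to target by XOR distance."""
    return sorted(table, key=lambda entry: xor_distance(entry[0], target))[:k]


# Constructed peer announcements: three honest nodes whose IDs derive from their
# keys, and one that simply claims the content key it would like to be asked for.
CONTENT = b"hello world"
PEERS = [
    (node_id_of(b"pubkey-A"), b"pubkey-A", "10.0.0.1"),
    (node_id_of(b"pubkey-B"), b"pubkey-B", "10.0.0.2"),
    (node_id_of(b"pubkey-C"), b"pubkey-C", "10.0.0.3"),
    (key_of(CONTENT), b"pubkey-D", "10.0.0.4"),  # ID not derived from pubkey-D
]


def lookup(content: bytes = CONTENT, k: int = 2) -> List[str]:
    """Addresses of the k nodes an honest client would ask about `content`."""
    table = build_routing_table(PEERS)
    return [addr for _, addr in closest_nodes(key_of(content), table, k)]


if __name__ == "__main__":
    print("accepted peers:", [addr for _, addr in build_routing_table(PEERS)])
    print("lookup targets:", lookup())
```

The fourth peer is dropped at the routing-table stage, so the lookup never reaches it; the remaining question, which the thread leaves open, is how expensive it is to find a public key whose digest lands where an adversary wants it, and that cost is set entirely by the hash.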

More information about the cypherpunks mailing list