2013/11/18 Cathal Garvey <[1]cathalgarvey@cathalgarvey.me>

   Retroshare isn't "like tor", it's "the opposite of tor".
   Tor establishes a network of mutual distrust (kinda; you still trust
   some aspects of the network such as the directory servers).

   Yeah, Retroshare is Tor except with a different mechanism for finding
   peers. I don't see how that is the opposite of Tor. The "opposite" of
   Tor probably wouldn't use Onion Routing. BitTorrent might be closest to
   the opposite of Tor.

   Also, I get mixed signals about the developer attitude to some security
   aspects of the P2P side of things. For example, they use SHA1 for the
   distributed hash table, whereas in my opinion one should never use an
   even partially broken hash for a *hash table*; you never know what
   exploits are known privately that further break the hash, and should
   generally assume it's fully broken if your threat model includes
   adversaries like the NSA. If you're willing to compromise on the
   quality of the hash that underlies the entire P2P end of the system,
   I'm wary about your attitude to security overall.

   Why does the DHT require a cryptographic quality hash? I agree that
   SHA1 is too weak to be cryptographic, but a DHT is merely finding
   chains of other nodes. Worst that can happen is the adversary
   manipulating you into connecting to them with higher chance. Given the
   whole friend-to-friend mechanisms I don't see much harm in that.
   Depends on the plugin that runs above it.
   I must say that this is exactly the sort of thing I think makes
   RetroShare risky. Some choices can be conditionally okay. Building a
   big stack of software lacks overview easily.

References

   1. mailto:cathalgarvey@cathalgarvey.me