[Twisted-Python] Introducing Aether, a peer-to-peer, anonymous forums app built with Twisted

Burak Nehbit burak at nehbit.net
Mon Nov 11 17:31:05 MST 2013


Hi Glyph,

It looks like this is definitely making some significant and interesting security-related claims.  Do you have plans for getting it audited?

I’m making more anonymity claims and fewer security claims. It is secure only in peer-to-peer connections, in that the connections between peers are encrypted. But all data that is distributed on Aether is public, so there is no secrecy, at all. I do not authenticate people either. The only reason the connections between peers are encrypted is that it is a defence against a global passive adversary. So the example goes, I do protect my users from the eye of Mordor (dragnet surveillance) but if Nazguls are in your home (your computer is seized), I can’t save you from that. I do in fact offer some protection for the latter case, too, but I’m less sure of its extent, so I am not touting it until I’m more confident.

Protection against a dragnet is rather obvious: encrypt everything. Unless you’re a special target, you’ll be safe. 

Protection against seizure is a little bit more complex: I am not committing any information into the database* that can reduce your plausible deniability. So at the point you post an item, you’re no different than another sharer of that item both to the network and to your computer.

* I actually do commit one piece of information: If a post is created by the local user, it will have a flag describing it to be so, so the user’s client can notify the user of replies to that post. I am planning to convert this feature to ‘subscribe to posts or threads’ and remove the flag. So even the local computer won’t have any information about whether the post was received from the network or created locally, but the user will still continue to receive replies as he is subscribed to that post.

Audit— I would love to. I was talking to Laurens about this a few weeks ago for the security, but there hasn’t been a formal audit. I don’t have the resources to pay for that, unfortunately. If anyone wants to do it, I’d be glad to help. 

Best,
Burak
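The store design described above (no "created locally" flag; a separate subscription list drives reply notifications), as an added example that is not Aether's own code. The sqlite schema, function names and sample posts are hypothetical.

```python
# Added example (not Aether's own code): the local-store design the post
# describes. Schema, names and sample posts are hypothetical.
import sqlite3

def make_store():
    db = sqlite3.connect(":memory:")
    # A post row carries only what every other peer on the network also has.
    db.execute("CREATE TABLE posts (post_id TEXT PRIMARY KEY, parent_id TEXT, body TEXT)")
    # Interest is kept separately; it records which threads you follow,
    # not which posts you wrote.
    db.execute("CREATE TABLE subscriptions (post_id TEXT PRIMARY KEY)")
    return db

def store_post(db, post_id, parent_id, body):
    """One code path for posts received from the network and posts written
    locally, so the stored row cannot distinguish the two."""
    db.execute("INSERT OR IGNORE INTO posts VALUES (?, ?, ?)", (post_id, parent_id, body))
    db.commit()

def subscribe(db, post_id):
    db.execute("INSERT OR IGNORE INTO subscriptions VALUES (?)", (post_id,))
    db.commit()

def create_local_post(db, post_id, parent_id, body):
    """Author a post: store it exactly like a received one, then subscribe
    to it so replies still reach the user."""
    store_post(db, post_id, parent_id, body)
    subscribe(db, post_id)

def should_notify(db, parent_id):
    """Replaces the old 'created by local user' flag: a reply is of interest
    if its parent is subscribed, whoever wrote the parent."""
    row = db.execute("SELECT 1 FROM subscriptions WHERE post_id = ?", (parent_id,)).fetchone()
    return row is not None

def stored_row(db, post_id):
    """What a seized database would show for this post."""
    return db.execute("SELECT * FROM posts WHERE post_id = ?", (post_id,)).fetchone()

if __name__ == "__main__":
    db = make_store()
    create_local_post(db, "p1", None, "written here")
    store_post(db, "p2", None, "received from a peer")
    subscribe(db, "p2")  # following someone else's thread looks identical
    print(stored_row(db, "p1"), stored_row(db, "p2"))
    print(should_notify(db, "p1"), should_notify(db, "p2"), should_notify(db, "p3"))
```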



On November 11, 2013 at 7:16:00 PM, Glyph (glyph at twistedmatrix.com) wrote:


On Nov 11, 2013, at 11:49 AM, Burak Nehbit <burak at nehbit.net> wrote:

Hi everyone,

I wanted to share with you the yearlong project I have been working on, which led me to discover Twisted besides many other things. It’s using Twisted for all peer-to-peer network connections. This has also led me to produce a Qt5 reactor for Twisted (if anyone needs this, I can send it, MIT licensed).

Hi Burak,

Thanks very much for choosing to use Twisted for this project!  It looks interesting :).  And thanks again for your kind words about the community :).

It looks like this is definitely making some significant and interesting security-related claims.  Do you have plans for getting it audited?

-glyph
