[Freedombox-discuss] BitMessage

Jonathan Wilkes jancsika at yahoo.com
Mon Apr 1 19:05:58 UTC 2013


----- Original Message -----

> From: Philip Hands <phil at hands.com>
> To: "freedombox-discuss at lists.alioth.debian.org" <freedombox-discuss at lists.alioth.debian.org>
> Cc: 
> Sent: Monday, April 1, 2013 2:05 PM
> Subject: Re: [Freedombox-discuss] BitMessage
> 
> Hi Jonathan,
> 
> Jonathan Wilkes <jancsika at yahoo.com> writes:
>>> ________________________________
>>>  From: Philip Hands <phil at hands.com>
>>> To: freedombox-discuss at lists.alioth.debian.org 
>>> Sent: Monday, April 1, 2013 4:22 AM
>>> Subject: [Freedombox-discuss] BitMessage
>>> 
>>> Hi,
>>> 
>>> I note that there's been no mention of BitMessage, so I thought I'd
>>> mention it:
>>> 
>>>   https://bitmessage.org/
>>> 
>>>   https://bitmessage.org/wiki/FAQ
>>> 
>>> it's doing something a bit like email using something similar to the
>>> bitcoin P2P network for passing encrypted messages around in a way that
>>> ensures that it's not possible to see who's talking to who.  It encrypts
>>> the whole message, so not leaking via the headers.
>> 
>>  It's perfectly possible to see who's talking to who, just as it is in the
>>  Bitcoin protocol.
> ...
> 
> Odd, that is not the way I read their site & PDFs.
> 
> In fact, I got the strong impression that one of the primary
> justifications for the thing was hiding the identities of those
> corresponding, so it is pretty feeble if they've failed to achieve that
> feature.

You can use Tor to decouple your IP from the Bitmessage node,
but then you should probably credit Tor with hiding your identity
and not Bitmessage. :)

> 
> For instance, this table in the FAQ:
> 
>   https://bitmessage.org/wiki/FAQ#How_does_BitMessage_compare.3F
> 
> makes it pretty obvious that they think it does hide the sender and
> recipient.

As far as I know the "Passive mode" isn't implemented, so you just
connect to every node, or a lot of them, and then it's a fairly simple
game to guess who originates a message by looking at which node
sent it first.  Same with Bitcoin, demo'd (or described, can't remember
which) by Dan Kaminsky at some conference with video available on
YouTube.

I'm not certain about receiver, but I'd imagine revealing it is similar to
the collusion attack described here:
http://people.cs.umass.edu/~liberato/blog/2011/10/17/forensic-investigation-of-the-oneswarm-anonymous-filesharing-system/

Notice in that same paper how they describe a discrepancy between
whitepaper and implementation, and how that discrepancy actually makes people
who use the software less secure because they imagine their own
security based on the whitepaper while something different is happening
in the application.

> 
> Perhaps you'll be so kind as to provide references to show that your
> interpretation is correct?

I "Bitmessage'd" the author and he confirmed that the "passive mode"
isn't implemented yet and that the same attack that would reveal originators
of Bitcoin transactions would work on Bitmessage.

-Jonathan

> 
> Not that I think the merits or otherwise of BitMessage are on topic here
> (at least not until it's of a quality that might justify it being packaged).
> 
> I'm certainly not going to bother defending it (I only stumbled across
> it a few days ago, and have not run it)
> 
> I was instead hoping that someone here that was not yet aware of
> BitMessage might find the time and motivation to make the thing good
> enough for it to be packaged, and then perhaps it could find its way
> into FBX if it's a good fit (which it seemed to me that it might have
> the potential to be).
> 
> Cheers, Phil.
> -- 
> |)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
> |-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
> |(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
> 
> 
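Added example (not part of the original message, and not Bitmessage or Bitcoin code): a toy simulation of the first-seen heuristic described in the reply above, measuring how often the earliest relayer an observer sees really is the originator as the observer's share of connected nodes changes. The overlay size, peer count and per-hop delays are constructed assumptions, and all function names are hypothetical.

```python
import heapq
import random

def build_overlay(n, degree, rng):
    """Constructed random overlay: every node dials `degree` random peers."""
    peers = {i: set() for i in range(n)}
    for i in range(n):
        for j in rng.sample([k for k in range(n) if k != i], degree):
            peers[i].add(j)
            peers[j].add(i)
    return peers

def first_have_times(peers, origin, rng):
    """Flood the message; return the time each node first holds it."""
    have = {origin: 0.0}
    heap = [(0.0, origin)]
    while heap:
        now, node = heapq.heappop(heap)
        if now > have[node]:
            continue  # stale entry, node already got it earlier
        for peer in sorted(peers[node]):
            arrive = now + rng.uniform(0.05, 0.30)  # assumed per-hop delay (s)
            if arrive < have.get(peer, float("inf")):
                have[peer] = arrive
                heapq.heappush(heap, (arrive, peer))
    return have

def first_seen_guess(have, monitored, rng):
    """The heuristic from the thread: pick the monitored node that relayed first."""
    inf = float("inf")
    seen = {n: have.get(n, inf) + rng.uniform(0.05, 0.30) for n in monitored}
    return min(seen, key=seen.get)

def exposure(coverage, trials=300, n=200, degree=4, seed=1):
    """Fraction of messages whose true originator is the first-seen node."""
    rng = random.Random(seed)
    peers = build_overlay(n, degree, rng)
    hits = 0
    for _ in range(trials):
        origin = rng.randrange(n)
        monitored = rng.sample(range(n), max(1, int(coverage * n)))
        have = first_have_times(peers, origin, rng)
        hits += first_seen_guess(have, monitored, rng) == origin
    return hits / trials

if __name__ == "__main__":
    for coverage in (0.1, 0.5, 1.0):
        print(f"observer connected to {coverage:.0%} of nodes: "
              f"originator exposed in {exposure(coverage):.0%} of messages")
```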


