I was just about to post this, I'd love to see someone audit their codebase all these claims are super cool and all, but things like these really make it hard to take them serious.
On the other hand, setting up https is a different skill set from the types of distributed systems that Umbra is trying to be, and I still find it to be confusing even though things like Let's Encrypt have made the process a lot easier.
Still, I've been around the space for a long time and I don't remember hearing too much about the Umbra project before today. That's usually a bad sign, especially given that they don't have a whitepaper.
There are a few major problems that slaughter projects like this:
1. They don't respect scalability constraints.
2. They don't actually understand what it takes to achieve privacy.
3. They don't realize that they've set up a centralized system.
4. They don't understand a lot of things about decentralization. This stuff is hard.
The only whitepaper I could find for the whole system was for ShadowChat, which says they use AES-256-CBC to encrypt the chat. AES is a symmetric encryption algorithm, and a strange choice for a chat protocol. Furthermore, CBC is not great at hiding patterns, and chat will often have a lot of patterns. Not necessarily going to cause problems, but it's another decision that I think is pretty weak, especially when there are better standards already out there.
As for anonymous cryptocurrency, there have been a lot of attempts at creating anonymous cryptocurrency and they are generally garbage. Either the mixing leaks information, or there is a reliance on central services, or other major problems.
Shadowcash claims to be a Proof-of-Stake cryptocurrency, which is a consensus system that has been pretty highly discredited among the more well respected researchers. The threat model is definitely different, and in general is a lot weaker both in terms of attack-resistance and in terms of decentralization that traditional Proof-of-Work. Even Ethereum has yet to come up with a Proof-of-Stake algorithm that they feel comfortable committing to, and they were so certain they'd get there that they added a feature which will break the currency unless they hardfork to PoS (at least that was the idea - given that PoS is not ready, they will probably just hardfork to a not-intentionally-broken PoW).
A few worth taking seriously are Monero, Zcash (though Zcash depends on new/fancy/less-trusted crypto - zkSnarks), and JoinMarket. Everything else that's got academic strength behind it is too early to have a user-ready implementation.
That's just my two cents. Maybe in a few weeks there will be a whitepaper that covers the full strategies of Umbra and it ends up being pretty good. But I don't think so, given that the few decisions that I could find already suggest that this is a platform built by amateurs.
> The only whitepaper I could find for the whole system was for ShadowChat, which says they use AES-256-CBC to encrypt the chat.
Okay.
> AES is a symmetric encryption algorithm, and a strange choice for a chat protocol.
No, it's the standard choice.
Signal uses AES-256-CBC + HMAC-SHA-256, for example.
> Furthermore, CBC is not great at hiding patterns, and chat will often have a lot of patterns.
That's not true. CBC mode isn't great at hiding patterns with IV reuse. Solution: Don't reuse IVs.
The problem with CBC mode is that it's unauthenticated, and as a result is often susceptible to padding oracle attacks that allow messages to be decrypted byte-at-a-time.
Yes we're always where the critics are, they are or best source of information.
I'm very happy to see our work being reviewed. I'm not an expert cryptographer but I am capable of understanding it. (fyi I didn't code it).
Our memcmp in constant time is not the prettiest, but it's short so we roll with it :P
This project started around 2014, LibSodium was still very small back then and OpenSSL, in ours view, remains the defacto standard.
Is there any particular reason on why we should move away from RAND_bytes() ?
Yes: Aside from being a userspace CSPRNG (which is an additional risk of failure over the kernel's CSPRNG and doesn't provide defense-in-depth), it isn't thread-safe.
Indeed HTTPS was not enabled on the page, it was still a work in progress. It is now enabled.
We're working on an installer that will mitigate MITM issues by having releases to be signed by multiple people.
1. We do respect scalability constrains, but we decided to monitor the network and scale when needed.
The idea that we have to focus our limited development time and funds on issues that are not yet a problem is a bit goofy. The idea for scaling is to include a tree like structure:
1
/ \
2 3
You split the data into numbers, based on the capacity of your node.
E.G. Alice has an address of stream 2. If Bob wants to send a message to Alice he encodes the stream number as metadata into the message and connects to a node of either 1 or 2. Nodes with the same number relay messages to eachother. When Bob can't find a node with number 2 he can just share it with a node of number 1. It will finds its way down (like a stream) to 2.
Especially when issues like these: https://github.com/shadowproject/shadow/issues/25 pop up.
"There is no way to contact you on the bug bounty program"