by fooqux 4645 days ago
I like that this and Tox are tackling this issue, but they seem to be missing a huge piece of the puzzle: the so-called metadata.

If you can hide who the messages are being sent to, you can protect yourself against them spying on who your friends are, which, to me, is just as important. Also, if you don't know who the recipient of an encrypted block of text is, it makes it near-impossible to brute-force the private key(s) of all encrypted text coming out of a single IP.


> they seem to be missing a huge piece of the puzzle: the so-called metadata.

I wonder if the broadcast approach would help there? Be constantly throwing out GPG-encrypted data to the entire network; anyone with the private key can pick it up. No "to" or "from" headers, and traffic analysis is hard since the flow of traffic is constant:

https://github.com/shish/firehose (Very alpha)

The main downside there is that bandwidth requirements are huge, you can only have a few thousand people on each shard :<
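The constant-rate broadcast idea above, as an added example written for this page (it is not code from the firehose repository, and it swaps GPG for a small HMAC-SHA256-based authenticated-encryption layer so it runs with the Python standard library alone). Every node emits exactly one fixed-size block per tick, a real one if its queue is non-empty and random cover bytes otherwise; blocks carry no addressing, so every node trial-decrypts every block against every pairwise key it holds. The node names, the 256-byte slot size and the pre-shared pairwise keys are assumptions for the demo, not anything the thread specifies.

```python
import hashlib
import hmac
import os
from collections import deque

SLOT = 256                              # every block on the wire is exactly this size
NONCE_LEN, TAG_LEN, LEN_FIELD = 16, 32, 2
BODY_LEN = SLOT - NONCE_LEN - TAG_LEN   # 208 bytes of ciphertext per block
MAX_MSG = BODY_LEN - LEN_FIELD          # 206 bytes of payload per block


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the symmetric layer GPG would provide.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC one message into a fixed-size block with no addressing fields."""
    if len(msg) > MAX_MSG:
        raise ValueError("message does not fit in one slot; chunk it")
    nonce = os.urandom(NONCE_LEN)
    # Length prefix plus random padding: a short message and a full one look identical.
    body = len(msg).to_bytes(LEN_FIELD, "big") + msg + os.urandom(MAX_MSG - len(msg))
    ct = _xor(body, _keystream(key, nonce, BODY_LEN))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_block(key: bytes, block: bytes):
    """Trial decryption: return the payload if `block` was sealed under `key`, else None."""
    if len(block) != SLOT:
        return None
    nonce, ct, tag = block[:NONCE_LEN], block[NONCE_LEN:SLOT - TAG_LEN], block[SLOT - TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    body = _xor(ct, _keystream(key, nonce, BODY_LEN))
    n = int.from_bytes(body[:LEN_FIELD], "big")
    return body[LEN_FIELD:LEN_FIELD + n]


def cover_block() -> bytes:
    """Dummy traffic: random bytes, indistinguishable on the wire from a real block."""
    return os.urandom(SLOT)


class Node:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}            # peer name -> shared key (assumed pre-exchanged out of band)
        self.outbox = deque()
        self.inbox = []

    def send(self, peer: str, msg: bytes) -> None:
        self.outbox.append(seal(self.keys[peer], msg))

    def tick(self) -> bytes:
        """Emit exactly one block per tick whether or not there is anything to say."""
        return self.outbox.popleft() if self.outbox else cover_block()

    def receive(self, block: bytes) -> bool:
        # No "to" header, so a node tries every block against every key it holds.
        for peer, key in self.keys.items():
            msg = open_block(key, block)
            if msg is not None:
                self.inbox.append((peer, msg))
                return True
        return False


def run(nodes, ticks: int):
    """Flood each node's block to all others every tick; return the sizes a wiretap sees per node."""
    observed = {n.name: [] for n in nodes}
    for _ in range(ticks):
        for src in nodes:
            block = src.tick()
            observed[src.name].append(len(block))
            for dst in nodes:
                if dst is not src:
                    dst.receive(block)
    return observed


def demo():
    alice, bob, carol = Node("alice"), Node("bob"), Node("carol")
    k_ab, k_ac = os.urandom(32), os.urandom(32)          # constructed pairwise keys
    alice.keys["bob"], bob.keys["alice"] = k_ab, k_ab
    alice.keys["carol"], carol.keys["alice"] = k_ac, k_ac
    alice.send("bob", b"meet at 9")                       # the only real message in three ticks
    observed = run([alice, bob, carol], 3)
    return observed, bob.inbox, carol.inbox


if __name__ == "__main__":
    observed, bob_inbox, carol_inbox = demo()
    print(observed)       # chatty and silent nodes show the same per-tick sizes
    print(bob_inbox)      # [('alice', b'meet at 9')]
    print(carol_inbox)    # []
```

The wiretap view returned by `run` is the point: the node that actually sent something is indistinguishable from the two that only emitted cover, and the real block and the cover blocks are both uniformly random 256-byte strings. The cost side is what the thread's numbers imply: each node must download and trial-decrypt every other node's stream, so at the 500 bytes/sec mentioned below, a shard of 2000 nodes costs each member about 1 MB/s inbound plus 2000 MAC checks per second, which is why shards stay in the low thousands. The rate only hides timing if it really is constant; a sender that emits faster when its queue fills would leak exactly the activity pattern the cover traffic is there to hide.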

I don't know how bad the bandwidth requirements would actually be. A few thousand bytes a second is an awful lot of text. Granted, you won't be able to do anything else like VOIP.

I've been thinking of ways to combat this as well, and I admit it's an interesting problem. You either have to do some kind of Tor-like onion protocol (which has its own problems), or send every message to every client in the world. Sending your message to [your friend] + X random people would still allow an attacker to eventually gather a very detailed map of your friends by looking at which come up most often.
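The "friend plus X random people" leak described above, as an added simulation written for this page (not code from either project). An observer who sees only recipient lists tallies how often each node appears; the real friends turn up in a fixed share of every message while a decoy slot lands on any given bystander with probability roughly x/(n-1), so a plain binomial threshold separates them. The 1000-node population, the two friends, the message count and the 8-sigma margin are constructed for the demo; the same tally against broadcast-to-everyone flags nobody, which is the contrast the thread is drawing.

```python
import math
import random
from collections import Counter

# Constructed population: alice talks to bob and carol; the other 997 names are bystanders.
POPULATION = ["alice", "bob", "carol"] + [f"user{i}" for i in range(997)]


def decoy_recipients(rng, sender, friend, population, x):
    """What a network observer sees for one message: the real friend plus x random decoys."""
    others = [p for p in population if p != sender and p != friend]
    return [friend] + rng.sample(others, x)


def broadcast_recipients(sender, population):
    """Broadcast mode: every message goes to everyone but the sender."""
    return [p for p in population if p != sender]


def observe(rng, sender, friends, population, x, messages, broadcast=False):
    """Tally how often each node is a recipient across `messages` sends from `sender`."""
    counts = Counter()
    for _ in range(messages):
        friend = rng.choice(friends)
        if broadcast:
            counts.update(broadcast_recipients(sender, population))
        else:
            counts.update(decoy_recipients(rng, sender, friend, population, x))
    return counts


def infer_friends(counts, messages, x, population_size, sigmas=8):
    """Flag recipients whose count is implausible for a uniformly chosen decoy.

    A decoy slot hits a given node with probability about x/(n-1), so a bystander's
    count is roughly Binomial(messages, x/(n-1)). A real friend receives a fixed
    share of every message and sits far above that, however many messages are sent.
    """
    p = x / (population_size - 1)
    mean = messages * p
    sd = math.sqrt(messages * p * (1 - p))
    return sorted(r for r, c in counts.items() if c > mean + sigmas * sd)


def demo(seed=1, x=10, messages=400):
    rng = random.Random(seed)
    n = len(POPULATION)
    decoy = observe(rng, "alice", ["bob", "carol"], POPULATION, x, messages)
    flood = observe(rng, "alice", ["bob", "carol"], POPULATION, x, messages, broadcast=True)
    # In broadcast mode every message has n-1 recipients, so the observer's model uses x = n-1.
    return infer_friends(decoy, messages, x, n), infer_friends(flood, messages, n - 1, n)


if __name__ == "__main__":
    leaked, hidden = demo()
    print("friend + 10 decoys leaks:", leaked)    # ['bob', 'carol']
    print("broadcast to all leaks:", hidden)      # []
```

With 400 messages, ten decoys each and a thousand nodes, a bystander is expected to appear about four times with a spread of about two, while each friend appears around two hundred times; adding more decoys only raises the bystander baseline linearly and never closes that gap, because the friend's count grows with every message. Under broadcast every node's count is identical to the message total, so the tally carries no information about who the friends are.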

> send every message to every client in the world

That's what I do, as I can't think of any alternative that is equally analysis-resistant

> A few thousand bytes a second is an awful lot of text

I was planning for ~500 bytes / sec so that traffic spikes wouldn't block up the send queue, but now that I think about it you're probably right -- even at 50 bytes/sec, the network speed cap would still be a fairly small factor compared to the amount of time spent typing...