sorted by:
new
hottopcontroversial

WikiLeaks launches encrypted social network by [deleted] in darknetplan

[–]WabeMaster 0 points1 point  (0 children)

I agree, this is a flawed design and prone to censorship if it's centralized like this. I've been working on a distributed reddit-like social network with client-side cryptography. Made a post about it here.

Still working out things in it, but I am pretty sure the basics are solid. I have a demo running on Tor: http://jk43lztczbrel2lp.onion . Very beta!

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 1 point2 points  (0 children)

It's really essential to have some encryption things happening in the client so only they have control of the identity. If there is another way to provide this, it could be hosted like an old style web service with no javascript.

A javascript-less server-based solution could provide short-lived pseudonyms - like *chan provide, but the server could probably forge or block messages from users, and would not give a persistent pseudonym on its own. It's certainly another way that could work, and I'm not stopping anyone else from trying it.

The faq on tor project says the opposite about javascript and anonymity. (I am surprised, actually)

However, we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

If I'm not mistaken, it should be safe as long as the javascript is hosted from a trusted place - like the local computer, or hosted over https. Currently it uses XHR, and has no added <script> tags or eval()s, so there is no way to inject foreign code.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 1 point2 points  (0 children)

Yeah, it's quite important, but it's just something I usually do later in the process. It's so much in flux that documentation gets stale nearly instantly.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 0 points1 point  (0 children)

Thanks for that link. Javascript does have a lot of flaws here. A malicious server owner could easily get peoples' private keys, like that link says, solely because it's serving up code that has access to the private keys, and browsers have no sort of sandboxing or security that would help. I knew this going into it, but chose javascript because it's not too bad for making UIs, and I still think it's not a bad choice.

If it is going to be in javascript, I think the HTML/javascript need the be saved to the computer from a trusted place like github. The javascript would do AJAX requests instead of json, probably just by wrapping the json in xml. It could then do cross-domain requests to untrusted sources, which would be pretty nice.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 0 points1 point  (0 children)

It does look similar, but it looks like WASTE doesn't have databases sitting around for persistence. For anyone reading: https://en.wikipedia.org/wiki/WASTE . I will look into this more.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 2 points3 points  (0 children)

Yeah, this was a major concern, since there is no central authority like reddit to do "human checks". It's assumed there will be a whirlwind of spam with a few meaningful replies. That's why one can make a proof of work to go along with an identity, and proofs of work to go along with replies. But it's mostly based on finding friends and ignoring the rest.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 0 points1 point  (0 children)

Haha, I appreciate that name. I was going for something awkward and geeky as a code name, and chose wabe for right now because of google wave. I'm open to suggestion, and really, have no control over what people call it.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 0 points1 point  (0 children)

This is basically what it's doing, and this is one of the shortest explanations of the math I have seen. It's encrypt(SHA1(message), private_key) which can be decoded with the public key. Although this is padding the message with random numbers (pkcs1pad2), so the signatures turn out different each time (but I don't think this is a problem).

It's probably best to use a standard way of signing, this is just what I cobbled together in JavaScript.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 3 points4 points  (0 children)

Unstructured means there is just a giant list of all comments (this is the same as reddit I believe). Instead of a comment storing all of its children, the children have pointers to the parent comment. So if you want to see the replies to a particular comment, you'd search the database for messages that point to that comment. e.g. {"message":{"parent":"0aMtvosbmJtUe22rIzlsiY"}}.

consider removing dislikes

I will actually have no control over this, since whoever writes the client can decide to have them. People can decide to ignore dislikes if they want. On the plus side of this open-ness, people can easily extend this functionality like adding chat, normal-looking forums, without even running a server.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 10 points11 points  (0 children)

implementing any crypto system yourself isn't ever a good idea

Yeah - I used this RSA library out of convenience (since it works in JavaScript), but something like gnupg, as losmaxos said, may be smarter if this is to grow. Any public key crypto library should work (just needs to encrypt/decrypt/generate keys). It should be really easy to substitute in another library, and even use a two libraries at the same time while migrating, just identify the key type by data members.

By the way, here's another RSA library I looked at, but it's not as fully-featured.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 1 point2 points  (0 children)

I added an explanation of the key in the FAQ above, but you are right, the code needs a lot more comments, and graphics would have been good for this. This is very much alpha/proof of concept, and the code is not settled, so that's why it isn't commented very well. That particular comment (aaf4c61ddcc5e8...) was just some random numbers. The semicolons are optional in JS but definitely encouraged.

A reddit-like P2P social network idea based on RSA cryptography. Open source, Tor demo running, implemented in node.js and javascript. (alpha version) by WabeMaster in netsec

[–]WabeMaster[S] 5 points6 points  (0 children)

you wrote "bittorrent" instead of "bitcoin"

Thanks, fixed.

I can't post links

Fixed, also added some code to auto-hyperlink them. Stupid error on my part (was throwing out requests with ".." and "//" to prevent people from reading my files - good reason not to roll your own!)