Security recommendations

[mparramont]

https://lists.torproject.org/pipermail/tor-dev/2014-December/007999.html

[devinacker]

What a complete minefield of worst practices. i think anyone with more than a week of practical crypto experience would probably start sobbing uncontrollably at that RSA implementation, let alone anything else mentioned in that post

[moritzuehling]

Yep. A TL;DR for users: Don't use this.

Explanation for those not that fond of crypto:

They are doing almost everything wrong that you can do wrong.

Examples (all from the mail, so nothing new here):

• Not using random number generators (RNGs) properly.
  RNGs are the base of good encryption. The create the "keys" with that everything is encrypted.
• They are implementing their own cryptography functions (namely RSA).
  You should never do that. Always use library code. They made themselves vulnerable against attacks¹ through their own implementation.
• The symmetric encryption is ECB-AES128, without authentication.
  This algorithm is insecure in some ways and should never be used over the network. Not even as test.

You never ever should use this software if you have anything to hide. If you don't, don't use it either.

^{[1] One example of this: It is vulnerable against timing-attacks.}

[synctext]

Yes, clearly a solid ToDo list.
Both random and ECB was on the ToDo list. We have another 10y left..
Sadly we did not use more disclaimers on our website, the one on anomymity.html is too little.

Our strong point is scalability, 340million Bittorrent users moving to Tor would utterly break things. With Tribler it possibly might not break, it evolved for 10 years with scalability as the key constraint and test requirement.
[update: the random() dead code is now deleted]

[lloydeverett]

Frankly, this is disgusting. You don't have a strongpoint. The whole point of this software is to provide anonymity – something you've failed so badly at that you've made it to the top of /r/programming and hacker news.

It would be fine if this was disclosed openly, but you didn't do that whatsoever. Saying that your anonymity feature is untested on some obscure page doesn't count. Not even remotely, especially considering your "anonymity" amounts to nothing more than a pile of dead authentication code.

Here's what the guy who posted this on reddit (/u/w3m2d) said:
"There are at least 2 categories of common software where marketing crap is totally unacceptable - databases, where buggy junk might ruin someone's life through corruption, and security, where buggy junk might at least end you with a legal letter or perhaps even torture."

And then there's this:
"Work on Tribler has been supported by multiple Internet research European grants. In total we received 3,538,609 Euro in funding for our open source security research. Roughly 10 to 15 scientists and engineers work on it full-time."

Please, use your huge pile of money to get someone to edit your damn home page with a warning instead of setting 10-year deadlines.

Edit: reddit and <a href=https://news.ycombinator.com/item?id=8780313>hacker news thread

[DanielJoyce]

3.5 million for something this buggy?

[NielsZeilemaker]

@devinacker let me write a quick comment as to why I made yet another custom RSA implementation. I wrote a paper which was published in WIFS 2013 http://dx.doi.org/10.1109/WIFS.2013.6707798.
In this paper I implemented/evaluated three different approaches to the PSI and tested their applicability in a P2P system.
One of these approaches used RSA, which if used in unpadded mode (http://en.wikipedia.org/wiki/Homomorphic_encryption#Unpadded_RSA) has homomorphic properties. However, neither M2Crypto/PyCrypto allowed me to generate such an compatible key. Therefore, I wrote a small piece of python which allowed me to do so, hence the "compatible_key" method https://github.com/Tribler/tribler/blob/devel/Tribler/community/privatesemantic/crypto/rsa.py#L23.
This shouldn't be used in the wild, and the RSA stuff isn't used in the tunnels.

I just submitted a pull request which fixes the dodgy optional_crypto file, by removing the optional part.
If you have any other remarks, feel free to post them.

[Baigle-zz]

Normally when software is criticized like this and its flaws are thrown all over the internet there is no attempt to soothe the worried minds of the public or fix the most publicized issues, but you guys are different. You guys seem to actually listen and actively try and improve on aspects of the software and I am highly appreciative of that and wish there were more like you.

One step at a time I believe this project will turn into something great. Thank you, you give me hope in the software and especially the cause behind it regardless of the 10y time period for the ToDo list. Keep up the good work, and don't feed the trolls people, please!

[NielsZeilemaker]

Obviously this isn't the result of 10y of work, however we do need to get this right. I feel that most issues were caused by us being seriously clumbsy, and hopefully we can improve upon this less than desirable beginning of the tunnels.

[ghost]

Thanks for being open and willing to improve.

[fartwhif]

These things need to be fixed. It was disappointing to read this inflammatory critique. I wanted to use Tribler as a base for so many things.

But seriously, the devs need to learn crypto before they continue working on this, if they're responsible enough!

But I am glad that there's a "crypto cleanup" branch being worked on.

[Baigle-zz]

They are actively working on it, but they have lives over the holidays, too.
#1066

http://cryptopals.com/

😺

[NielsZeilemaker]

I'm closing this one as we're working on substiantial improvements together with the author of the original mailing. See #1066