Use the tor network as transport network - for hole punching and protecting privacy
“Welcome. LBRY takes privacy and choice seriously.”
This is the very first message that is shown when LBRY is first installed.
Privacy is hard to do right. A single bug or design flaw and your program leaks private data.
I would love if LBRY protected privacy so well, that even Burmese democracy activists could use this for activism without fear.
In Burma there is one ISP. And we can assume this ISP also has the resources to set up thousands of LBRY accounts and download every single LBRY video.
If this ISP with reasonable confidence can see which movie the activists are watching, it can mean prison time for the activists.
Does LBRY leak private data?
A simple ngrep will show that searches and video requests are sent in clear text:
T 192.168.1.33:36162 -> 51.89.41.46:50001 [AP] #454
{"jsonrpc": "2.0", "method": "blockchain.claimtrie.resolve", "id": 108, "params": ["lbry://@PROSA"]}.
T 192.168.1.33:36162 -> 51.89.41.46:50001 [AP] #9430
{"jsonrpc": "2.0", "method": "blockchain.claimtrie.resolve", "id": 117, "params": ["lbry://@PROSA#c/Vacciner-dit-viftekort#3"]}.
This is bad, because that can be seen by the ISP.
ngrep also reveals which blobs the activist requests:
T 192.168.1.33:45450 -> 51.210.220.149:5567 [AP] #95
{"requested_blobs": ["77416e376ab458b77e5d9db01634ecb647c8ad6d20abc8f4a00abe196905fd15b0aef1447b388c9144cea0a4a9890a9a"], "lbrycrd_address": true, "blob_data_payment_rate": 0.0, "requested_blob": "77416e376ab458b77e5d9db01634ecb647c8ad6d20abc8f4a00abe196905fd15b0aef1447b388c9144cea0a4a9890a9a"}
If an attacker has downloaded all videos, he will also have a blob file called: 77416e376ab458b77e5d9db01634ecb647c8ad6d20abc8f4a00abe196905fd15b0aef1447b388c9144cea0a4a9890a9a and he will know which video it came from. Even if the content of the blob is encrypted.
This is bad, because we can assume the ISP has the resources to download all videos and record their blobfile names. Thus the ISP can identify which video the activist is watching.
Even if the whole transport is encrypted, the sender would be able to see which blob (and thus which video) a given IP-address requests. If the ISP had all blobs for all videos and many accounts, chances are the activists will request at least one blob from the ISP.
This is bad because the ISP knows who is using the IP-address.
On top of this the ISP can throttle access to LBRY nodes outside Burma and thus increase the chances of one of their accounts being used as blob supplier.
So it is pretty clear that LBRY is leaking private data.
Tor
Tor is best known for Tor-browser. This makes it possible to access web pages that are censored in your home country. It also makes it hard for your ISP to see what you are doing.
Tor bandwidth
You may have experienced Tor-browser as slow. This is mostly due to the final hop, where your traffic is sent through an exit node. There are few of these and they are often overloaded.
But if your tor traffic never leaves the tor network, there is plenty of bandwidth.
Use Tor Hidden Services
Two tor nodes can contact each other using Hidden Services. This traffic stays in the tor network and never touches an exit node.
Data from the sender is bounced around 3 times before hitting a rendezvous point, after which data is bounced around 3 more times before reaching the receiver. This sounds slow, but in practice I experience a lag of around 500 ms: It is perfectly acceptable for running SSH through. By using multiple connections (e.g. by downloading multiple blobs in parallel) a throughput of 10 Mbps is no problem.
Setting up a hidden service is not hard: It is literally 2 lines in a config file. E.g. for ssh:
HiddenServiceDir /home/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
Instead of accessing hosts like 12.189.124.107, LBRY will access hosts like imuqkh75wp2chf5av5esqyyzgdmn4in763vs7ilu2rikbcek6e7qfsqd.onion
No need to deal with hole punching
Another great feature of Tor Hidden Services is that you do not need to deal with port forwarding and hole punching. There is no problem in having multiple machines behind the same NAT wall, and two machines behind NAT walls can access each other.
If your ISP does not block access to Tor, you can be part of the network. And Tor excels in getting around ISPs that try to block Tor.
Distributing Tor with LBRY
Tor is free software, so you are allowed to distribute Tor along with LBRY. So there is no need for LBRY users to also set up Tor.
Summary
Using the tor network as transport for LBRY solves several problems:
- It makes it harder to leak private data onto the physical network.
- It makes it harder to see who is using LBRY.
- It solves the hole punching problem.
On top of this you will be helping Tor: Tor is only safe to use if there are legitimate uses for Tor. If the only ones using Tor in Burma are democracy activists, it makes it easier for the government to identify those. But if millions of Burmese use it, then using Tor in itself will not raise a red flag. And it will be harder for the Burmese government to shut down tor, because many users will complain. Just like the Burmese government cannot shut down the internet without causing massive problems for the legitimate internet use.
I hope LBRY will consider using Tor as the transport network.
Issue Analytics
- Created 3 years ago
- Reactions:9
- Comments:8 (3 by maintainers)
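The leak described in the issue above can be turned into a repeatable check. This added example (not part of the original issue or of LBRY's code) scans an ngrep-style text capture from a test machine and lists every URL or blob hash that is readable in cleartext; the function name and the sample capture are constructed for illustration.

```python
import json
import re

# ngrep header line: "T <src>:<port> -> <dst>:<port> [flags] #n"
HEADER = re.compile(r"^T \S+ -> (\S+) \[\w+\]")

# Constructed capture in the same shape as the ngrep output in the issue
# (documentation-range addresses, made-up URL and blob hash).
SAMPLE = """\
T 192.0.2.10:36162 -> 198.51.100.7:50001 [AP] #1
{"jsonrpc": "2.0", "method": "blockchain.claimtrie.resolve", "id": 1, "params": ["lbry://@example#c/some-video#3"]}.
T 192.0.2.10:45450 -> 198.51.100.9:5567 [AP] #2
{"requested_blobs": ["%s"], "lbrycrd_address": true, "blob_data_payment_rate": 0.0}
T 192.0.2.10:45452 -> 198.51.100.9:443 [AP] #3
{.k.9..Q..x....
""" % ("ab" * 48)

def leaked_identifiers(capture: str):
    """Return (destination, kind, value) for each identifier readable on the wire."""
    findings, dst = [], None
    for line in capture.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            dst = header.group(1)
            continue
        if not line.startswith("{"):
            continue
        # ngrep shows unprintable bytes (here the trailing newline) as ".",
        # so cut the payload at its last closing brace before parsing.
        try:
            msg = json.loads(line[: line.rfind("}") + 1])
        except ValueError:
            continue  # not readable JSON, e.g. an encrypted payload
        if msg.get("method") == "blockchain.claimtrie.resolve":
            findings += [(dst, "url", url) for url in msg.get("params", [])]
        findings += [(dst, "blob", blob) for blob in msg.get("requested_blobs", [])]
    return findings

if __name__ == "__main__":
    for finding in leaked_identifiers(SAMPLE):
        print(*finding)
```

An empty result on a capture taken after a transport change shows that these two message types are no longer readable on the wire; it says nothing about what the remote peer itself can see.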
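How a client could reach an .onion peer as the issue proposes, as an added example that is not from the issue or from LBRY: a minimal SOCKS5 client that hands the hostname to a local Tor proxy instead of resolving it. It assumes Tor is listening on its default SocksPort 127.0.0.1:9050; all function names are hypothetical.

```python
import socket
import struct

# Assumption: a local Tor client listening on its default SocksPort.
TOR_SOCKS = ("127.0.0.1", 9050)

def connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928) that carries the hostname itself (ATYP 0x03),
    so the .onion name is resolved inside Tor and never by the local resolver."""
    name = host.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def _read(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def handshake(sock: socket.socket, host: str, port: int) -> None:
    """Run the SOCKS5 exchange on a socket already connected to the proxy."""
    sock.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
    if _read(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy did not accept the no-auth method")
    sock.sendall(connect_request(host, port))
    ver, status, _, atyp = _read(sock, 4)
    if ver != 5 or status != 0:
        raise ConnectionError(f"SOCKS5 connect failed, reply code {status}")
    # Discard the bound address so the stream starts at the peer's first byte.
    size = _read(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}.get(atyp)
    if size is None:
        raise ConnectionError(f"unknown address type {atyp} in reply")
    _read(sock, size + 2)

def open_peer(host: str, port: int, proxy=TOR_SOCKS, timeout: float = 60.0):
    """Return a stream to host:port (e.g. an .onion blob peer) through Tor."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        handshake(sock, host, port)
    except Exception:
        sock.close()
        raise
    return sock
```

Passing the name rather than an IP address matters here: resolving the hostname locally before connecting would send a DNS query outside Tor.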
Top GitHub Comments
I’m re-opening this because I think there are valid improvements outside the scope of already filed tickets. This should probably be processed by @lyoshenka or @eukreign.
I2P would also be an option.
Personally, though, I find the bullet list (“Benefits of Tor over I2P” on https://geti2p.net/en/comparison/tor) would weigh in favor of Tor: e.g. “Has already solved some scaling issues I2P has yet to address”. And in general: Tor has a proven track record, which will likely lead to fewer surprises.