> > And you really can't have a forum without pseudonyms. Users will create them on their own (by including a nickname in their posts) even if you don't build it in.
> That's human self-incrimination. As long as this is safe for a one-time user... I have some basic semblance of security
So this is not anonymous reddit, then. That is much less useful, and it had better be extremely clear to users that they should only use it in that way.
> > There is an easy so-called "intersection attack"... The actual author will always be present,... and so eventually only the author will remain in the intersection.
> The actual author won't always be present. The posts start at a point, but they do not need the author to be present to continue distribution.
In this attack, the adversary would need to be one of Alice's peers most of the time. If he isn't, though, because Alice only connects to a few peers consistently, then he can at least identify one of those consistent peers. That serves as a focus for attack, say by denial of service.
> > Tor will not solve the problem here if users have to be able to receive incoming connections.
> The users do not need to accept incoming connections. There are some very restrictive routers that refuse to be UPnP port mapped, and Aether works fine on them.
So to actually be undetectable as using Aether, you can't accept connections. Then you have to hope that enough users are connecting for the anonymity and not the undetectability, or you'll have to provide some infrastructure nodes.
> > and so an adversary can just connect to the network to discover who to block or punish.
> For this, the roadmap is to have a 'protected' node which refuses all connections from nodes except those who are explicitly marked as trusted.
Great, if you promise undetectability, then this should be the default. Of course, that makes connectivity a challenge (what if everybody you trust doesn't accept connections because they also want to remain undetectable?).
> > The bootstrap IPs can obviously be easily blocked.
> It does not rely on the bootstrap IP. If you have installed the application, it asked you in the onboarding process for the IP and port of a friend
Sounds good!
> > The votes are not anonymous, which is unlikely to be clear to users and which are nearly as sensitive as authorship itself.
> They point to node IDs, which are not users, but machines.
I don't understand the distinction being made here. In any case, the upvote is observed as coming directly from some IP. That is the identifier to worry about. As far as privately gauging the popularity of the post, I don't exactly understand what you need here, but there may be some crypto solutions that could work. Unfortunately, post popularity seems easily spoofed to me.
> > Denial-of-service here is as simple as flooding the network with "forwarded" posts and votes.
> Well, those posts won't get upvoted, and will get stuck in spam filters and upvote thresholds of users. None of those are implemented yet, of course, but this doesn't seem to be a structural problem.
What about the mechanism to prevent extinction of a post? Doesn't that spread a post without upvotes? And why can't I create a network of Sybils to upvote my spam posts? Also, spam filters are a UI mechanism, if I understand what you mean. I am talking about consuming network and memory via protocol flooding.
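
Added example, not part of the thread and not Aether's code: a small simulation of the intersection argument debated above, contrasting a one-time poster with a pseudonym that links many posts. It assumes a simplified model in which an observer learns which nodes were online when each linked post first appeared; the function name, `author_presence` and all parameter values are hypothetical.

```python
import random

def linked_post_anonymity(n_nodes=200, p_online=0.5, n_posts=40,
                          author_presence=1.0, seed=1):
    """Track the candidate-author set across posts linked by one pseudonym.

    Assumed model (not Aether's protocol): node 0 is the author; every other
    node is online independently with probability p_online at each post; the
    author is online with probability author_presence when a post appears.
    Returns (remaining candidates, candidate-set size after each post).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    author = 0
    candidates = set(range(n_nodes))
    sizes = []
    for _ in range(n_posts):
        online = {n for n in range(1, n_nodes) if rng.random() < p_online}
        if rng.random() < author_presence:
            online.add(author)
        # Anyone offline when the post appeared is ruled out as its author.
        candidates &= online
        sizes.append(len(candidates))
    return candidates, sizes

if __name__ == "__main__":
    # One-time user: a single observation leaves a large anonymity set.
    _, one_shot = linked_post_anonymity(n_posts=1)
    print("one post        ->", one_shot[0], "candidates")

    # Pseudonym reused for 40 posts, author always online when posting:
    # the set shrinks roughly as n_nodes * p_online**k.
    left, sizes = linked_post_anonymity(n_posts=40)
    print("40 linked posts ->", sizes[::8], "remaining:", sorted(left))

    # Posts appear while the author is online only half the time (for
    # example, released later by another node): the strict intersection
    # then excludes the real author and the inference breaks down.
    left, _ = linked_post_anonymity(n_posts=40, author_presence=0.5)
    print("decoupled posts -> author still a candidate:", 0 in left)
```

The design lesson is in the contrast: anonymity for a single post does not carry over to a reused nickname unless the time a post appears is decoupled from the author's presence.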
> So this is not anonymous reddit, then. That is much less useful, and it had better be extremely clear to users that they should only use it in that way.
Depends on how you emphasize that sentence. It's reddit, but its anonymity is weaker on certain fronts and stronger on others. If used as a one-shot device, it's pretty good. Otherwise, there are the issues you mentioned (which I plan to fix, to my best).
> So to actually be undetectable as using Aether, you can't accept connections. Then you have to hope that enough users are connecting for the anonymity and not the undetectability, or you'll have to provide some infrastructure nodes.
Correct.
> Great, if you promise undetectability, then this should be the default.
I do not promise undetectability, but it exists under certain circumstances. I will explicitly note those circumstances and mark undetectability as a side benefit only under those conditions.
> I don't understand the distinction being made here. In any case, the upvote is observed as coming directly from some IP. That is the identifier to worry about.
The distinction is largely academic, as you said. If you have a cryptographic solution to that, I'd love it if you could point me in the right direction.
> And why can't I create a network of Sybils to upvote my spam posts?
You can, but users can also block your nodes, or (we're really going into the medium-term future here) your nodes would be placed in blocklists, whose users (people who accepted them) would deny you from connecting to them. (This is a half-baked idea as of now: who maintains those lists, etc.) This is a thorny problem. By spam filters, I meant less of an actual after-the-fact spam filter, and more of a "block this guy out, refuse connections" kind of filter. Sorry for the wrong choice of words.
All in all, very fair points I need to work on. If you would be interested in taking a look once in a while to point out where the logic holes are, I'd really appreciate your voice in development. If you'd be interested in helping out, send a mail to me (burak@nehbit.net); I would try to run more important things by you before implementing to see if there are any obvious holes.