[liberationtech] Introduction --- Haystack
Bram Cohen
bram.cohen at yahoo.com
Sat Sep 11 20:48:12 PDT 2010
Hey Daniel, thanks for posting this. I have some questions and comments.

I strongly urge you to use a BSD-style license rather than GPLv3. Using GPLv3
would ensure that nothing you ever released could be useful to other censorship
resistance or anonymity tools, which I don't think is your intent.

How efficient is your HTTP-based obfuscation code? That is, how much larger is
the obfuscated traffic than the non-obfuscated traffic?

How do you plan to block a malicious web site from grabbing info about the
client's IP address? For example, a Flash applet can look up the local machine
IP and communicate that back.

Why do you have client authentication? Your plans for that sound rather DRMish,
which is both unlikely to work and sounds counter to the goal of having lots of
users. If your goal is to limit information about the network which an attacker
can get from compromising one client, that should be done by having secrecy be
in the form of secret keys rather than secret code.

What is the reason for having separate exit nodes? They require extra bandwidth,
and don't block any obvious threats.

To be politically correct you should really use SHA-256 rather than SHA-1.

You should get your random data from /dev/urandom instead of using Mersenne
Twister. /dev/urandom doesn't have the ridiculous blocking properties that
/dev/random does, but is still cryptographically strong. There's an equivalent
service under Windows - I forget the name, but it's the thing which Python uses
for os.urandom.