Author Topic: i2p Discussion: Discussing migrations/coexistence  (Read 279 times)

whom

  • Full Member
  • ***
  • Posts: 226
  • Karma: +87/-4
i2p Discussion: Discussing migrations/coexistence
« on: October 31, 2013, 01:15:53 am »
We've all had a number of threads going across various non-Security forums that always end up on the topic of i2p, so I thought I'd try to combine some of the more technical posts into this thread.   Mostly to avoid spamming every other board with obscure technical discussions.   

It's not crazy to think that at some point, large hidden services may exist outside of just Tor. And while the Tor client/server concept is familiar to most of us here, I'm starting to wonder how i2p changes that picture.

i2p's model is just *different*.  Will post some of the things I'm wondering about below.. wanted to quote at least two of the more specific threads from the past week to open up a more technical discussion on i2p.


Can't speak to markets, but I know a bit about i2p.

It's not all that different from Tor, but some of the differences are appealing:

1. Every i2p user (who wants a decent experience) routes traffic for other i2p users.  This makes it more difficult for adversaries to identify what traffic *you* are sending, since your IP is also sending traffic for me.
2. Peer to Peer works much better.   Tor is built on a model where you are either a client OR a server.   i2p blurs that line to a greater degree.
3. It's built for hidden services.. that's really what it's made for. 
4. It has large amounts of torrent traffic running across it.  Which is decent cover traffic.
5. It has some interesting services built on top of it.  i2p bote is an intriguing messaging option. 

The user experience is a little different.   Fire-and-forget clients don't fare as well on i2p.. if you're not willing to stay connected nearly 24/7, you don't get much bandwidth, and the whole experience sucks.   So instead of firing up Tails at a coffee shop to hop on Tor, serious i2p users are connected, from home, 24/7.

Security-focused clients on Tor tend to focus on isolation.. making sure your browser stays within Tor.  But since i2p doesn't do a good job getting you to the clearnet (there's no concept of exit nodes.. and I think they're down to one out-proxy), users will have to rethink how they set things up.   It's not too hard to set up a hybrid solution that will get you to i2p, and send all your other traffic via Tor.

What I like about i2p's model (everybody routes for everybody) is that everybody pays their own way, without exchanging cash.   Contribute more bandwidth, get better service. Don't want to contribute any bandwidth?  That's weird, it sucks.

It's also more resource-intensive.  i2p is written in Java, so it uses significantly more resources (memory in particular) than a compact, C-based Tor process.   The Java-based server code probably has more attack surface than the Tor process..

Security-wise, i2p is more of an unknown.  It hasn't had the academic focus that Tor has, so there isn't a lot of information available like there is with Tor.   i2p should be somewhat more difficult for a passive global adversary to monitor effectively.  But not significantly hard *enough* that they couldn't do it if they set their minds to it.   It's not a silver bullet, but it's different enough that they'd need to retool some things if they wanted to stalk it like they do Tor.   

It's every bit as susceptible to Sybil attacks (basically, standing up a shitload of malicious nodes) as Tor is, probably more in some ways. At the old forum, kmfkewm made a comment that the recent Tor botnet could have chosen to fully deanonymize every user if we were talking about i2p, and he was right about that.

I don't think it's worse than Tor, and I think it has some advantages.  But it has some downsides, too.

Part of a great post by cerdo in the main Discussion forum:
One thing that I am curious about is why we don't hear more about I2P. So far, I have not heard of any markets making use of the I2P network. There is a general lack of penetration testing and security auditing when it comes to I2P compared to Tor, but I would really like to see more interest in I2P. The way this war will be won is ultimately through decentralization. Unfortunately, the technology for a truly decentralized market is just not quite there yet (although there is some interesting progress being made, none of which is public yet, which I think is a double-edged sword).

I2P certainly provides a faster and more robust network, and it was designed from the beginning with the goal of hosting anonymous services. Tor is exactly the opposite; being designed to anonymize users and happens to have a feature to allow those anonymous endpoints to host services.

It seems that the packet-switched nature of I2P (vs the circuit-switched nature of Tor) and its fully distributed nature makes it a much better candidate overall...

On the downside, two big things I2P has against it:
*) Serious lack of peer review/auditing
*) No idiot-proof out-of-the-box browser bundle (wouldn't be hard to build such a thing though)


Has anyone thought about making use of I2P for a next-gen black market?

Does anyone have any thoughts on I2P vs. Tor?

Sorry for the long, rambling post... Those dexies are talkin' to a nigga... ;)

whom

  • Full Member
  • ***
  • Posts: 226
  • Karma: +87/-4
Re: i2p Discussion: Discussing migrations/coexistence
« Reply #1 on: October 31, 2013, 01:41:34 am »
Some things I've been thinking about regarding the right i2p client model.  I'm awful about posting fifty questions at once, so if anybody thinks they have an answer to even part of one of them, feel free to pick and choose.

The usual Tor client model (TBB<Tails<Whonix<Qubes<Physical Isolation) has to change somewhat with i2p.

1. How secure/insecure should we all view the i2p Java router process as? It's definitely miles more code than Tor, and it's Java.   Should it be isolated from the host machine more than the Tor process is?

2. i2p is easy to mix with Tor.  A proxy server (privoxy/etc) can send *.i2p requests to the i2p router, and everything else to Tor.   Or a browser can do it with FoxyProxy or the like.   Are there anonymity implications to being on both networks at once?

3. At the point where users are staying connected to i2p 24x7, what's the right setup for clients?   How much should they isolate?

I almost wonder if, given the complexity of dual i2p/Tor for many users, it's not easier to pick a cheap hardware platform (Raspberry Pi / CubieBoard / BeagleBone Black) and build a middlebox Tor/i2p node for physical isolation. 

Has anybody played with i2p bote?  I don't care at all for the idea of the messaging app on the i2p router, but it looks like a decent Kademlia DHT-based messaging system.  Just looks like it'd make isolating the i2p router complicated.
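
The split described in question 2 above (*.i2p requests to the i2p router, everything else to Tor), written as a browser proxy auto-config (PAC) function. This is an added example, not part of the original post; the proxy addresses are the usual local defaults and are assumptions, and refusing local names and IP literals is a choice made for this example.

```javascript
// Added example: PAC-style routing for a dual I2P/Tor browser profile.
// Assumed defaults: I2P HTTP proxy on 127.0.0.1:4444, Tor SOCKS on 127.0.0.1:9050.
const I2P_PROXY = "PROXY 127.0.0.1:4444";
const TOR_PROXY = "SOCKS5 127.0.0.1:9050";
// Sink on the local discard port: a refused request fails instead of going DIRECT.
const BLACKHOLE = "PROXY 127.0.0.1:9";

function normalizeHost(host) {
  // Lower-case and strip the trailing dot of a fully qualified name.
  let h = String(host || "").toLowerCase();
  if (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

function isLocalOrLiteral(h) {
  // This example refuses single-label names, localhost and IP literals
  // rather than sending them through either network.
  if (h === "" || h === "localhost" || !h.includes(".")) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return true; // IPv4 literal
  return h.includes(":");                              // IPv6 literal
}

function FindProxyForURL(url, host) {
  const h = normalizeHost(host);
  if (isLocalOrLiteral(h)) return BLACKHOLE;
  // Match on the last label only, so "site.i2p.example.com" is NOT treated as I2P.
  const tld = h.slice(h.lastIndexOf(".") + 1);
  if (tld === "i2p") return I2P_PROXY;
  // Everything else, including .onion, goes to Tor. No "DIRECT" fallback anywhere.
  return TOR_PROXY;
}
```

PAC helpers such as dnsResolve() and isInNet() resolve names on the local machine, so the function matches on the hostname string only.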


Wonton

  • Full Member
  • ***
  • Posts: 134
  • Karma: +12/-3
Re: i2p Discussion: Discussing migrations/coexistence
« Reply #2 on: October 31, 2013, 03:13:42 pm »
i2p Bote was an interesting concept, but no one seems to be talking about it much since bitmessage became popular. Can only be used within the i2p network also. Because i2p is more difficult to use than tor and really needs to be left on 24/7 it will never become as popular as tor.

kok

  • Jr. Member
  • **
  • Posts: 98
  • Karma: +12/-16
Re: i2p Discussion: Discussing migrations/coexistence
« Reply #3 on: November 01, 2013, 12:18:22 pm »
I2P simply is not secure, especially not for vendors. BitMessage is also not secure, it is even worse than I2P in many ways.

Dread Pirate Roberts

  • Captain
  • Administrator
  • *****
  • Posts: 566
  • Karma: +552/-41
Re: i2p Discussion: Discussing migrations/coexistence
« Reply #4 on: November 01, 2013, 01:54:22 pm »
From a market perspective, I2P is not very beneficial. It is stated above that I2P favors clients who offer bandwidth to the overall network and therefore will discriminate against those unable to do so, particularly when we consider most Tor users simply log in and then turn it off when they are done since I2P needs time to propagate throughout the network to pick up "circuits" as the Tor comparison. Therefore users who are not always connected will find it more difficult to connect to a market site which can significantly deter a new userbase or those not involved in the community and simply want to make a purchase.

I2P is also designed for activities such as hidden sites, torrenting and a manner of other issues you wouldn't want to do over clearnet and for this reason could be further portrayed in the media as a true darknet which has limited purpose for legitimate establishments. If the network is unable to maintain a legitimate cover also this can very easily pit politicians against it and could eventually put it in the same position torrenting is in for example whereby ISPs will threaten to cut connections if users are found as part of the network, where Tor would be a harder structure to do this against since it can blend into regular traffic better than I2P at the moment.
Quote 23: Criticism has plucked the imaginary flower from the chain not so that man may continue to bear the chain without consolation or fantasy but so that he may throw off the chain and cull the living flower.