This collection of networks offers no end-to-end encryption. Anyone with administrator access to an Instance can read anything that travels through that Instance’s infrastructure – including direct messages. The level of risk correlates with the number of cross-Instance interactions between users. If users from different Instances communicate, an attacker need only compel one Instance to reveal the direct messages between all of the interacting accounts. The centralised equivalents – Twitter, Tumblr, etc. – can cloak their users through governance and resources. In a peer-to-peer network without encryption, there’s no structure, no agreed-upon governance, and absolutely no protection. Compromising or compelling an Instance or its staff means that all of the network traffic is laid bare to its assailant.

I’d love to have a discussion on this (now fairly old) article which IMO has yet to provoke the kind of much-needed action on this topic that we, as a community of cypherpunks, are capable of.

  • udunadan@infosec.pub
    1 year ago

    Well, the malicious actors can set up their own instances as well and exploit the inherent trust between the participants by design. P2P sold as a security property in the scenario where participants are unknown and multiple in number is a misconception. It does not square well with basic security mindfulness, and shouldn’t be taken as an improvement in that regard.

    I think that federation and all this stuff is not about improving security, it is a form of grassroots communication based on certain principles. If you need security, you use other tools, and treat these things as public, hostile spaces.

  • fraksken@infosec.pub
    1 year ago

    While I agree that to the layman this may sound freaky, I would imagine it not being so much different than Google/Twitter/… where admins/moderators are much more plentiful, with full access to your accounts and data (no references, this is an educated guess). It’s the same with hosting e-mail for yourself and onboarding users. Full disclosure to the users: disks are encrypted, but messages are stored in plain text. Like the peer comment mentioned, for true E2EE, you’d use different tools than mail or PM messages on any message board.

    I do celebrate security and encryption, but best use them where it counts.

    • cyph3rPunk@infosec.pubOP
      1 year ago

      I agree, actually. However, I do think PMs are problematic in their current state because some users will send confidential information through those channels without realizing how easy it is for an admin to view that data in plain text.