>Each friend-to-friend connection is identified by their usernames and a shared secret.
Showstopper. I wanted to ASK how this beats retroshare. But without asymmertic keys you're kinda fd.
>On session establishment, temporary salted authentication and encryption keys are derived from the shared secret by each peer. The current implementation uses PBKDF2-HMAC-SHA512 (10000 iterations) for key derivation.
Please describe in more detail. Form what I read it highly depends in a really good implementation here to provide perfect forward secrecy.
>where secret exchange is made on our servers. Then a code is sent to both you and your friend so that your Teapotnet instance can fetch the secret through HTTPS.
Why don't you just do (authenticated) diffie hellman? Then your Server wouldn't need to know the key.
Sorry but just Form those few sentences i have to assume your crypto is shit and cant be trusted. I'm mobile right now so i didn't look at the source. After that I also probably won't.
Edit: german autocorrect while typing english is REALLY annoying. Sorry for all the typos.
Edit2: What The fuck? Why are there own sha512 and AES implementations? Use openssl! For nie i'd strongly advise Tod avoid until someone more skilled than me has reviewed this. But für crypto Reilly seems horrible.
Yeah, this looks like exactly the type of software you avoid if you actually need cryptographic security. Non-library versions of cryptographic primitives is a serious WTF, that stuff is abstracted for a reason.
What I've seen so far isn't a complete waste, but I'm still reviewing since I have nothing better to do this morning.
So far I've looked at how a crypto-secure schared secret is established with the "original method." It works just as you would expect. The author even made an attempt to ensure that different pairs of peers using the same input wouldn't generate the same secret by xoring the two usernames together. Of course, collisions are easy to generate and I don't see that the tracker's domain is included anywhere, but no serious attacks come to mind through this vector.
I'm not going to bother looking at the Facebook or email methods because the security there reduces to how much you trust your email provider or Facebook.
How is this conceptually different than, say, RetroShare?
edit: also, you keep comparing to DropBox, however, I can't find the crucial info - are the data saved somewhere outside the computer or not? If not, why the comparisons with DropBox?
I set up Retroshare on my home server and sent details to a dozen coworkers and friends (all in IT) that had previously used IRC / ftp for similar purposes. Not a single one decided to use it after varying degrees of trying it.
It seems like nowadays all of these services are trying to one-up each other on privacy and promises of good intention. My parents couldn't care less about their online privacy - they were storing their files by emailing them one-by-one as attachments. Anything is better than that system, so Dropbox really did wonders. This solution is hardly a Dropbox-killer, because its not made for the 99% of people who use email attachments to save their files.
I saw an ad for a product Western Digital is coming out with in this realm:
the "My Cloud" product itself is apparently total crap, but the idea will certainly be refined to serve a purpose similar to that of teapot. That is, glorified network file access.
it is impossible to setup and use without deciphering thirdparty guides. and even then it is awkward and painful to use. I wish they would restart with a useable GUI and highly limited but well working feature set.
Give permisson someone to download data on my computer. Simple as that. I don't understand why they compare themselves to DropBox and Google Drive. Furthermore this helps software/game/music/film... piracy.
Frankly, if I imagine a good piece of software for transferring legitimate files, with appropriate privacy/security and a good featureset, it would also be excellent for piracy.
[+] [-] lawl|12 years ago|reply
Showstopper. I wanted to ASK how this beats retroshare. But without asymmertic keys you're kinda fd.
>On session establishment, temporary salted authentication and encryption keys are derived from the shared secret by each peer. The current implementation uses PBKDF2-HMAC-SHA512 (10000 iterations) for key derivation.
Please describe in more detail. Form what I read it highly depends in a really good implementation here to provide perfect forward secrecy.
>where secret exchange is made on our servers. Then a code is sent to both you and your friend so that your Teapotnet instance can fetch the secret through HTTPS. Why don't you just do (authenticated) diffie hellman? Then your Server wouldn't need to know the key.
Sorry but just Form those few sentences i have to assume your crypto is shit and cant be trusted. I'm mobile right now so i didn't look at the source. After that I also probably won't.
Edit: german autocorrect while typing english is REALLY annoying. Sorry for all the typos.
Edit2: What The fuck? Why are there own sha512 and AES implementations? Use openssl! For nie i'd strongly advise Tod avoid until someone more skilled than me has reviewed this. But für crypto Reilly seems horrible.
[+] [-] tga_d|12 years ago|reply
[+] [-] bren2013|12 years ago|reply
So far I've looked at how a crypto-secure schared secret is established with the "original method." It works just as you would expect. The author even made an attempt to ensure that different pairs of peers using the same input wouldn't generate the same secret by xoring the two usernames together. Of course, collisions are easy to generate and I don't see that the tracker's domain is included anywhere, but no serious attacks come to mind through this vector.
I'm not going to bother looking at the Facebook or email methods because the security there reduces to how much you trust your email provider or Facebook.
I'll keep updating you guys if anyone cares.
[+] [-] 300bps|12 years ago|reply
[+] [-] runn1ng|12 years ago|reply
How is this conceptually different than, say, RetroShare?
edit: also, you keep comparing to DropBox, however, I can't find the crucial info - are the data saved somewhere outside the computer or not? If not, why the comparisons with DropBox?
[+] [-] hnha|12 years ago|reply
[+] [-] 300bps|12 years ago|reply
[+] [-] primitivesuave|12 years ago|reply
I saw an ad for a product Western Digital is coming out with in this realm:
http://www.pcmag.com/article2/0,2817,2424967,00.asp
the "My Cloud" product itself is apparently total crap, but the idea will certainly be refined to serve a purpose similar to that of teapot. That is, glorified network file access.
[+] [-] f_salmon|12 years ago|reply
- 100% decentralized/p2p (no central server)
- (public key) encrypted
- open-source
- does: file sharing, "emailing", chat, VoIP, forums, etc.
[+] [-] hnha|12 years ago|reply
[+] [-] ekianjo|12 years ago|reply
[+] [-] mknits|12 years ago|reply
Also Peerblock bloked access to this website.
[+] [-] harunurhan|12 years ago|reply
[+] [-] Malician|12 years ago|reply
[+] [-] infocollector|12 years ago|reply
[+] [-] re1ser|12 years ago|reply
Win7 x64
[+] [-] grishma|12 years ago|reply
[+] [-] Nux|12 years ago|reply
[+] [-] kseistrup|12 years ago|reply
[+] [-] httpteapot|12 years ago|reply
[+] [-] alupo|12 years ago|reply