I looked briefly into the messenger, and its peer-to-peer concept relying on OpenDHT certainly has some side-effects. Just by running an OpenDHT node one can get an idea of what users are on the network and look up their names (some chose to use their full names).


I'm not sure what percentage of user IDs you will see passing by. Another concern, however, is that the majority of the OpenDHT traffic appears to be originating at OVH-hosted nodes, not actual users. These should be able to associate your user ID and IP address.

And not just that, these nodes (presumably run by the project) can see who is talking to whom as they deliver messages.

What if NSA or somebody else decided to run a dozen nodes? How much of the network graph would they see this way?

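The "how much of the network graph would a dozen nodes see" question in the post above can be put in numbers with a toy model. The following simulation is an added example, not code from the thread or from OpenDHT: it assumes a Kademlia-style DHT (160-bit SHA-1 IDs, XOR distance, values stored on the K=8 nodes closest to the key) and a messenger that puts each message under a key derived from the recipient's ID. Node names, user names and the traffic are constructed. A node that stores a value sees the sender's put and the recipient's later get, so every storing node the adversary controls yields one sender-to-recipient edge; merging the logs of all adversary nodes gives the observed fraction of the graph. The targeted mode additionally assumes the DHT does not certify node IDs, so an observer can pick IDs next to one user's key.

```python
"""Toy model of metadata exposure in a Kademlia-style DHT (assumption: not
OpenDHT's real parameters).  All IDs, user names and traffic are constructed."""
import hashlib
import random

K = 8  # size of the closest-node set that stores a value (assumption)


def dht_id(label: bytes) -> int:
    """Derive a 160-bit DHT ID from a label (user name or node seed)."""
    return int.from_bytes(hashlib.sha1(label).digest(), "big")


def closest_nodes(nodes, key, k=K):
    """The k nodes with the smallest XOR distance to key."""
    return sorted(nodes, key=lambda n: n ^ key)[:k]


def simulate(n_honest, n_adversary, n_users=100, n_messages=1000,
             target=None, seed=1):
    """Return (fraction of all sender->recipient edges the adversary saw,
    fraction of edges into `target` it saw; 0.0 when no target is given).

    target=None: adversary nodes join with random IDs.
    target="userN": adversary nodes choose IDs within 2**20 XOR distance of
    that user's key, which makes them the closest nodes for it (assumes the
    DHT lets nodes pick their own IDs).
    """
    rng = random.Random(seed)
    honest = [dht_id(f"honest-node-{i}".encode()) for i in range(n_honest)]
    if target is None:
        adversary = {dht_id(f"adv-node-{i}".encode()) for i in range(n_adversary)}
    else:
        tkey = dht_id(target.encode())
        adversary = set()
        while len(adversary) < n_adversary:
            adversary.add(tkey ^ rng.randrange(1, 1 << 20))
    nodes = honest + list(adversary)
    users = [f"user{i}" for i in range(n_users)]

    edges, seen = set(), set()  # real graph vs. the adversary's merged view
    for _ in range(n_messages):
        sender, recipient = rng.sample(users, 2)
        edges.add((sender, recipient))
        # The message is put under the recipient's key; the K closest nodes
        # store it and therefore learn who sent it and who fetches it.
        storers = closest_nodes(nodes, dht_id(recipient.encode()))
        if any(n in adversary for n in storers):
            seen.add((sender, recipient))

    overall = len(seen) / len(edges)
    if target is None:
        return overall, 0.0
    into = {e for e in edges if e[1] == target}
    targeted = len(seen & into) / len(into) if into else 0.0
    return overall, targeted


if __name__ == "__main__":
    for m in (0, 12, 100):
        print(f"{m:3d} random adversary nodes among 500 honest: "
              f"{simulate(500, m)[0]:.0%} of edges observed")
    print("8 nodes placed next to user0's key: "
          f"{simulate(500, 8, target='user0')[1]:.0%} of user0's inbound edges")
```

With K storing nodes per key and m random adversary nodes among N, each message is seen with probability roughly 1 - (1 - m/N)^K, so a dozen nodes in a population of a few hundred already expose a noticeable share of who-talks-to-whom, and an observer that can choose node IDs does not need many nodes at all to cover one user completely. Real iterative lookups contact more nodes than the final K storers, so the random-placement figure is a lower bound for this model.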

That's the issue I see here: end-to-end encryption is great, but a setup where any party can start collecting metadata fairly easily probably isn't too privacy-friendly. And the issue is known of course, so devs recommend using a VPN or Tor.



Note that with a central server instance one has many of the same concerns - but compromising a server is a bigger hurdle than running a bunch of OpenDHT nodes, and there is also a higher chance that some irregularities will be noticed.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.