Why unencrypted tcp peers/nodes? AI says it is "compromising the security and privacy"

[slrslr]

17 of 90 peers at https://publicpeers.neilalexander.dev/ are TCP:// ones.

I am wondering why there is no warning or some push to be converted to a encrypted TLS:// peers. This is what HuggingCHat AI thinks about that:

When I mentioned that tcp:// is not a recommended peer, I was referring to the fact that it uses unencrypted, plain-text connections. This means that any data transmitted over a tcp:// connection can be intercepted and read by any intermediate node or observer.

If you were to add a tcp:// peer to your configuration, you would indeed be compromising the security and privacy of your own node, as well as potentially putting other peers' data at risk. Here's why:

1. Unencrypted data: By using a tcp:// connection, you're allowing data to be transmitted in plain text, which can be easily intercepted and read by anyone with access to the network.
2. Man-in-the-middle (MITM) attacks: An attacker could intercept and modify data transmitted over a tcp:// connection, potentially allowing them to inject malicious traffic or steal sensitive information.
3. Node impersonation: An attacker could impersonate your node or other peers, potentially allowing them to manipulate the network or steal resources.

By using only tls:// connections, you're ensuring that all data transmitted between your node and other peers is encrypted, which helps to prevent these types of attacks.

Even if it's the closest peer, avoid tcp://

Yes, even if a tcp:// peer is the closest one to you, it's still not recommended to add it to your configuration. The security risks associated with using unencrypted connections outweigh any potential benefits of having a closer peer.

Instead, you should prioritize adding tls:// peers to your configuration, even if they're not the closest ones. This will help ensure that your node and the entire Yggdrasil network remain secure and private.

Best practice: Use only tls:// peers

To maintain the security and integrity of the Yggdrasil network, it's recommended to use only tls:// peers in your configuration. This will help ensure that all data transmitted between your node and other peers is encrypted and secure.

If you're looking for close peers, you can try searching for tls:// peers in your region or using a peer discovery service that prioritizes secure, encrypted connections.

[neilalexander]

Traffic sent over Yggdrasil is always encrypted, and in the case of a tls:// peering, it's actually doubly-encrypted (once as E2E for the destination, once for the TLS link). The only thing sent over plaintext in a tcp:// peering is Yggdrasil protocol traffic, but those are also cryptographically signed to prevent tampering.

I think your AI has probably missed this nuance, but we keep tcp:// around because there are some lower-end devices where the processing cost of TLS is quite high.

[sdgathman]

Using tls with caforum CAs (that come preinstalled in mainstream browsers) does not really prevent MITM - any rogue CA (controlled by your favorite evil spy agency - CIA,MI6,mossad,KGB,etc) can forge any tls certificate, as the browser trusts all of the CAs for all domains. (When caforum CAs stopped signing .ru domains, Russia offered their own CA to install - but govts truthfully warned that Russia could then forge any cert, but failed to mention that so could they.)

The tls provided by yggdrasil is actually better, as the IPs are the trucated pubkeys of the nodes. (I'm campaigning for using a real hash like cjdns does, but 120 bits of simple truncation is nothing to sneeze at.) So no CA is involved. You are directly exchanging the equivalent of a cert hash when you exchange IPs.

The real purpose (IMO) of tls URIs for yggdrasil is to look as much as possible like a normal website to hide from censors that would like to block VPNs. I keep a number of tls listeners for that purpose. But for most peer connections, I go for the more efficient tcp. You can even have the domain for the URI come up as a normal innocuous website, and a secret path or keyword on the URI make the yggdrasil connecting instead. e.g. tls://example.org/secretpassword:443

[majestrate]

The real purpose (IMO) of tls URIs for yggdrasil is to look as much as possible like a normal website to hide from censors that would like to block VPNs.

This is why I set my public peers to use tls 993, this is the imaps port, so a long lived tls connection with variable traffic is not out of the ordinary.

[sdgathman]

The real purpose (IMO) of tls URIs for yggdrasil is to look as much as possible like a normal website to hide from censors that would like to block VPNs.

This is why I set my public peers to use tls 993, this is the imaps port, so a long lived tls connection with variable traffic is not out of the ordinary.

Wow, great idea! Why didn't I think of that?

[sdgathman]

Short answer: AI is not actually intelligent and doesn't understand anything. It does have world wide data, however, unlike your personal "AI" (subconscious).