Protocol characterisitics causing censorship ? Has it been taken into consideration?

image

This is how ZeroNet deals with censorship, using a self-signed TLS connection. I know there is wss transport, which probably works too. But why don’t we have a libp2p-tls too, as an alternative.

IIRC when the stream is not encrypted, it contains /multistream directly. This sounds like an easy target for censors. However changing the transport should be better, since encryption erases uncommon characteristics completely.

How is transport chosen when connecting a peer ? Could it be better if censorship-proof transports are preferably chosen when connecting to peers in censored regions ? Are there any other unencrypted handshakes that cause peers to banned ?

What should one do if she’s going to add a transport ? Fork js-ipfs ? sounds dirty.

In any case, I don’t mean making drastic changes against censorship, but isn’t it great to consider it.

1 Like

I launched jsipfs daemon with default config. The traffic seem to have no TLS stream at all. (No one uses Wss somehow ? Or does js-ipfs support Wss in the first place ? Or I have to enable it ?)

Most packets are fine, but about 2% of the packets are RST. Some of them are certainly GFW’s RST attack.

And even inside China there’s RST attack

Edit: There are discussions on TLS, but I didn’t find any news on TLS of js-ipfs

If you are worried about government censorship, you can use a vpn, if popular ones are banned then make your own proxy software – it’s simple, don’t use tcp, and do whatever you want

What if VPNs themselves are weaker than decentralized solutions in the first place ?

So?
ipfs is just a software to get resources like you can download a file with magnet links

It isn’t actually. They have bigger goals

It’s just their marketing, but it’s the same thing, the fact that they are not going to help you bypass governmental restriction of the freedom to access information on the internet despite they say their software is ‘interplanetary’ proves they actually just marketing the product to you.

You could say that, but theoretically they are independent. You can’t be completely pessimistic about humanity. Moreover, IPFS doesn’t technically belong them. If they fail to meet the goals, others will pick it up.

First the connection is always encrypted (there do exists an insecure mode but it is only used in testing, not in production).
The /multistream thingy you see is use to negociate which muxer and security is gonna be used:
Security:

  • secio (deprecated, not even provided by default you need a custom build)
  • noise

Muxer:

  • multistream (in the path of removal, like secio)
  • yamux (better)

Also QUIC does not do that, the quic transport have tls like properties, as far as you can see, it just negociate the security first.

HOWEVER.
Using TLS just to hide this wouldn’t change anything, because a bad actor could just try to contact the node and see if it respond libp2p things.
Secondly, you can scan the network and get a list of all / most nodes in the network.

Having more discrete transports wouldn’t help much because if I can just find you the DHT, that useless.

A more privacy friendly version would need to use an overlay network like tor or i2p.

Sadly, you are right, but maybe using TLS could make censors work a bit harder

Harder yes but I don’t even think that is worth the enginering effort. Given that they can just contact the node and try a libp2p handshake or browse the DHT.