From @longears on Thu Jun 09 2016 17:23:42 GMT+0000 (UTC)
I understand that the current IPFS implementation is not focused on privacy and anonymity. That being said, what could be done about this attack:
- You visit a web page on your local gateway
- JavaScript on that page requests various known hashes from other pages. By timing how long it takes to load, it learns what’s already cached and what isn’t.
- The web page now knows what other pages you’ve visited via IPFS, and possibly when (if that page has content that changes often).
Some mitigations could be:
- Add a command line flag for the daemon to automatically clear your cache (`ipfs repo gc`) every N minutes. This might interfere with other things you were doing at the same time (e.g. adding files using the new files API doesn’t pin them immediately)
- Add a command line flag to disable the cache completely (don’t keep blocks that are unpinned)
- Add a command line flag to add a random latency to the local HTTP gateway
Mitigations that wouldn’t work:
- Running IPFS behind Tor would hide your ip address but wouldn’t stop this attack. This might even be a way to de-anonymize Tor users by examining their browser history. Should Tor users clear their IPFS cache after each page load?
- At first it seems that this attack wouldn’t be useful because if anyone else has already attacked you, your cache will be full of known hashes and later attackers will think that you’ve visited every single one. But a site may contain so many hashes that each attacker could use a different one.
Copied from original issue: https://github.com/ipfs/faq/issues/132
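
A sizing check for the random-latency mitigation proposed in the issue above, as an added example that is not part of the original post or of the IPFS code base. It simulates how often a single time threshold still separates cached from uncached responses for a given jitter range; the latency ranges, function names and jitter values are constructed assumptions, not measurements of any gateway.

```python
import random

# Constructed latency model (assumptions, not measured on a real gateway).
CACHED_MS = (2.0, 10.0)       # block already in the local repo
UNCACHED_MS = (150.0, 800.0)  # block has to be fetched from the network first


def sample(rng, cached, jitter_ms):
    """One observed response time: base latency plus uniform gateway jitter."""
    lo, hi = CACHED_MS if cached else UNCACHED_MS
    return rng.uniform(lo, hi) + rng.uniform(0.0, jitter_ms)


def observer_error(jitter_ms, n=2000, seed=1):
    """Lowest error rate any single time threshold reaches when guessing
    'cached' vs 'uncached' from one response time. 0.0 means the jitter hides
    nothing; 0.5 means the guess is no better than a coin flip."""
    rng = random.Random(seed)
    obs = [(sample(rng, True, jitter_ms), True) for _ in range(n)]
    obs += [(sample(rng, False, jitter_ms), False) for _ in range(n)]
    obs.sort()
    # Threshold below every sample: all responses are called "uncached",
    # so each of the n cached samples is misclassified.
    errors = n
    best = errors
    for _, cached in obs:
        # Move the threshold just past this sample; it is now called "cached".
        errors += -1 if cached else 1
        best = min(best, errors)
    return best / (2 * n)


def sweep(jitters_ms=(0, 100, 1000, 5000)):
    """Error rate per candidate jitter range, for choosing the flag value."""
    return {j: observer_error(j) for j in jitters_ms}


if __name__ == "__main__":
    for jitter, err in sweep().items():
        print(f"jitter 0..{jitter:>4} ms -> best-threshold error {err:.3f}")
```

Under this model, jitter smaller than the gap between the slowest cached and the fastest uncached response changes nothing, and jitter several times larger than that gap is needed before a single measurement becomes close to ambiguous.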