[liberationtech] Introduction --- Haystack

Bram Cohen bram.cohen at
Sat Sep 11 20:48:12 PDT 2010

Hey Daniel, thanks for posting this. I have some questions and comments.

I strongly urge you to use a BSD-style license rather than GPLv3. Using GPLv3 
would ensure that nothing you ever released could be useful to other censorship 
resistance or anonymity tools, which I don't think is your intent.

How efficient is your http-based obfuscation code? That is, how much larger is 
the obfuscated traffic than the non-obfuscated traffic?

How do you plan to block a malicious web site from grabbing info about the 
client's IP address? For example, a flash applet can look up the local machine 
IP and communicate that back.

Why do you have client authentication? Your plans for that sound rather DRMish, 
which is both unlikely to work and sounds counter to the goal of having lots of 
users. If your goal is to limit information about the network which an attacker 
can get from compromising one client, that should be done by having secrecy be 
in the form of secret keys rather than secret code.

What is the reason for having separate exit nodes? They require extra bandwidth, 
and don't block any obvious threats.

To be politically correct you should really use SHA-256 rather than SHA-1.

You should get your random data from /dev/urandom instead of using Mersenne 
Twister. /dev/urandom doesn't have the ridiculous blocking properties that 
/dev/random does, but is still cryptographically strong. There's an equivalent 
service under Windows - I forget the name, but it's the thing which Python uses 
for os.urandom.

