In Thali identities are public keys. But typing in a 4 Kb RSA key or even a 512 bit EC key isn’t exactly easy. So how do users securely exchange their keys? Our original approach was using QRCodes. But lining up the phones, scanning the values, etc. is all a serious pain. So if ultimate security isn’t a requirement our backup plan is to use a variant of Bluetooth’s secure simple pairing with numeric comparison which itself is just an implementation of a coin-flip or commitment protocol
. The main downside of this approach is that it provides a 1:1,000,000 chance of an attack succeeding.
[Updated on 3/9/2015 with a new appendix, the last two questions at the end are new.]
Continue reading How do we exchange identities in Thali without making our users hate us?
base communication mechanism is Tor hidden services. This enables Thali devices to reach each other regardless of what NATs or Firewalls are in their way in a manner that is resistant to traffic analysis. But what happens when one isn’t on the Internet at all? We still want Thali devices to be able to communicate so a goal has been to support some kind of ad-hoc communication mechanism. That is, if two Thali devices are close enough to reach each other directly via a technology like Wi-Fi or Bluetooth they should be able to communicate securely and privately.
Ideally however we would go a step farther and use a technology that supports ad-hoc mesh networking. We list below some candidates but it is a bit early to jump on the mesh bandwagon. More on that in future articles.
The purpose of this article is to collect information on what appear to be the main players in the ad-hoc connectivity and mesh building contest.
[Note: This is a complete re-write of the existing Mesh Mess article.] [4/19/2017 - Updated with changes to BLE in Bluetooth 5.0]
Continue reading Thali and the Mesh Mess
I’ve joked for over a year now that if there ever was a HTML 6 its marquee feature would be Node.js. In other words I should be able to write a packaged app that sits on a device that has one part running in a browser/webview and another part running a local Node.js instance that I can use to accept incoming request. Furthermore I need to be able to build and deploy HTML 6 packaged apps on at least (but not at most) - Android, iOS, Linux, OS/X, Windows desktop and Windows RT. The purpose of this article is to lay out my nefarious plan for making HTML 6 packaged apps real.
Continue reading Making HTML 6 Packaged Apps Happen
The good news is that Node.js does run on Android. The bad news is that at least at the time I’m writing this the build process requires a few extra steps. Nothing too scary though. See below for details.
Continue reading Building and running Node.js for Android
Zooko’s triangle proposes that a global naming system can be human meaningful, distributed or impersonation proof - pick 2. Below I look at Pet Names, the traditional way of handling Zooko’s triangle. Then I look at proposals that claim to actually solve Zooko’s triangle and show several attacks that these systems don’t appear to solve and so argue that Zooko’s triangle still stands.
Continue reading Zooko’s triangle – I don’t think it’s solved in the real world
Investigated how well Java runs on iOS. The answer is - it runs. But it seems like there are issues. I enumerate them below.
Continue reading Investigating Java on iOS