N reasons why the spooks love Tribler

Great security analysis of promises-to-make-bittorrent-anonymous app Tribler

TLDR: Do not use this if your threat model includes active attackers, adversaries versed in cryptography, those with lots of money, or if you wish to be anonymous.

Many problems come from using sources of “random” numbers that are pseudorandom (ie. not really random) and inappropriate (dangerous!) for cryptographic use.

Most of the fixes require major revisions to the wire protocol.
As it appears that there is no versioning, how that will be done is left as an exercise for the student.

A junior developer worth his laptop shouldn’t create a protocol (or an API!) without versioning. One wonders about the thought process of the development team.

Hat tip to MadBitcoins for the link.

  Updated
Larry Salibra

About

I'm an entrepreneur and Engineering Partner at Blockstack where I'm building a new internet for decentralized apps. More about me.