What is the trust model?

[dcousens]

I haven't read too much into this project yet, but what is the trust model in use? Is there any way to verify [other than GitHub obviously] that you have been served the right repository?

[cjb]

what is the trust model in use?

@dcousens Here's a walkthrough:

Someone tells you "my username on gittorrent is dcousens".

You (a script running on your behalf) look in Bitcoin's blockchain and see which user ID owns 'dcousens'. This isn't something it's possible to disagree on without forking bitcoin.

You ask Gittorrent's DHT for the user profile (publication to a mutable value) for that user ID.

The user ID is a public key hash. You get a message signed by the private key corresponding to that (elliptic curve) public key, so you know that the user ID owned by dcousens published it.

The message contains the latest HEAD sha1 for each of dcousens' projects' branches on Gittorrent. You ask Gittorrent's DHT for the Git repo containing that sha1. Someone you don't know serves it to you. You verify that they gave you the right commits by checking that you ended up at the sha1 that dcousens published and signed as being correct, after your Git checkout of the objects you received is done.

Does that make sense? There is no trust required in me as a server operator, other than to keep the network running. I can't lie to a user who's read your signed message about what data they're getting, because they'll check against the signed payload themselvess.

(Oh, I should be clear that there are two modes here -- the above describes Gittorrent-only cloning, no interaction with github.com at all. Doing a clone from github is easier than the above, since we just trust github to tell us what the latest known sha1 for a repo is. But that loses the decentralization.)

In case you haven't seen it, http://blog.printf.net/articles/2015/05/29/announcing-gittorrent-a-decentralized-github/ tries to be an accessible description of how everything works.

[dcousens]

Right, so the DHT could still be a DOS vector [albeit difficult and probably unlikely, see below], but that should be the only vector since you rely on the signature associated with the user ID for the latest sha1.

The only DOS hazard I could see is in the event a repository made some critical security updates and published them; and if, as part of a [targeted] attack, a malicious entity sybil attacked the DHT network such that the target would receive an out-dated message, the target target could therefore miss the security update.

[cjb]

Yes, exactly. Specifically, I think that:

• An attacker could perform a Sybil attack on the DHT to return themselves as the only peers for your requested sha1, and then list themself as your peer and serve you garbage data forever (which you'll reject eventually).
• An attacker could perform a Sybil attack on the DHT and then just refuse to answer your request for nodes, leaving you without any legitimate nodes to talk to.

I think there are ways to make these attacks statistically unlikely (of course, they're already unlikely to actually happen) -- I need to read up more about things like DHT quorums, and what percentage of legitimate nodes is required to defeat defective nodes with high probability.

Another thing an attacker could do is serve up files that compress well but expand to fill all of your disk space very quickly, before you've had a chance to see what sha1 you ended up at. If that becomes a problem, seems like you could finesse it by having the signer publish the uncompressed file size along with the sha1, and then terminating decompression early if you exceed that size.

[dcousens]

@cjb could you use a merkle tree for 'chunks' of the download signed by the author?

[cjb]

@dcousens Sure -- or even just a list of chunks rather than a tree. Bittorrent already has some features like that. We have a limitation on signed-statement size (1000 bytes per DHT lookup) at the moment which makes it difficult to experiment with. You can make a linked list out of the statements (sign the hash of the next statement in the list into the first message) but it's cumbersome.

[cjb]

@dcousens Want to close out this one? Any more questions?

[dcousens]

Nope, this answered my question perfectly! Thanks :+1:

[ericwooley]

@cjb In regards the hard drive filling attack, sha1 is block based, so you could get one block of data hash it, then when it's wrong, throw that data out. without needing to fill your entire drive. Or am I missing something?

[cjb]

@ericwooley I was assuming the publisher of the repo would only give you one sha1 value, corresponding to "after you've downloaded every git object and applied it to your tree, your Git HEAD sha1 should be (x)". Adding extra sha1s to the "signed-statement" is expensive due to the 1000 byte limit, so that's why I was going for only sharing a single value. Does that make sense?

[ericwooley]

@cjb Ah i see. That would be on git to deal with wouldn't it?

[cjb]

@ericwooley Yeah, that's right -- we still need to have it in the signed-statement so that we can tell our Git client what sha1 to look for, but once we've done that then Git will treat the download as corrupt if it's sent objects that don't lead to that sha1.