freedomjs / tutorial

Guide for getting started developing with freedom.js
http://www.freedomjs.org/tutorial/

Request to include information about peer discovery mechanism #5

Closed pagalsurd closed 9 years ago

pagalsurd commented 9 years ago

Sorry if this is redundant but I tried reading everything. Since I am new to JavaScript, I couldn't dig into the code much. Also, kindly pardon if this is not the right place to place this request.

Could you please include information about how freedomjs discovers peers?

(My personal interest is in doing so specifically without a social graph like in the queuing tutorial. Since a social network essentially provides a mechanism for authentication, can a cryptocurrency blockchain be used as such mechanism because it provides a bitcoin address which would be equivalent to username and private key equivalent to password? This way we can have a truly open decentralized social network. Even then how to discover other IP addresses? Is the social graph doing more than just authentication and somehow has peer discovery built in?)

agallant commented 9 years ago

Thank you for your interest - this is absolutely the right place for such a request. Peer discovery is definitely very important, and we are also interested in various ideas for more open/decentralized social networks.

Regardless of the social network mechanism, freedom.js handles peer discovery and communication via a social provider - which basically just means some .js file that implements the social interface. For example, the "take turns" app specifies its social provider here: https://github.com/ryscheng/taketurns/blob/master/manifest.json#L12-15

Which corresponds to https://github.com/ryscheng/taketurns/blob/master/external/social.ws.json and https://github.com/ryscheng/taketurns/blob/master/external/social.ws.js - an implementation of the social interface using websockets and depending on a simple server.

An example implementation of the websocket social provider server in Python is: https://github.com/freedomjs/socialrouter

We are also working on a more scalable backend using node.js (https://github.com/freedomjs/radiatus-providers). You can think of Radiatus as "freedom.js in the cloud", with a goal of being easy to set up and run.

But in either case, this social provider is still centralized - it just doesn't require any account. Any freedom.js social provider will have to have server-like properties (basically be generally available and respond to an API) - it doesn't necessarily have to be centralized, freedom.js doesn't care as long as it implements the social API. For reference, that API is: https://github.com/freedomjs/freedom/blob/master/interface/social.json

The idea of using a blockchain to implement a social provider is interesting - I suspect it can help with validating identity, but would probably be difficult (or at least very slow) to use for message passing. It could still be an important element of a decentralized social provider - maybe a way for users to announce their identity and point to a specific protocol/address (e.g. websockets, https://tox.im/ etc.) for more timely communication. For instance, I know that Keybase uses the Bitcoin blockchain to durably record various social identity announcements: https://keybase.io/docs/server_security/merkle_root_in_bitcoin_blockchain

Ultimately, I believe a decentralized social network will only really work when it is easy enough for a large enough group of people to run servers themselves. It doesn't need to be everybody (it'd be nice, but realistically it'll probably be the "geek" of a given family/social group that manages it), but it should be a large enough group that the federation really means something. So it's almost more of a social problem than a technical one, which is why Radiatus is trying to be easy to use, and also the motivation behind e.g. https://sandstorm.io/ and other projects.

Anyway, I hope the above helps, and please feel free to ask more questions. The tutorial is a work in progress so it's very useful to hear what information would be good to add. As I said above, we're also very interested in more robust/decentralized social networks, and believe that freedom.js would work very well with such a network to enable developers to create decentralized applications. One other resource is a recent paper that proposes a possible "private presence service" (https://github.com/uProxy/uproxy/issues/755 links to the PDF and a talk). Definitely an interesting idea, though still a bit untested.

pagalsurd commented 9 years ago

Thank you! This information was very comprehensive and informative.

So a simple answer to my question is that freedomjs discovers peers through a central server such as p2pbr.com as mentioned in the snippet above. Alternatively, one can implement one's own server using router.py.

My aim was to discover a mechanism that truly decentralizes peer discovery. I was thinking something like this:

  1. I introduce you to a truly peer to peer website. This introduction involves me giving you two things:
    • The entire website as a package(html+js)
    • my bitcoin address 'A'
  2. When you open this page in your browser, you input 'A' and your own bitcoin address 'B'. Using already available public blockchain apis, the page queries the coinbase or output scripts of the last transaction done by 'A'. This script holds an encrypted message : My ip address.

Once you know my ip, you could webRTC to me, I suppose. The above is only a one-time handshake so should not slow things down. Whenever I login from somewhere else (i.e., A's ip address changes) the web page detects it and declares so by sending coins, so that B can discover A correctly etc. and so on.

You see some logical flaw in this?

agallant commented 9 years ago

I don't see any inherent flaw, though I do think that the blockchain message is public (encrypted in the sense that you can verify it is from a given address but not in the sense that others can't read it), unless you also exchange some other keypair to encrypt the message with. It's not necessarily a problem that the message is public - just announcing an IP address to the world without context isn't terribly problematic for most threat models, and may even be desired (a "directory" of identity).

The other thing worth noting is that there will be the standard transaction delay when updating status, which isn't a dealbreaker but just a natural cost of the decentralization. I'm sure you're well aware of it, but probably good to make it clear to users that information may take ~10mins to propagate.

Overall though I like the idea, and agree that it could be a nice option for users to have. As I'm picturing it, one eventual goal could be to build a service that makes it easy to use a blockchain-backed social provider (sort of like what Keybase is trying to do with PGP), with likely only "power users" directly using the bitcoin-layer logic (e.g. independently verifying authenticity in the blockchain, etc.). I still think this would be a healthy ecosystem though - even if most users depend on others to handle the blockchain logic, having a system that is based on open and decentralized standards benefits everyone (e.g. the situation of email is imo better than the situation of social networking). And certainly it is fair for an initial use case to develop to your taste - I look forward to seeing where you take this idea, and feel free to continue chatting or sharing your progress. Good luck!

willscott commented 9 years ago

Unless you're doing verification of the blockchain yourself, you're trusting one of the centralized entities like coinbase in much the same way that you would be trusting router.py - your reliability is based on the availability of its API, and you're trusting it to give you complete information.

If you already know the other person's bitcoin address, or have a trusted channel that you can learn it through, you can re-use that for verification, which prevents man-in-the-middle attacks, and lets you create a secure channel. That's super valuable, and similar to the type of thing namecoin is aiming to capitalize.


pagalsurd commented 9 years ago

@soycode You mention 2 concerns:

  1. The IP addresses need not be public. A can encrypt it using B as public key and since B has private keys only they can view it. Thus no other key pair is required.
  2. It is just a one-time process, required only when the ip changes. It need not be 10 mins because we can use other blockchains, e.g. litecoin in 2 mins, some even in seconds. In fact I wouldn't wanna use bitcoin due to multiple reasons.

There is something un-parallel here: what if your email address was a public key and somehow your password was the private key to it? That way, I wouldn't need PGP because my client would simply encrypt the email with your email address as key and only you could read it, decrypting it with your password!

Thank you for your kind words. I am new to programming so how do I go about writing such a handshake layer on freedomjs? Any help is appreciated.

@willscott I did not mean the company Coinbase but bitcoin coinbase. For example if you look at the details of first block ever generated take the string in the "coinbase" field there and convert from hex to ASCII to get the first ever embedded message.

The basic issue is that you can’t allow ‘random open’ peer-to-peer connections because it’s insanely insecure for arbitrary web pages that get to slide past the firewall to open TCP ports to whatever is on your local network. (“bigbooty.com accessing admin:admin@10.0.0.1…”) That turns every web page into a trojan virus, and that would be BAD.

Hence the ‘handshake’ process, mediated by a trusted coordinator. If you don’t have someone willing to introduce you, perhaps you’re not meant to talk.

Our bitcoin addresses can provide this introduction handshake. A could encrypt their IP with B's address and thus only people with B's private key can view it.

Yes namecoin is very similar but too complex. It needn't be. The protocol I propose is much simpler and for free (namecoin requires namecoins)

willscott commented 9 years ago

While bitcoin allows for decentralized trust, it's unclear to me that it can be fully done in the browser. To take advantage of it, you need to run a full client - both for getting blockchain consensus, and to pull the whole multi gig history in order to know the state of coins in order to verify transactions.

So I guess there are two pieces wrapped up in bitcoin:

I did not mean the company Coinbase but bitcoin coinbase (https://en.bitcoin.it/wiki/Coinbase). For example if you look at the details of first block ever generated (http://blockexplorer.com/rawblock/000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f) take the string in the "coinbase" field there and convert from hex to ASCII to get the first ever embedded message.


pagalsurd commented 9 years ago

It can be done in the browser, because APIs are available to query the blockchain.

For example, consider address 1GRtrEGKPwXJTqS3jp8JbZDkLNpZjagCCb (I don't know whom this belongs to but this address writes a lot of stuff in the blockchain) You can query its transactions : https://blockchain.info/rawaddr/1GRtrEGKPwXJTqS3jp8JbZDkLNpZjagCCb

Now simply convert the "out" field's "script" value from hex to ascii and you will see "Its Singapore baby!"

willscott commented 9 years ago

But you are trusting the server at blockchain.info to give you the correct data for that block. If that server goes down, you can't get the info in the same way you couldn't send messages across facebook if facebook was unavailable.

pagalsurd commented 9 years ago

Yes but facebook is one company. Here you can query literally hundreds of such apis and cross-verify to your heart's content.

Let me try to write it. Thanks a lot for your help & I shall seek more support in future. Freedomjs is awesome.
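The two ideas discussed in this thread, decoding an output "script" value from hex to ASCII and cross-checking the answer across several blockchain APIs, can be sketched as follows. This is an added example, not code from any participant or from freedom.js; the helper names, the single-push OP_RETURN script layout and the provider responses are assumptions constructed for illustration, and agreement between HTTP APIs is still not the same as verifying the chain yourself.

```javascript
// Added example: helper names and sample data are constructed for illustration.
const OP_RETURN = 0x6a, OP_PUSHDATA1 = 0x4c;

function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 || !/^[0-9a-f]*$/i.test(hex)) return null;
  const bytes = [];
  for (let i = 0; i < hex.length; i += 2) bytes.push(parseInt(hex.slice(i, i + 2), 16));
  return bytes;
}

// ASCII payload of a single-push OP_RETURN script, or null for anything else
// (wrong opcode, bad length, trailing bytes, empty or non-printable data).
function opReturnText(scriptHex) {
  const b = hexToBytes(scriptHex);
  if (!b || b.length < 2 || b[0] !== OP_RETURN) return null;
  let start;
  if (b[1] >= 1 && b[1] <= 75) start = 2;                      // direct push, length in b[1]
  else if (b[1] === OP_PUSHDATA1 && b.length >= 3) start = 3;  // length in b[2]
  else return null;
  if (start + b[start - 1] !== b.length) return null;
  const data = b.slice(start);
  if (!data.length || !data.every((c) => c >= 0x20 && c <= 0x7e)) return null;
  return String.fromCharCode(...data);
}

// Accept a payload only when a strict majority of all queried providers agree;
// providers that return junk or nothing still count against the majority.
function majorityAnnouncement(scriptsByProvider) {
  const scripts = Object.values(scriptsByProvider);
  const votes = new Map();
  for (const s of scripts) {
    const text = opReturnText(s);
    if (text !== null) votes.set(text, (votes.get(text) || 0) + 1);
  }
  for (const [text, n] of votes) if (n * 2 > scripts.length) return text;
  return null;
}

// Constructed sample: one announcement as three providers might report it,
// plus one provider serving a different payload.
const toScript = (t) => "6a" + t.length.toString(16).padStart(2, "0") +
  [...t].map((c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const sample = {
  providerA: toScript("Its Singapore baby!"),
  providerB: toScript("Its Singapore baby!"),
  providerC: toScript("Its Singapore baby!"),
  providerD: toScript("Its somewhere else"),
};
console.log(majorityAnnouncement(sample));
```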