We are looking for security experts to double check/triple check/audit our protocol designs.<p>So if you know your crypto and you are intimately familiar with Alice and Bob, please lend us a hand and take a look at the protocols. Our discussion forum has a special section for security and protocols where you can post your comments.<p>Thank you!
This looks to be very similar to Freenet[1] - basically a specialized, distributed network that runs on top of the internet but has its own server/client infrastructure.<p>Does Avatar serve pages over plain HTTP(S) like Freenet, or is there some other magic here?<p>[1] <a href="https://freenetproject.org/" rel="nofollow">https://freenetproject.org/</a>
I think this would be a much more interesting project if it was to put a great interface on top of the Freenet protocol. Encryption and anonymization on P2P is very hard, and building on Freenet as a basis for the plumbing would speed the time to a deliverable and build on existing technologies rather than reinvent the wheel.
Do I understand correctly that browsers obtain source code through bridge (local HTTP server?) from Avatar network or is it downloaded traditionally?<p>EDIT (from here to end):
to clarify - my question is to assess security of the 'runtime' - if it's downloaded from the server what is there to stop malicious party from compromising the server and sending modified verification code?<p>Would it be downloaded through the bridge then (and only then) verification with block chain could be done on received updates (providing first d/l wasn't compromised). User browser would then access files exposed by the bridge.<p>At least this is how I imagine it but the OP overview is light on details.
It's interesting that they're using secp256k1 (as Bitcoin does) for performance reasons (regarding Bitcoin, Satoshi mentioned in early messages that he did choose EC because it would help keep the size of the blockchain not too big). I wonder if Bitcoin's use of EC is "giving a boost" to EC...<p>Anyway... TFA states this:<p>"We are aware of theoretical weaknesses in secp256k1"<p>What are the theoretical weaknesses in EC secp256k1?
I wrote a clarification about how Avatar is an operating system and about how it runs on a browser at <a href="https://discussions.avatar.ai/topic/18/what-makes-avatar-an-operating-system" rel="nofollow">https://discussions.avatar.ai/topic/18/what-makes-avatar-an-...</a> - I hope this clarifies a bit what we are trying to accomplish with Avatar.
I like the initiative to tackle against what the NSA is doing, but I'm seeing many projects that just seem to overdo it.<p>You will have better results by going out and educating people about how technology works than inventing a internet-obscurity-security sort of thing.<p>On top of it, if the NSA can detect who encrypts its traffic the most, who use what OS, what browser, if that person has used PGP, etc, it just needs to monitor this person a little bit more.<p>I don't want to sound cynical, but I wish I could see programmers work on solving real problems, like economical ones: you'll be surprised how miscommunication and lack of information spreading can worsen situations.<p>Many people seems to criticize facebook, why am I not seeing anyone reinventing the social network ? I'm not talking a website like diaspora or google+, but anything which is designed for making the economy work better. Like a craiglist for masses, but more efficient and relevant.
Wait, so this is a browser-in-a-browser?<p>How the fsck is that in any way an OS?<p>>"We believe it's not your job to keep track of what social networks your contacts use. With Avatar you simply just write a message and the system takes care of delivering the message to your friend. You can use your Avatar to communicate "cross-border" with other social networks like Facebook or Twitter."<p>I saw someone mention this yesterday on HN for another service, but I'll say it here. This seems like a huge WTF, as people separate services for a reason. If I want to talk to someone on facebook, I might not via email, or via a different email address to the default. See: Google recently outing a trans person who used different services for different identities.
Can you link to your source code? Have you given any thought to using the GNU Naming System to smooth over some of the usability problems with public keys? Are you familiar with unhosted.org, and their use of Oasis.js to partially solve the problem of running untrusted js in the browser?
I worry about storage performance. Why use a DHT? Could you get away with using cloud storage to host the signed and encrypted data? Also, are you worried about Sybil attacks on the DHT?
Technically I love new plans in this space.<p>However, it seems that this requires a lot of people using it to be useful (network effect)? Is there a plan for getting this used by people?
<i>The guiding goal has been to create a portable, easy-to-use layer on top of a browser</i><p>I can't help thinking they're looking at this the wrong way round.