Having a backup is important, don't get caught without one! : Dread | Torhoo darknet markets
The amount of request for PGP purging on Dread because user's forgot to backup their PGP is far too high! If you don't have a backup, you should make one right now. While we are talking about backups, due to the rise in DDOS attacks, you should all also have a backup of Dread URLS.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dread's URLs are:
Tor: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion
I2P: http://dreadtoobigdsrxg4yfspcyjr3k6675vftyco5pyb7wg4pr4dwjq.b32.i2p
Signed by https://torhoo.cc/go.php?u=TDNVdlVHRnlhWE09#'s PGP key
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbfleES3oPdbct1q5DE1JcU+sN9gFAmLDj+0ACgkQDE1JcU+s
N9js2w/9GWLKhsx9WNT4HwvHrdki35/7xFypAsnEEaLtDMoe94ERm1+ecM8EZHiR
5kPMfSejqvTP5tL/HlLcrQM0H2soz5o/HoN/swez5t3LlCwwr1e2H+SCDvgrXKNi
y4KxevySJtvTxMtd2C8grUHtS+JNDFOS6vlmsapyey3/kKd9KFIzYqo8V0473N0B
0gGAVBQzX+GJup4u0Vf+TxyB2ELDZIY7L7GwNCxjhif2lPanS6LHe9Joro5KhkGR
YVWJcgwz7x7m0e7EqCqEeOITt4qIn3wkAAHb7S8rqkcg4SrFUvuwlkUss+l3RS6g
plv3oVQtsh6kJ9rAhgmUOBrLY8oBxxPmZSUQYmcXtAQes13pfSY9lwFKkPDvmT4H
nxK10oh3h+gO2Z0c9FYeUn7VNY/MFQoZfYBAyiFn/i32UJj2fuuK8Wju0fIoYS63
ykV0zniiqdn3kwL1VEk6X29DJZGgIRfb4WyZs4XjaQZyFD32PecfsnixEQRQl+z+
pYdo+niY/tPNKdOzxLCfHOBj6cVCmdRSAz0chfozo4pF79mm1edLBHKi2XxEcXfq
pCiu/rLb2fKwJOYHEMxWuAkRx+UBx3TvdlojOyuqrxWWa4tZ3PlicjXQCS9wqFo9
DJyeRaEjQg+AT2uv0TrbFZvPhJLood6Xkg53vWHkZdThmIsaixY=
=7RuG
-----END PGP SIGNATURE-----
Dread is accessible both on Tor and I2P. Being that the attacks are all on Tor's hidden service side this post will focus on how to get setup on I2P the easy way. The vast majority of people who visit Dread do so on the Tor Browser. Did you know there is a I2P browser as well? It's true.
https://torhoo.cc/go.php?u=YUhSMGNITTZMeTluYVhSb2RXSXVZMjl0TDFCMWNuQnNaVWt5VUM5cE1uQmtZbkp2ZDNObGNnPT0=#
Getting setup is super easy! You can go to either the
⚠️releases⚠️ section to grab the latest version or compile it yourself if you are inclined (for non-windows versions make sure to update the build script firefox version). If you are on windows the fastest way to start is download the .exe version, run, and extract to a directory. You can then boot it up just like the Tor Browser. That's it. Due to how the I2P network works the longer you use it the faster it becomes for you. So it might be slow at the start but if you give it an hour or two it will start to load faster.
Best part? No EndGame captcha on Dread's I2P version. Plus with the forever cookie set you won't need to sign in again if you do close the browser. It is far more convenient.
There is a warning though. I2P's network works completely different from Tor. When you are on Tor you only directly connect to a small amount of nodes. Your request goes in and a request comes out. This means your surface area to those who know you are connected to Tor just the authority servers (you get the descriptors from) and your guards. You are a user of the network but not apart of it. I2P has a different system that is closer to P2P torrenting. This has a lot of benefits but also some drawbacks. Unlike Tor which tries that mask you are using Tor (bridges, limited guard nodes, and all that) I2P
does not hide you are using I2P.
By running I2P on your system it becomes apart of the I2P network. If you don't want people to know you are using I2P you need to proxy it locally from another server or use a VPN. The network is completely distributed and self organizing. It is specifically designed for hidden service connections and can be much faster and more resistant to DDOS attacks assuming equally high participants and capacity in the network. By running I2P you are increasing the network capacity and resistance to attacks. Unlike Tor where the more users creates more drain on limited network's resources.
I did the math today. If just under 10% of the users on Dread daily ran a I2P server we would have a larger footprint than the totality of the Tor network. That doesn't mean we would have the same capacity but due to the reduced load on the I2P network, compared to Tor, the connection would be more reliable and likely much faster. There are a lot of benefits to it. Give it a chance just to check that the backup works as planned if the Tor site goes down.
I get the appeal of I2P (better reputation/less well known, darknet-first design, greater functional utility and flexibility, etc), and the problems with Tor (ONI/14 eyes funding, exit node surveillance, likelihood that majority of nodes are compromised, large amount of attention from NSA/GCHQ/etc)
However, that said, I feel there are some big drawbacks to I2P from our perspective.
For starters, there is no dedicated secure/sandboxed browser. By contrast, TBB is pretty adequate, and available on all linux/BSD flavors without any serious compatibility or usability issues.
Another thing is the untested nature of the I2P network security. Tor, for all its drawbacks or concerning issues, is pretty well battle tested. We know its strengths and limitations. I2P, however, could have all kinds of 0days that just aren't known yet due to lack of use etc. The project is at an earlier stage of development, adoption, and visibility...and that cuts both ways. It's a blessing, and a curse, depending on the aspects you look at.
I2P is also primarily meant to share files as a slow, but more anonymous alternative to torrenting. The relevant result of this is that I2P isn't really designed or intended for high security applications, as much as it is intended for use cases prioritizing anonymity (and privacy to a lesser degree). Security is no less crucial than anonymity and privacy when it comes to darknet activities. So, this may be a conflict of design goals. However, there is no perfect triangle when it comes to P/S/A
I2Prouter is also meant to be running all the time. This isn't necessarily a bad thing, but it can mean that DNM related activity of an end-user (customer, vendor) can potentially be more exposed to the network than when that end-user uses Tor.
These are just some abbreviated thoughts I have. What do you all think about this?
BTW fuck the main i2p java implementation. It is complete trash. They need to stop putting future resources put into that version. It's far too dated and too unperformant to be used in modern computer systems.
i2p was released back in 2003. While i2pd was released in late 2014. These are not early stage developments that have no tests. They are mature programs built on dated and detailed specifications. The logic behind their network is sound and if properly integrated (which from what I see they do so) it's a reasonably secure network. I wonder where you are getting these main use cases from. I2P's first development was for private IRC chats (which is still functioning almost 20 years later). It is a universal anonymous network layer. What you choose to do on it is really up to you. But unlike Tor, which is designed to anonymize where clearnet traffic is coming from, that made onion sites as a example you can build things on top of the network; i2p was designed for traffic WITHIN the network. It doesn't treat hidden sites as a kind of second rate feature. It is a first class citizen within the network. As more people use i2p the network gets more resistant against attacks while becoming more performant. The reason why you can't torrent over Tor is not only because torrenting does leak information (via the clients) but also is because there is a finite amount of resources on the network constricted within a relatively small pool of nodes. The more people who use it, the more the weight of the traffic weighs on the network. Until it collapses on itself.
i2p is designed to be run as much as possible because every single person who runs it provides extra protections and bandwidth. It also helps masks their own traffic when they do start using i2p occasionally. Think of it this way. Unless you are connecting to a bridge or VPN (which would just put monitoring on the VPN end) your ISP can see that you connected to a tor guard node at a specific time and place. While they can't tell what you are doing, they can see how long you have been using it and how much bandwidth you used. To me that makes you more exposed in the event your ISP is spying on you to make profit off your traffic or by order of your local government. It also makes it possible just to block connections to any tor node on the network (which many authoritarian governments do). All tor nodes are public to block.
This isn't the same for i2p. By just running it you are providing a real benefit to both yourself but other participants in the network. With enough scale it would be impossible for people to get a complete graph of the i2p depth. So if you really think about it, end-users are better protected against these traffic timing attacks and exposure.
Now I won't say there isn't potential of 0days (there is always potential 0days). But that is the reason why you run it on a separate sever and just connect into it when you need it. It should be professionally audited? Yes. But it also should be written in Rust before that point.
On the point of not running torrent over Tor, are you concerned about attempts to route I2P over Tor (e.g., running it on Tails)? Is this overkill? Is this good practice? Seems to me it will stress the Tor network more with little in return.
It's just that people, don't want to step out of their comfort zone.
Just like people, in the beginning, didn't want to believe in BTC.