Portability of safecoins (to other devices or other users)?


Hi, let’s say I want to run a vault just at home, but not on my mobile phone. Is it still possible to benefit on the mobile while on the go from the safecoins accumulated at home?
Secondly, let’s say I want to communicate with a friend who - f.ex. for security reasons - can’t permit himself to run a vault at all, not having an Internet connection at home and it being too dangerous for him having one run on his mobile. Is there a way for me to transfer to him some of my own accumulated safecoins so we can stay in touch?


Yes, your account can be accessed from any device.

Yes, transfers to any account (even temp accounts) are free.


Great, so how does this work in concreto (I guess he still has to create an account)?
Secondly, let’s say this doesn’t pass censorship. Is there a way to hook up to safenet through let’s say some kind of obfuscated (but not prohibited) connection like domain fronting?


Can you rephrase that, I have no idea what it means :smiley: :smiley:


I mean what does the other side have to do in order to get my safecoins ?


Just let you know the address they have created. You send the coins to that and it is complete. If they are creating an account they can use that address to complete that process or they can accept the coins to any address in their account and swap between those as well. The addresses can be private or public, all depending on your use case. It is also possible to have multiple addresses per account, some private and some public. Therefore you have all the freedom you require to be as private or public as you wish, per address.


Btw, slightly related:

Someone had the idea of sending safecoin somewhere, which can be claimed by using a code, and which at the same time pays for setting up the account needed to claim it.

This seems to me like a very practical solution to the hen and egg problem.

What do you think @dirvine?


ok, so I suppose this is an option built in the safebrowser ?

Is there anything scheduled in safenet in case of censorship ? Any plan B ? Something like bridges as for Tor or anything the like ?


I cannot follow what you mean here, SAFE is the project to avoid censorship, this is why the current crust tests and focus is on encryption and home devices traversing firewalls and NATs securely. A huge part of the reason to exist is freedom in a digital world, aided by the privacy and security the network offers. It should be well beyond TOR or VPNs.


well, the thing is, how do you know it’ll be able :

  1. to bypass DPI which knows how to distinguish between Tor flux, https and SSL (VPN).
  2. to be able to do so without arousing suspicion from censors.


This is a wee bit of a hostile way to ask chap, just FYI.

There are many ways to “hide” in other traffic, but here

you even suggest using some of those transports (I assume you do not mean those full services) and that would be an additional way, as you suggest.

Are you suggesting that DPI can do a deep analysis of entropy or similar to categorise the encryption mechanism and then infer the service in use? Or do you mean something else?


Well, I really didn’t mean it that way. The way I intended was: how can you be sure beforehand, as the network hasn’t really been tested out in those settings yet. We’re on one side, the DPI is on the other. The problem is that the mere fact of just trying it out, by trial and error, can already be compromising for certain people if the safe traffic is being detected as something anomalous, especially because most of those people have just their cellphone, and as such, even when connecting to a public wifi, their IMSI and IMEI are already known and so is their identity, because one can’t get a SIM card without an ID card.

Yes, DPI can distinguish between different types of traffic. It’s powerful enough to distinguish a ‘normal’ https connection (as for commercial transactions) from SSL (used by VPNs). In the latter case, if the VPN isn’t already blocked (it will be…), it knows you’re using one, even though your traffic is encrypted. You’re already giving yourself away, and again, when doing so on a cellphone, it’s exposing yourself…

F.ex. Tor ‘over there’ is prohibited. The only way to get into the Tor network is by the meek_bridge, using Azure servers as domain fronting. It gives some degree of security as the DPI thinks you’re just connecting to one of those permitted servers, while in reality they’re a relay for the Tor network and act as the entry node. Obfs4 bridges are much more dangerous, as you can’t know beforehand which one is already blacklisted or will be in the future (and in the latter case, censorship can trace it back to you retroactively).

So as you see, even if safe would work OOB when it’s launched (because it isn’t known yet), as everything is logged, once it’s detected as being a censorship bypassing means, it can be traced back to the ones that did test it out in the beginning. So basically is it possible to use Safe in an anonymous way even for the DPI ?

Censorship resilience, from a ‘real-life-case’ point of view is not merely

  • the technical ability to punch holes in an omnipotent firewall (which is a prerequisite of course)

but especially

  • the ability to do so in a way that it stays ‘unnoticed’ by the DPI and not just on the spot, but also retroactively, and this - IMHO - is actually quite a challenge…

But it would cause me sleepless nights suggesting ‘safe’ means to people ‘on the other side’ (even if they don’t run a vault themselves and just getting safecoins) transforming them in potential guinea pigs just to test that out.

So I was just wondering whether this had been addressed when forging the safe network, that’s all…


Cool, no worries.

That was not my question really.

Yea, this is all a cat and mouse thing though, many changes happening with aws azure etc. to prevent them from being used like this. We should not get involved in that game.

Yes, I believe that it is. There is a lot that can be done, but it starts with what we are doing, encrypting everything, multiple routes and dynamic bootstrap nodes etc.

I think you can take it as a given we all know this :wink:

It is for sure, but again I say it needs the foundations in place.

Nobody is going to do that. However your OP was about getting safecoins to people, that can be done via many mechanisms. This tangent into IDS is interesting though, but not new. It is an ongoing issue to consider, but dynamic bootstrap nodes, multiple routes, differing entropy scores and so on all make a huge difference.

Yes, I hope you will see, at some length. It is a super important matter and there is so much more in the tubes right now with bulletproofs, starks and the like. I am sure it will evolve, but well beyond a cat and mouse game. We defo do not wish to mask/get uncovered and repeat.


ok, well, I’m crossing my fingers…

Correct me if I’m wrong, but I understood Safe will actually be using ‘ordinary’ https connections, is that right ?

Concerning the safecoin transfers, can you give us a bit more information about how this could be done ? I suppose the ‘normal’ way would be some kind of transaction over two online safebrowsers, is that correct ?

Any details (without saying too much) about this ‘dynamic bootstrapping nodes’? How should I conceive those?


No, it doesn’t use any of that. The browser handles ‘safe:’ protocol requests by routing them through SAFE’s own totally encrypted routing protocol. Suggest you read the safenetworkprimer.com as it answers this and similar questions.


Ok, I recall having read that document a while ago.
So, for example on p. 17, it is stated that a client or vault will have to connect to a Maidsafe bootstrap server, run by Maidsafe. This sounds very similar to the Tor directory servers. The encryption for these hashed chunks is AES, right? The public keys are hardcoded in the client software. Ok, but how will this request appear to the DPI? Why would it not appear as something anomalous as it’s a proprietary protocol it doesn’t identify as being something permitted?
Let’s imagine for a moment it does get blocked. Then what? How should I understand the expression ‘dynamic bootstrapping nodes’? Is this like how psiphon works, like having thousands of VPN servers scattered over the world with a double connection: one SSL and an obfuscating outer layer as an http request in order to spoof the DPI?
Thanks for any light on this.


Not really, these hard-coded nodes are akin to the Skype bootstrap nodes pattern. Used only for new installs and never again. Even then they do not need used at all if you are given a bootstrap cache file from a friend etc.

There are really huge amounts of threads on this forum going into this in some great depth if that helps.

They 100% will through time.

Think Skype and how they collected bootstrap node information.

No worries.


ok, so for that matter it’s actually more akin to obfs4 private Tor bridges ?

Ok, so if they do get blocked progressively, may I infer from that that you do conceive them being detectable and thus identifiable as Safe bootstrapping nodes (either seed nodes or endpoints)? If so, won’t we run into the same problem we’re having precisely with those obfs4 private bridges, i.e. not knowing beforehand whether they’ll work or not and if the latter, meaning they’re already blacklisted, and if the former, they can be so later on and be traced back to the one that used them when they were still whitelisted?

As you stated before, this is basically a never ending cat and mouse game, but I’d rather not be the mouse… :wink:


They will be likely published in the code of the binaries or config files and detectable.

Well in a way we will. The key here is to be able to receive the info on bootstrap from many sources you trust and do so easily.


Well, wouldn’t that make them resemble the integrated obfs4 bridges in the Tor Browser Bundle itself? Those are the very first ones that get blacklisted for sure !
Maybe this is where it might be interesting if maidsafe could maintain a number of private, hidden and hashed bootstrapping nodes one could obtain f.ex. through a captcha using domain fronting.

That makes me ring a bell. Basically, the only really sure way in that case would be to manually set a seed- or user node you trust, i.e. the one that’s from a friend running a vault outside the DPI. That would be a similar setting to an obfs4 bridge for Tor a friend would run.