Solving Sybil attacks in the Web of Trust


#1

Since I’m a big fan of MaidSafe myself, and am really looking forward to a more decentralized, secure, and privacy-friendly Internet, I wanted to share this information with anyone at MaidSafe who might be interested in this topic.

Currently Martti Malmi (first dev after Satoshi) and myself are working on Identifi [1], a decentralized and privacy-friendly alternative to identity management and/or centralized parties who handle our reputation (especially in the future… I’ve seen some pretty scary promo videos of the year 2020 thus far). It is currently in its alpha phase [2].

We believe that Identifi solves Sybil attacks on the Web of Trust (read: online trust among humans) through white-listing, identifier verification, rating, and reputational incentive (== financial incentive).
All of this without using Bitcoin’s blockchain, though it is a fork of the Bitcoin daemon. This means that it does use Bitcoin’s crypto, CLI, etc.

Since I don’t want to be advertising Identifi itself too much over here (I could talk about it for hours), and am here to explain how we think Sybil attacks on WoTs can be solved, I’m now willing to answer any of your questions!

[1] GitHub: https://github.com/identifi/identifi
[2] Alpha version: http://identi.fi/


Reputation Systems
#2

Where does information get stored?

Also, how do you and/or Martti see Identifi fitting into MaidSafe as an app?

It is interesting to see this.

Also, how do these fit in with the security/decentralization model? (fb, twitter, google)


#3

It’s a decentralized P2P network.

The idea is that users choose which nodes to trust, and their identifiers & ratings (identities & reputations) will be stored only on those nodes. In the future we’d like to make this distributed, so that any device can run as a node. In that case, you could store your data only on devices of the people you trust.

At the moment it’s still in alpha, so the data is stored on our node, unless you decide to set up one yourself.

It uses Bitcoin’s crypto, so I’d say that’s pretty secure. Next to that, the system doesn’t need to store any sensitive information, since it only bundles already publicly available info.

MaidSafe could either set up their own Identifi node, or simply apply the same technique we apply. It’s open-source.


#4

Yes, perhaps even storing the data in a distributed manner on the SAFE network. This way people could access their trust connections without needing to trust the storage location, which would prevent tons of compromise.


#5

Great example :)

The SAFE network could at the same time use it to decide whom to propagate data to / accept data from.


#6

PS: We’re planning on implementing BitAuth, one-way authentication, which is much more privacy-friendly than what we currently use.


#8

Thanks for posting Tim, much appreciated. My question is more high level. Why do you prefer a web of trust model as opposed to a trustless model? We have also given some consideration to Sybil attacks on the SAFE Network; did you have time to review this?


#9

Thanks for sharing that. I’ve just read it and want to conclude with: If you can use a trustless model (i.e., Nakamoto consensus), definitely use the trustless model. At any given time.

Though when it comes to humans trusting humans, for example, it’s very hard to automate that. This is why we came up with a white-listing principle, whereas most other systems try to detect Sybil nodes through black-listing and search & discovery.

In the case where you’re dependent on human trust, this can’t be fully automated yet. Therefore, we chose to start with the white-listing principle, to then add algorithms to help you find the people you trust. This way, we organize/bundle already (publicly) available information and make it easier for anyone to find parties they trust, through the verification of identities they already trust themselves. I sometimes jokingly call this “Proof of Human”.


#10

One idea for the SAFE network, could be that nodes can choose what other (groups of) nodes to trust. This way, it’ll only accept specific instructions from the already trusted nodes. Finding more trustworthy nodes to propagate info to should become much easier this way.

Next to the attack avoidance that’s being proposed there, you could add a white-listing principle + algo like we’re doing, or simply attach one or several Identifi nodes to the network. It’s not a matter of either one or the other; it could be an additional check/verification.
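
As an added illustration of the white-listing principle described in #9 and the "accept instructions only from trusted nodes" idea in #10 (this is example code written for this page, not Identifi's or MaidSafe's own implementation): the block below expands a user's own whitelist outward along positive ratings for a bounded number of hops, blocks anything a whitelisted identity rated negatively, and contrasts the result with a naive popularity score. Assumptions are labelled in the code: ratings are `(rater, ratee, value)` triples whose signatures have already been checked, values are +1 (vouch) or -1 (distrust), the seed list is the local user's whitelist, and the identities (`alice`, `bob`, `sybil0` ...) and the `max_hops` limit are constructed for the demonstration.

```python
"""Whitelist-style web of trust versus naive popularity.

Added example (not Identifi or SAFE code). Assumptions: every rating is a
(rater, ratee, value) triple whose signature has already been verified,
value is +1 (vouch) or -1 (distrust), and the local user supplies a seed
list of identities it trusts directly (its whitelist).
"""
from collections import defaultdict, deque


def build_graph(ratings):
    """Adjacency list: rater -> [(ratee, value), ...]."""
    graph = defaultdict(list)
    for rater, ratee, value in ratings:
        graph[rater].append((ratee, value))
    return graph


def compute_trust(seeds, ratings, max_hops=3):
    """Breadth-first expansion of the seed whitelist along positive ratings.

    Returns (trusted, blocked): trusted maps identity -> hop distance from
    the seeds; blocked is the set of identities some trusted identity rated
    negatively. Nothing is propagated through a blocked identity, so a
    negative rating from a trusted rater overrides any positive path to the
    same target. Seeds are never blocked. Identities reachable only through
    each other (a Sybil cluster) never enter 'trusted', however many ratings
    they exchange.
    """
    graph = build_graph(ratings)
    seed_set = set(seeds)
    blocked = set()
    while True:
        trusted = {s: 0 for s in seed_set}
        queue = deque(seed_set)
        while queue:
            rater = queue.popleft()
            hops = trusted[rater]
            if hops >= max_hops:
                continue
            for ratee, value in graph.get(rater, []):
                if value > 0 and ratee not in trusted and ratee not in blocked:
                    trusted[ratee] = hops + 1
                    queue.append(ratee)
        # Negative ratings issued by the identities that are currently trusted.
        newly_blocked = {
            ratee
            for rater in trusted
            for ratee, value in graph.get(rater, [])
            if value < 0 and ratee not in seed_set
        }
        if newly_blocked <= blocked:
            return trusted, blocked
        # Blocking can shrink the trusted set, so recompute until it is stable.
        blocked |= newly_blocked


def popularity(ratings):
    """Naive score: sum of all incoming rating values, regardless of who rated.
    This is what a Sybil cluster can inflate at will."""
    score = defaultdict(int)
    for _, ratee, value in ratings:
        score[ratee] += value
    return dict(score)


def accept_from(trusted, messages):
    """The filter from #10: keep only messages whose sender is whitelisted."""
    return [m for m in messages if m[0] in trusted]


def constructed_ratings(n_sybils=50):
    """Constructed sample data for the demonstration (not real identities)."""
    ratings = [
        ("alice", "bob", 1),
        ("bob", "carol", 1),
        ("carol", "dave", 1),
        ("dave", "erin", 1),        # erin is 4 hops from alice: past max_hops
        ("alice", "mallory", -1),   # alice explicitly distrusts mallory
        ("bob", "mallory", 1),      # ...even though bob vouches for her
    ]
    sybils = [f"sybil{i}" for i in range(n_sybils)]
    for s in sybils:
        for t in sybils:
            if s != t:
                ratings.append((s, t, 1))   # the cluster vouches for itself
        ratings.append((s, "mallory", 1))   # ...and for mallory
        ratings.append((s, "alice", 1))     # rating a real user gains nothing
    return ratings


if __name__ == "__main__":
    ratings = constructed_ratings()
    trusted, blocked = compute_trust(["alice"], ratings, max_hops=3)
    pop = popularity(ratings)
    print("trusted from alice:", trusted)      # alice 0, bob 1, carol 2, dave 3
    print("blocked:", blocked)                 # {'mallory'}
    print("popularity mallory/sybil0/dave:",
          pop["mallory"], pop["sybil0"], pop["dave"])   # 50 49 1
    msgs = [("sybil3", "store this"), ("carol", "store that")]
    print("accepted:", accept_from(trusted, msgs))      # only carol's message
```

The point the numbers make: fifty fake identities give `mallory` and each other a popularity score far above any honest user, yet none of them is reachable from `alice`'s whitelist, so neither the trust computation nor the message filter is affected. The only way into the whitelist is a positive rating from someone already on it, which is exactly the "verification of identities they already trust themselves" step in #9, and a single negative rating from the seed outranks the cluster's fifty positives. The hop limit and the "negative from a trusted rater wins" rule are policy choices for this example, not something the posts specify.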


#11

@Tim I’m not sure you realise that SAFE already uses a trustless model (non-blockchain technology called ANT Tech for Autonomous Network Technology).

I still see your WoT feature as useful at the human level - for apps. There are already threads on the forum debating the value of “reputation systems”, but very little so far on how it might work. So I hope your ideas can find a place there, even if they are not needed to secure the network itself.


#12

I am very interested in MaidSafe, though I haven’t had the chance to study all of the whitepapers + documentation yet. I’m still learning and love to learn more about both MaidSafe and ANT Tech.

I do see a future application where the Identifi network uses MaidSafe’s Proof of Resource to help allocate data (identities & reputation) on devices of people you trust yourself. I’ll get back on this once I’m more familiar with your project, and a bit further with our own.

Thanks for all of your feedback thus far, I’ll go look for the topics on “reputation systems”!


#13

“David Irvine explains MaidSafe - Seattle Google Tech Talks”: this is a great video explaining MaidSafe by David Irvine in 2008.


#14

Thanks for all your input Tim. Our documentation is quite spread and the network design and concepts quite vast. In the interests of giving interested parties explanations of the network quicker, we have been working on revising our system documentation which consolidates much of the network explanations. This will be useful for you and should be live in about 1 week. I’ll create a new thread and post the link there as soon as it is available.


#15

First of all, great video by David Irvine, to which @dallyshalla referred. It gave me a few new insights into the philosophy behind MaidSafe. It sounds logical, and relevant, for a system that’s so dependent on organic growth.

Next to that, I’ve continued, and will continue reading into MaidSafe and all of its documentation. I’ll make sure to find the more relevant topics (already found a few, still reading through them), and then see if there’s something practical I could do to help out.

Thanks so far for all of your constructive feedback, and again, keep up the good work!