Some people assume that if you use a file-sharing BitTorrent-like program, then you must intend to pirate something. That’s hardly true, as one of the first instructional steps when taking an online penetration testing class is to download uTorrent to handle some “large” programs you will need for ethical hacking classes. It’s not required, as you can otherwise download security tools, just suggested. But no matter what you what want a BitTorrent client for, you – via your IP – are not anonymous when using it without taking additional steps such as using a VPN or proxy.
Tribler, created by Delft University of Technology researchers about a decade ago, is now conducting a public test of its BitTorrent client aimed at providing anonymity. To accomplish anonymous downloading, Tribler has incorporated Tor-like onion routing. “We now support a subset of the TOR onion routing protocol,” Tribler explained. “Our custom onion network is enhanced to allow everyone to function as a relay. Even people behind a restrictive NAT box can join and help others protect their privacy.”
Tribler leader Dr. Johan Pouwelse told Torrent Freak’s Ernesto, “The Tribler anonymity feature aims to make strong encryption and authentication the Internet default.”
BitTorrent users have no privacy protection. In explaining how Tribler works, the team noted in step two, “By using one proxy layer, all downloads now go through other computers. All direct contact with the Bittorrent swarm is gone. The proxy layer is simply a set of computers that relay messages between you and the Bittorrent swarm. However, you need to fully trust all these selected proxies, they can see exactly what you download. The proxies encrypt the data, only you can read it.”
Tribler added three layers of proxies to enhance privacy as explained in step three. “Three layers of protection make it difficult to trace you. Proxies no longer need to be fully trusted. A single bad proxy can not see exactly what is going on. The first proxy layer encrypts the data for you and each next proxy adds another layer of encryption. You are the only one who can decrypt these three layers correctly. Tribler uses three proxy layers to make sure bad proxies that are spying on people can do little damage.”
Several “darknet streaming” functionality goals were previously listed in Pouwelse’s comments on GitHub, which include eventually making the seeder anonymous as well. Seeders are currently unprotected, but in future “fixes” to Tribler:
Uploading is just as anonymous as downloading with hidden seeding. We will add proxy layers for the seeder, similar to steps 2 and 3 above. The beauty of hidden seeding is that it can encrypt the content already in such a manner that only the downloader can read it (end-to-end encryption). This creates a darknet that is quite safe.
Almost 2.5 years ago, Tribler’s lead researcher told Torrent Freak, “The only way to take it down is to take the Internet down.” As Ernesto put it, “Even if all torrent sites were shut down today, Tribler users would still be able to find and add new content.” Add enhanced privacy to the point of anonymity to that mix and surely it’s something worth supporting by participating in the Tribler test?
Trbiler is not using the Tor network; using BitTorrent services over Tor can be done – even when using Popcorn Time – but it is generally not a good idea (pdf). Some people suggest trying it over I2P, but in July it was a vulnerability in I2P that allowed Exodus Intelligence to de-anonymize Tails users.
There’s no guarantees, of course, and that goes for staying “anonymous” with Tor as well, such as was pointed out in “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries” (pdf). But if you like the idea of darknet streaming and anonymity, then it would be great if you help Tribler test the anonymous download feature.
The disclaimer warns, “Do not put yourself in danger. Our anonymous download feature is not yet finished. This version of Tribler automatically downloads a single 50MByte test file anonymously. We are sharing the design and code so that the community can test and evaluate it. This helps us make sure that it’s as secure as it needs to be before people start relying on it.”