From 7c728f25036c6b039b19429e380d62368c5d9109 Mon Sep 17 00:00:00 2001 From: Aditya Shankar Date: Mon, 3 Aug 2020 17:44:35 +0530 Subject: [PATCH 1/2] improved README to include events/mitm warning --- README.md | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3c14142..d763a52 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,10 @@ Works in both browser & node environment. * JSON messaging system * Send & Respond to messages in a chain using Promise +## MITM warnings + +- **ensure** you use trusted trackerAnnounceURLs/keep the communication encrypted by some other means, notorius entities could put deceptive trackerAnnounceURL's and read the data that goes through + ## How Does It Work ? The [amazing WebTorrent](https://webtorrent.io/) library created a new kind of Torrent Trackers called "WebSocket Trackers" also known as "WebTorrent Trackers". Some torrent clients can use these new trackers to share files. 
@@ -30,7 +34,21 @@ How do we find peers for torrent to download ? We use a magnet link. That magnet Similarly, to build our apps, we use a identifier. This identifier is converted to a valid Info Hash and sent to our **WebTorrent trackers** who will give us a list of **web peers**. These web peers would be the other users also using our app : ``` -var p2pt = new P2PT(trackersAnnounceURLs, 'myApp') +// Find public WebTorrent tracker URLs here : https://github.com/ngosang/trackerslist/blob/master/trackers_all_ws.txt +var trackersAnnounceURLs = [ + "wss://tracker.openwebtorrent.com", + "wss://tracker.sloppyta.co:443/announce", + "wss://tracker.novage.com.ua:443/announce", + "wss://tracker.btorrent.xyz:443/announce", +] + +var p2pt = new P2PT(trackersAnnounceURLs, '') + +// some available events, to see all events/an in depth documentation see https://github.com/subins2000/p2pt/blob/master/api-docs.md + +p2pt.on('trackerconnect', (tracker, stats) => ...) +p2pt.on('peerconnect', peer => ...) +p2pt.on('msg', (peer, msg) => ...) ``` And that is how P2PT works. @@ -48,4 +66,4 @@ Add yours here ! Send a PR ! ### Simple Example -Open [this webpage](https://codepen.io/subins2000/pen/MWKwRYJ) in two separate browser windows. You'll see the messages. It's a codepen, you can fiddle with the code there. \ No newline at end of file +Open [this webpage](https://codepen.io/subins2000/pen/MWKwRYJ) in two separate browser windows. You'll see the messages. It's a codepen, you can fiddle with the code there. From 34775489981116fec6ed6b0257ca86df6f62f214 Mon Sep 17 00:00:00 2001 From: therealadityashankar Date: Fri, 28 Aug 2020 18:26:51 +0530 Subject: [PATCH 2/2] added mitm prevention alternative --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d763a52..498bea5 100644 --- a/README.md +++ b/README.md 
@@ -17,7 +17,9 @@ Works in both browser & node environment. ## MITM warnings -- **ensure** you use trusted trackerAnnounceURLs/keep the communication encrypted by some other means, notorius entities could put deceptive trackerAnnounceURL's and read the data that goes through +- **ensure** you use trusted trackerAnnounceURLs/keep the communication encrypted by some other means, notorius entities could put deceptive trackerAnnounceURL's and read the data that goes through via an mitm attack + +- alternatively, create multiple P2PT connections to the same person via the same identifier but different trackerAnnounceURLs, then ensure that connections are sending the same message, then optimize this connection by exchanging a public key on both sides, ensuring the same public key has been sent via all connections, and then creating an encrypted connection over one of the connections. (TODO, create an option that does this de-facto, and easily) ## How Does It Work ?
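Review bot: In the first README hunk of PATCH 1/2 (`@@ -15,6 +15,10 @@`), the new "MITM warnings" bullet joins two separate mitigations with a slash ("trusted trackerAnnounceURLs/keep the communication encrypted by some other means"), so a reader cannot tell whether either one is enough or both are required. Suggest splitting it into two bullets, one for choosing trackers you trust and one for encrypting the payload by other means, and keeping the consequence ("read the data that goes through") attached to the first. Also fix "notorius" (the sense seems to be "malicious") and the stray apostrophe in "trackerAnnounceURL's".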
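Review bot: In the example hunk of PATCH 1/2 (`@@ -30,7 +34,21 @@`), `new P2PT(trackersAnnounceURLs, '')` replaces the `'myApp'` identifier with an empty string, while the paragraph directly above says this identifier is converted to an Info Hash and used to find peers. An empty value looks like a lost placeholder, and readers who copy the block as-is would all announce under the same identifier; suggest restoring a visible placeholder such as `'myApp'`. The handlers written as `=> ...` are not valid JavaScript, so the block cannot be pasted and run; use an empty body or a `console.log` call instead. The block also hard-codes four public tracker URLs a few lines after the section that tells readers to use trusted trackerAnnounceURLs, so a comment in the example pointing back to the MITM warning would keep the two consistent.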
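Review bot: In PATCH 2/2 (`@@ -17,7 +17,9 @@`), the added "alternatively" bullet leaves out the assumption it depends on: comparing messages and the public key across connections only reveals tampering if at least one of the trackerAnnounceURLs is outside the attacker's control, so "different trackerAnnounceURLs" should say independently operated trackers. The bullet should also say what to do when the copies differ, for example drop the connection rather than continue. "de-facto" reads as if "by default" was meant, and the TODO is better tracked in an issue than in the README text. Minor: "an mitm attack" should be "a MITM attack", and "notorius" is carried over from the previous patch.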