
Stop using RC4 encryption

by Guest on 2022/10/18 02:50:13 AM    
On the front page of tixati.com it lists RC4 encryption as an added benefit of Tixati. Stop using RC4. Although it is simple indeed, it is subject to multiple security holes in the algorithm itself. Use AES-256 instead. Using RC4 puts Tixati users in danger.
by notaLamer on 2022/10/18 12:58:23 PM    
Hello, dear reddit user.
I'd like to bring to your attention that your awesome idea may only have success if you create a new Bittorrent Enhancement Proposal (BEP) and contribute to all other open source clients to update them to use a newer encryption standard.
Furthermore, it would be enlightening for you to read what the goal of this RC4 encryption was back in the day (hint: it was not security).

Kind regards,
notaLamer.
by Guest on 2022/10/18 04:36:57 PM    
Hey!

Thanks for your post. I am another Tixati user.

Yes, you are absolutely correct: RC4 is a terrible encryption algo.

It would be completely unacceptable in a business environment too.

RC4 within the BitTorrent Protocol is not meant to be used as encryption for any sort of 'Privacy' - well not as such!
NB: Virtually no privacy can be expected when you are using any torrenting software, and some companies enjoy monitoring BitTorrent for the perverse desire of a "clinically clean Internet".

When BitTorrent was new, it was all exchanged in cleartext. ISP Internet bandwidth was suddenly used up by this new protocol once it became increasingly popular.

ISPs fought back and installed 'Man-In-The-Middle' machines which sniffed for BitTorrent protocols and EITHER used throttling or injected RST (reset connection) messages.
This caused your download to grind to a halt and peers to keep disconnecting, as the ISPs were repeatedly injecting "hang up" messages to you or your peer etc.

Under Net Neutrality rules this was simply disgraceful - but it happened.

What the BitTorrent protocol creator did was add a basic 'cheap on CPU usage' encryption: RC4.

A BitTorrent user and peer choose to download a torrent essentially identified via an "infohash" fingerprint, which is 40 hexadecimal characters.

This key is used between two IP addresses for data exchange, which renders the 'Man-In-The-Middle' ISP sniffing machine useless as it would need to 'crack' this key in realtime to see your traffic.
Essentially all you need is to hide your BitTorrent protocols from ALL the ISPs (to prevent ISP throttling / receiving ISP injected connection resets) and RC4 is still ok in 2022 for this task.

There isn't any real need to switch to a different encryption stream, the BitTorrent 'payload' (pieces) are not confidential, it is public domain, RC4 is purely to defeat ISP tampering.

Hope this explains why BitTorrent still uses RC4.
by Guest on 2022/10/18 08:51:20 PM    
> Stop using RC4. Although it is simple indeed, it is subject to multiple security holes in the algorithm itself.

While this is true, that is not the point of RC4. Its purpose is to obfuscate BitTorrent traffic to avoid ISP throttling.

> Use AES-256 instead.

Then it would not be compatible with other clients.

> Using RC4 puts Tixati users in danger.

RC4 or BitTorrent obfuscation is not a replacement for a VPN. Torrents aren't private and this won't make you anonymous or prevent you from getting a letter. When you download public torrents, your IP is shared using DHT, PEX and trackers. Adding encryption such as AES won't help. If this is a concern for you, use a VPN or private tracker instead.


Source: https://wiki.theory.org/BitTorrentSpecification#Connection_Obfuscation

Connection Obfuscation
This extension allows the creation of obfuscated (encrypted) connections between peers. This can be used to bypass ISPs throttling BitTorrent traffic.
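
Added example (not part of any post above and not Tixati's code): a sketch of how the obfuscated stream discussed in this thread is keyed and why it only hides the protocol header. It assumes the Message Stream Encryption scheme, where each direction uses RC4 keyed with SHA1("keyA" or "keyB", S, SKEY) and the first 1024 keystream bytes are discarded; the shared secret S and the infohash are constructed values and the function names are made up here.

```python
import hashlib

def rc4_stream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling (KSA), then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4_xor(key: bytes, data: bytes, discard: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) after dropping `discard` keystream bytes."""
    ks = rc4_stream(key)
    for _ in range(discard):
        next(ks)
    return bytes(b ^ next(ks) for b in data)

def mse_keys(shared_secret: bytes, infohash: bytes):
    """Per-direction keys: SHA1('keyA'|S|SKEY) and SHA1('keyB'|S|SKEY)."""
    return (hashlib.sha1(b"keyA" + shared_secret + infohash).digest(),
            hashlib.sha1(b"keyB" + shared_secret + infohash).digest())

# Constructed sample values, not taken from any real swarm or handshake.
S = hashlib.sha512(b"constructed DH shared secret").digest() + bytes(32)  # 96 bytes
INFOHASH = hashlib.sha1(b"constructed info dictionary").digest()          # 20 bytes
HANDSHAKE = b"\x13BitTorrent protocol"  # plaintext header a DPI box would match

def demo():
    key_a, key_b = mse_keys(S, INFOHASH)
    wire = rc4_xor(key_a, HANDSHAKE, discard=1024)   # what the ISP sees
    received = rc4_xor(key_a, wire, discard=1024)    # what the peer decodes
    # RC4 is a bare XOR stream with no MAC: one flipped wire bit decodes
    # to one flipped plaintext bit and nothing flags it.
    tampered = bytearray(wire)
    tampered[1] ^= 0x01
    altered = rc4_xor(key_a, bytes(tampered), discard=1024)
    return key_a != key_b, wire, received, altered

if __name__ == "__main__":
    distinct, wire, received, altered = demo()
    print("wire bytes:", wire.hex())
    print("decoded   :", received)
    print("bit-flip  :", altered)
```

The recognisable header disappears from the wire, which is all the obfuscation is for; the stream has no integrity protection and the peer is not authenticated, so it gives none of the guarantees the original post expects from AES-256.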



