
BitTorrent and End to End Encryption 494

An anonymous reader writes "As ISPs like Shaw and Rogers throttle their bandwidth to counter the growth of BitTorrent, BitTorrent developers are fighting back with end to end encryption. Oddly enough, Bram Cohen, the original brains behind BitTorrent, doesn't support this direction. Is there really anything he can do about it?"
This discussion has been archived. No new comments can be posted.

  • by takeya ( 825259 ) on Monday February 06, 2006 @06:19PM (#14654803) Journal
    The bigger problem is customers paying their ISPs, many of whom hold a local monopoly, and then the ISPs go around and turn their backs on the customers, leaving them without services like bittorrent that have a clear and growing legal use. Perhaps a boycott of ISPs that do that would be in order... except for that whole monopoly thing.
  • Wrong Solution (Score:5, Insightful)

    by Hatta ( 162192 ) on Monday February 06, 2006 @06:20PM (#14654816) Journal
    The proper solution when your ISP is deliberately crippling your service is to get another ISP. You paid for that torrent traffic, and if they don't carry it that's as good as stealing. Let your ISP know how you feel, and don't do business with crooks.
  • by imoou ( 949576 ) on Monday February 06, 2006 @06:20PM (#14654821) Homepage
    Bram said he suspects that some developer has gotten rate limited by his ISP, and is more interested in trying to hack around his ISP's limitations than in the performance of the internet as a whole.

    Isn't this what Open Source is about? The ability to make changes to a software to suit one's need? And if there are enough users, followers, developers and contributors (see Ubuntu from Debian), the new branch becomes a thing of its own.

    So the day Bram opened his code, BT is subject to the same kind of treatment and only users can decide which way it will go.

    Aren't there cases where someone compiled a BT client to act like a seeder with high ratio but is an ultimate leecher?
  • by Dr. Evil ( 3501 ) on Monday February 06, 2006 @06:21PM (#14654827)

    ISPs are happy to lose those customers.

  • by LunaticTippy ( 872397 ) on Monday February 06, 2006 @06:24PM (#14654866)
    The ISPs will simply throttle anything encrypted unless it pays extra, or something similar. If we accept this situation, or find short-term workarounds it will become worse and worse.

    My connection is severely throttled by my pathetic aDSL upload speed, but that's another bitch entirely.

  • Bram may not like it, but one of the best things about sharing the source code, is that the 'market' so to speak will determine now where this protocol goes. If Bram doesn't like it, that's his right, but I expect the masses are going to use the program that best offers the features they want. And uTorrent and Azureus are the two 'big boys' on the block right now. And if someone can improve it further on down the road, the whole bittorrent history has shown that users will try it, especially if they aren't happy with the 'old' program they use.
  • by MrNougat ( 927651 ) <ckratsch@noSPAm.gmail.com> on Monday February 06, 2006 @06:25PM (#14654876)
    So when I buy an internet connection from an ISP, who says the connection is 4mb down and 256K up, and then I actually want to use all of the bandwidth I have been sold - then the ISP wants to crack down and limit my usage?

    Someone should sue [insert favorite ISP here] for bait and switch. If what they're providing is 4mb/256K burst speed, with lower rates for continuous, then that's what they should say in their advertising. This is hardly a far cry from the shady camera outfits online (i.e. PriceRitePhoto). You pay every month for a service, and the service you're actually provided differs greatly from what you thought you purchased.
  • by Ambush Commander ( 871525 ) on Monday February 06, 2006 @06:27PM (#14654890)
    Don't forget part of the problem is that our connections are asymmetric. 100+ kb/sec for downloads, but ~10 kb/sec for *any* uploading is the best you can hope for.
  • Re:Wrong Solution (Score:5, Insightful)

    by Hrothgar The Great ( 36761 ) on Monday February 06, 2006 @06:29PM (#14654907) Journal
    Most people have only one or two choices for ISPs, and MAYBE three if they're lucky. In my area, I have one cable provider, one telco providing DSL, and I think there's some satellite company that is expensive and has extremely horrid bandwidth. Basically, your cute idea that everyone should just up and switch ISPs is a pipe dream at best.
  • by Pantero Blanco ( 792776 ) on Monday February 06, 2006 @06:29PM (#14654910)
    He released it as an open source project. He can't do anything about people modding it any more than Linus Torvalds could do anything about someone modding the Linux kernel--not that he would.

    However, also like LT and most other major project figureheads, he holds a certain amount of political sway. His disapproval may be enough to keep some developers from pursuing certain paths. Of course, not everyone will care about what he thinks, but he does have SOME power.
  • by Yaztromo ( 655250 ) on Monday February 06, 2006 @06:35PM (#14654971) Homepage Journal
    The ISPs will simply throttle anything encrypted unless it pays extra, or something similar.

    And how is the ISP supposed to be able to detect the difference between encrypted and non-encrypted binary data? What detection routine do you use to detect between, say, encrypted BitTorrent data, unencrypted VOIP data, an FTP file transfer, and random data?

    Traditionally, you can filter the ports -- but nothing prevents software from changing what ports it uses, and there are several applications which can handle a dynamic port exchange. Barring just blocking or filtering on specific ports, how do you detect that data is encrypted, when the purpose of encryption is to make the data appear to be random to an outside adversary?

    Yaz.

  • statistics (Score:2, Insightful)

    by pocopoco ( 624442 ) on Monday February 06, 2006 @06:35PM (#14654973)
    >Most ISPs don't do such shaping

    I wonder if he just pulled this out of his ass or something. Not only does my ISP traffic shape BT, they also block all the common ports that trackers use (you can change your client's ports easily, but the tracker owner has to change in this case).

    There have been actual studies showing P2P traffic represents over 50% of consumer ISP traffic. An ISP would have to be stupid not to shape P2P.
  • by lilmouse ( 310335 ) on Monday February 06, 2006 @06:43PM (#14655051)
    Nonsense. Is using ssh guaranteeing illegal activity? Not at all. If I want to use my ISP to download the latest Ubuntu (and I will soon), I damn well want it via BitTorrents. And if I encrypt it, that's my business too!

    --LWM
     
  • by Anonymous Coward on Monday February 06, 2006 @06:49PM (#14655099)
    "...leaving them without services like bittorrent that have a clear and growing legal use. "

    If BT has a "clear and growing legal use"? Then the flip side is that it also has a "clear and growing illegal use" as well.

    "Perhaps a boycott of ISPs that do that would be in order... except for that whole monopoly thing."

    I'm certain all you geeks with your big brains will come up with a solution. You do it all the time here.
  • by fpepin ( 61704 ) <fpepinNO@SPAMaei.ca> on Monday February 06, 2006 @06:49PM (#14655104)
    People seem to be confusing the 2 issues.

    Encryption here is just a means, they don't care if the ISP sees WHAT they're sharing, they only care that the ISP recognizes that they ARE sharing (and throttling their connection accordingly).

    I find the argument against the tracker taking care of it quite silly. The guy from uTorrent says that the ISP would simply find or modify the packet saying that obfuscation is wanted.

    I would guess the ISP would just throttle all encrypted traffic going to random ports before it starts identifying specific packets. They're as justified to limit it to BT as they are to do it with all unrecognized traffic.

    BT is costing them a large amount of money so they start to throttle it. That means that they're not going to sit idly and not respond if it becomes obfuscated/encrypted.

    I don't think it's an arms race that BT can win at all. If the ISP wants to limit the amount of bandwidth you're using, they will limit it, one way or another. For example, the ISP might throttle everything after a threshold per month is exceeded.

    That's the main point that Bram is making, and I find it difficult to disagree with him.
  • by abscissa ( 136568 ) on Monday February 06, 2006 @06:59PM (#14655196)
    I'm a Rogers user and I have found BT to be unusable because of this.

    However, nothing personal, I REALLY REALLY wish that people who wanted to download TV shows, movies, apps, music, warez, etc. would use USENET.

    USENET is a bit more difficult to use at first but it is fast as fast can be if you get the right server, and you are far less likely to run into trouble with anyone. I could (if I wanted) grab an entire season to a TV show in less than two hours. Probably more like 45 minutes even... (seriously... Rogers is fucking fast)

    Using USENET would also really really really cut waaaaaay down on that traffic that is bothering the hell out of the ISPs... (especially for the cable providers since it all but eliminates the upstream)

    Sadly, Rogers no longer offers Usenet services because they are really cheap and greedy, so you have to pay for a premium news server, which is like $9 a month.
  • by interiot ( 50685 ) on Monday February 06, 2006 @07:00PM (#14655204) Homepage
    Answer: Easy.

    As TFA notes: encrypted or not, you're still pushing a massive amount of upload and download traffic. That in itself is enough to get noticed.

    Second, the more data there is to analyze, the easier it becomes to distinguish noise from data.

    Third, again as TFA notes, if a lot of connections are being made, they can analyze the first chunk of data sent by both sides. If it's an unencrypted connection, you'll see a roughly consistent set of data being sent across at the beginning. If even the headers are encrypted, and you use BitTorrent a lot, eventually it will be pretty obvious.

  • by thepotoo ( 829391 ) <thepotoospam@yah[ ]com ['oo.' in gap]> on Monday February 06, 2006 @07:04PM (#14655236)
    A lot of people live in rural areas, and don't have anything. Not even dial up. On /., you don't hear a lot from these types, but they're out there.

    I live in an area where the best I've got is dial-up (and 28.8k at that). Once an ISP gets out here, I'll be the first to switch to them. ON ONE CONDITION: They allow bittorrent traffic.
    Seriously, everyone I know who has gotten broadband has done so for P2P. Warez kiddies ^W^WLinux distro hunters are the cable companies' biggest subscribers.
    They are shooting themselves in the foot by not supporting us.

  • by Anonymous Coward on Monday February 06, 2006 @07:15PM (#14655322)
    So, yeah, needless to say, they abuse their monopoly like crazy. I don't have to deal with it anymore because switched to Sprint.

    Monopoly...switched. The words don't quite mesh.
  • by qwertphobia ( 825473 ) on Monday February 06, 2006 @07:28PM (#14655414)

    There's MUCH more to bandwidth management than just blocking ports. Modern bandwidth management solutions go past layer 3 and detect which applications are running across a network flow.

    Even if a system can't understand the data being transmitted, there's a good chance that the system can understand either what type of encryption is being used, what application is sending the data, or even both.

    In order for applications to communicate they need a well-documented set of rules for communications. Open Source applications and standardized applications use public and well-documented sets of rules.
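
Added example, not part of any comment in this thread: a sketch of the first-payload analysis that interiot and qwertphobia describe in reply to Yaztromo's question, matching cleartext protocol openings first and falling back to a byte-entropy estimate. The sample flows, thresholds, labels and function names are constructed for illustration and are not taken from any ISP product.

```python
import hashlib
import math
from collections import Counter

# Cleartext openings that identify a protocol even if the rest is encrypted.
SIGNATURES = [
    (b"\x13BitTorrent protocol", "bittorrent-plaintext"),  # pstrlen 19 + pstr
    (b"SSH-", "ssh"),            # SSH version banner is sent in the clear
    (b"\x16\x03", "tls"),        # TLS handshake record header, version 3.x
    (b"GET ", "http"),
    (b"POST ", "http"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_first_bytes(payload: bytes, min_len: int = 128,
                         high_entropy: float = 6.5) -> str:
    for prefix, label in SIGNATURES:
        if payload.startswith(prefix):
            return label
    if len(payload) < min_len:
        return "too-short"       # entropy estimates on tiny samples mislead
    if shannon_entropy(payload) >= high_entropy:
        return "high-entropy-unknown"
    return "structured-unknown"


def summarize_host(flows: list[bytes]) -> dict:
    """Label every flow of one host and report the share that looks random."""
    labels = Counter(classify_first_bytes(f) for f in flows)
    opaque = labels["high-entropy-unknown"] / len(flows) if flows else 0.0
    return {"labels": dict(labels), "opaque_share": opaque}


def constructed_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext, built from SHA-256 output."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed first payloads. The fixed 0xa7 lead byte keeps the random
# samples from colliding with a signature by chance.
SAMPLE_FLOWS = [
    b"\x13BitTorrent protocol" + bytes(8) + constructed_random(40, b"ih"),
    b"SSH-2.0-OpenSSH_4.2\r\n",
    b"\xa7" + constructed_random(255, b"flow-a"),
    b"\xa7" + constructed_random(255, b"flow-b"),
    b"\x00\x01\x00\x00" * 64,
]

if __name__ == "__main__":
    print(summarize_host(SAMPLE_FLOWS))
```

A flow labelled high-entropy-unknown is only "no cleartext framing seen"; compressed or already-encrypted payloads of other applications land in the same bucket, which is the ambiguity Yaztromo's question points at.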

  • Re:North Continent (Score:4, Insightful)

    by Big_Al_B ( 743369 ) on Monday February 06, 2006 @07:34PM (#14655462)
    You forgot "No $40/month broadband".

    I work at an ISP. We pay $50 per meg per month measured at the 95th-percentile of our monthly usage. We can use our bandwidth in essentially any legal way, and we get a pretty rock-solid SLA for our money. On the flipside, our providers should not go bankrupt supporting the service we buy.

    I buy cable broadband at home. I pay $40/month flat rate and I agreed to a pretty restrictive AUP that allows no servers or P2P applications on my end of the connection. I could violate the AUP, like I'm sure many do. But if I did, I would not whine and complain when my ISP addresses the issue. Oh yeah, if I paid at home what I pay at work, I would be paying about $120/month for internet access. But then I could use P2P...whoop-dee-do!

    Networks are very, very expensive. If my broadband provider doesn't stay in business, I won't be able to use P2P--or any other 'net application.
  • by DigitAl56K ( 805623 ) on Monday February 06, 2006 @07:37PM (#14655484)
    And how is the ISP supposed to be able to detect the difference between encrypted and non-encrypted binary data?

    By performing a MITM attack during the public key exchange when any connection is first established (the details of the exchange necessarily being part of the bittorrent protocol). The ISP is perfectly situated in terms of routing to do this and because keys must be exchanged early on in the session there is probably not too much overhead associated with doing so on a large scale (i.e. for many customers and many connections per customer). I could see it becoming a feature on high-end network hardware. Maybe wiretap laws might prevent it, or the DMCA, but IANAL so I don't know for sure.
  • by swilver ( 617741 ) on Monday February 06, 2006 @07:48PM (#14655553)
    Encrypted traffic will eventually become the dominant traffic over the internet, no matter what happens really. Encryption is cheap and easy, and IMHO the main roadblock to it being used for almost everything is the fact that the HTTPS protocol with its certificates and signing authorities (and the yearly fees you have to pay them) is total overkill for most websites.

    A simple encrypted HTTP protocol without all the certificate crap would be JUST FINE. Just negotiate some form of encryption, exchange some random keys and do your stuff (like SSH basically does every time you make a connection) -- this can be done completely secure, the only thing you do not have is a 100% guarantee that the website you're talking to is really who they say they are -- in other words, just like normal HTTP, except that your ISP can't see what you are doing, nor can anyone else except the destination site (whoever that may be).

    Having the option to use encrypted HTTP should involve nothing more than a flip of switch, just like having your HTTP stream gzipped compressed.
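
Added example, not part of any comment in this thread: the certificate-free key exchange swilver describes, run once directly and once with the key substitution DigitAl56K raises, plus an SSH-style pinned fingerprint as the check that notices the substitution. The Diffie-Hellman parameters are toy values, and the host name, class and function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumption: picked for readability;
# 2**127 - 1 is prime but far too small for real use).
P = 2**127 - 1
G = 3


def keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> str:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(str(shared).encode()).hexdigest()


def fingerprint(pub: int) -> str:
    return hashlib.sha256(b"pub:" + str(pub).encode()).hexdigest()[:32]


class PinStore:
    """Trust-on-first-use store, in the spirit of SSH's known_hosts."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, host: str, pub: int) -> str:
        fp = fingerprint(pub)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp
            return "pinned"
        return "match" if known == fp else "mismatch"


def run_demo() -> dict:
    c_priv, c_pub = keypair()          # client
    s_priv, s_pub = keypair()          # server
    m_priv, m_pub = keypair()          # on-path device with its own key

    pins = PinStore()
    first_visit = pins.check("tracker.example", s_pub)  # earlier direct visit

    # Direct exchange: both ends derive the same key without certificates.
    direct = session_key(c_priv, s_pub) == session_key(s_priv, c_pub)

    # Substituted exchange: each end receives m_pub instead of its peer's key.
    client_key = session_key(c_priv, m_pub)
    server_key = session_key(s_priv, m_pub)
    return {
        "first_visit": first_visit,
        "direct_keys_agree": direct,
        "ends_agree": client_key == server_key,
        "device_shares_client_key": client_key == session_key(m_priv, c_pub),
        "pin_check": pins.check("tracker.example", m_pub),
    }


if __name__ == "__main__":
    print(run_demo())
```

Nothing in the exchange itself distinguishes the two runs for the client; only the comparison against a fingerprint learned earlier, or verified out of band, reports the changed key.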

  • by kenthorvath ( 225950 ) on Monday February 06, 2006 @08:04PM (#14655684)
    Let's imagine a water company which has two types of customers: some who use water when they need it and some who leave the water running all day, the sprinklers on the lawn all night, etc.

    Well, except that in this case, you're not paying the ISP for the water but for the capacity of the pipes. The water is coming from sources outside of the ISP and thus isn't a scarce resource. In fact, when you signed up for your pipe-service, you understood that you were paying for the maintenance and capacity of the pipes, which is often claimed to be "unlimited", but upon having them installed, you notice that the same pipe is feeding both your home and your neighbor's home, and their neighbor's home.

    If you were the first type of customer, wouldn't you be annoyed if you found out you were paying the same as the second type? Wouldn't you expect them to pay more, or perhaps face some restrictions?

    If the first type of customer gets upset at the second type of customer, then they should also get upset at buffets that charge the same amount of money to every customer regardless of the amount that they intend to eat. But then, that is the whole concept of a buffet, isn't it? You enter into an agreement with the provider knowing that you are getting a service that you value appropriately enough to pay for. If you think you should be getting a better deal because some people consume more per unit price than you do, then nothing stops you from trying to make your own arrangements, but if the business is not willing to enter into such an agreement with you, then you are free to find another who will. This is the market place at work, and how other people choose to spend their money has no impact on how you should choose to spend yours.

  • by An Onerous Coward ( 222037 ) on Monday February 06, 2006 @08:38PM (#14655921) Homepage
    Man in the middle doesn't work against Public Key Crypto.

    Alice wants to send an encrypted message to Bob, so she encrypts her message with Bob's public key. Thereafter, the only way to decrypt the message is using Bob's private key. Since the private key never gets exchanged, the ISP never sees it, and therefore cannot decrypt the message. When Bob wants to send Alice a response, he encrypts it with her public key, which makes the message decryptable only with Alice's private key (which she never sent).

    In PK, there is no "key exchange" in the usual sense of the term, because in standard crypto algorithms, the exchange needs to be made without the key falling into the hands of those who shouldn't be listening in. What actually happens is more akin to "key publishing," because the public key can be made available to anyone. All they can use it for is to create messages that only you can decrypt.
  • by Kelmenson ( 592104 ) <kelmenson.yahoo@com> on Monday February 06, 2006 @09:45PM (#14656305)
    Back in the 60s, my uncle was a poor college student, participating in the "field" portion of "track & field" (discus, hammer, javelin, etc). He needed to eat lots of food, and didn't have much money to pay for it. The solution he and his teammates came up with was going to all-you-can-eat buffets.

    Needless to say, the poor restaurant owners were not real prepared for a dozen 250+lb college students to come in and eat many platefuls of food, and the owners were not very happy. They asked them to leave, and when they said "no, it's a buffet, we are just eating 'all-we-can-eat'", the owners called the cops on them.

    Well, the cops showed up, and listened to the complaint, and talked to them. And decided against the owner! "If the sign says 'all-you-can-eat', you can't kick them out just because they can eat more than you want them to eat."

    Not really applicable to the topic, but just seemed an appropriate anecdote. Not only internet companies want to cut off people who use over the average!

  • Re:I remember... (Score:4, Insightful)

    by JahToasted ( 517101 ) <toastafari AT yahoo DOT com> on Monday February 06, 2006 @11:28PM (#14656937) Homepage
    The proper reaction is to make the price something like $20/month + $1/GB downloaded. So if you just check your email you pay $20. If you download 5 or 6 movies you pay $26. If you have your system downloading 24/7 you would end up paying something like $80 per month.

    They can't have it both ways. If they advertise it as a flat rate / unlimited, people are going to use it that way. If some people are using more bandwidth than others, then have your price reflect that. Then people will be a little more frugal in their downloading.

    Just keeping the flat rate and prohibiting people from using their connection for what they want just makes people angry and is just stupid.

  • Re:Also because (Score:3, Insightful)

    by ArbitraryConstant ( 763964 ) on Tuesday February 07, 2006 @03:52AM (#14658174) Homepage
    Why not just give people a limit on how much bandwidth they're allowed to use and leave it to them to decide how much of that goes towards P2P?
