What's the network level privacy for rostra users?

[k4r4b3y]

Using on the clearnet, I am assuming there is no protection against traffic observance/surveillance. Is it on the cards for rostra to have some sort of tor hidden service integration, ie, connect to the friends'/peers' .onion URLs or something like that.

[dpc]

Ha! That's a great question.

So while the p2p traffic is e2e encrypted, by definition everything posted on Rostra is public as Rostra is fundamentally meant to facilitate public interactions.

Also p2p connections do expose IP address.

Having said that I did some thing and experimenting and the plan is as follows:

• For stuff that should be private/secret, encryption can be used. Currently I'm thinking about things like personal notes, drafts, settings, DMs.
• I tried before and Iroh/Pkarr connectivity does work over Tor, including orjail so it's possible to host host a fully anonymous identity.
• Users might want to host their own personal node on a server, and interact with it over https (just like https://rostra.me , just stripped down to personal accounts).
• I also have a plan for a "private" node mode, where e.g. user's node might only connect to designated "public" nodes (either hosted by themselves, or someone trusted) so that they don't leak their IP to strangers. Thanks to the synchronization model it's all relatively simple to implement.

[trosel]

Would there ever be a way to do a “friends only” type of post? I think that’s a major strength of existing social media; that the reach and exposure is understandable.

SSB is understandable because it works on gossip. So if you reach someone, you know them through someone else. Facebook is understandable because they just have a setting for “global” or “friends” and the friends have things like a “friend request”.

Seemingly a “friend request” in rostra could be an action where you exchange decryption keys. But then you’re also needing to potentially rotate keys when a change to the friend list is made, etc.

[dpc]

Rostra is meant to be for public communication. It's kind of like SSB. If you see some content it has to be directly or through an existing connection.

[trosel]

Ok, that makes sense. Maybe DMs and group chats are just better for “friends only” stuff in that case.

Could you ever expose in the UI how/why content is being shown? Like if it’s two hops away, show the people that are in the hop path?

One thing I can foresee is that if you follow someone and they follow people you don’t like, the only way to get rid of those people is to unfollow the person you do know and like. Might be nice to have some kind of “direct follow only” setting so you don’t necessarily start pulling in all their network.

[dpc]

DMs are relatively easy, and could be done in Rostra. One would just publish an event with DM encrypted to one of their followers. And then the followers would attempt to decrypt messages like that with their own keys. The UX of it would be kind of meh - because being able to message only own follower ... is weird.

Chat groups, especially encrypted, are a huge complexity and UX story, and I'm not touching it. Spam, abuse, etc.

Also - Rostra data model is replicating very lazily, assuming no need for low latency.

The DMs/chat groups could be be added as a different protocol in an end user app. E.g. a user's social profile could contain Matrix identity, and then DMing could happen.

the only way to get rid of those people is to unfollow the person you do know and like.

Yes. The whole "Persona" model ties into that. Eventually user will be able to to define their own "Personas" (sub-identities), and then when following the followee will get assigned to a personas too (so e.g. my "Dev" persona will be following all interesting tech people), and then somewhere there there might be a way to customize the transitive following behavior.

[k4r4b3y]

by definition everything posted on Rostra is public as Rostra is fundamentally meant to facilitate public interactions.

I understand that. But public posts doesn't mean that my local ISP, or other network observers, see my connection to some other peer in the France, or some other country. Am I presenting a somewhat accurate picture if I say that currently with rostra, I am making it visible to the network observers that my machine is making a connection to the person I am following's country? What more can a network observer (by looking at the coming and going internet packets, not the public post contents) deduce?

[dpc]

Am I presenting a somewhat accurate picture if I say that currently with rostra, I am making it visible to the network observers that my machine is making a connection to the person I am following's country?

Yes, in default configuration the node will directly connect to people you're following.

What more can a network observer (by looking at the coming and going internet packets, not the public post contents) deduce?

Everything e2e encrypted and authenticated, so that's kind of it, but Rostra by itself is not an anonimization software, and does not attempt to obfuscate or prevent any privacy leakage one might deduce from timings etc.