ONJava.com -- The Independent Source for Enterprise Java
Article:
  It Doesn't Pay to be Popular
Subject:   Yes, but the problem is not specific to BitTorrent
Date:   2003-05-31 15:58:35
From:   eggboard
Response to: Yes, but the problem is not specific to BitTorrent

You're reading the context wrong, and it is, in fact, different with direct download.


In the article, I cite the general problem as: "In peer-to-peer systems, however, you can't necessarily be sure that a given file is the same as an author meant to upload, that the file has been vetted for viruses, or that each version of the file throughout a network is the same as every other file." Then I mention BitTorrent's method of crypto as a specific example of trying to solve one part of the problem that doesn't actually verify or vet the file. So that's a general-to-specific example, not a condemnation of BitT above other P2P.


Second, many sites do employ a variety of methods including MD5 and public key signing to ensure that a direct download is as promised. MD5, of course, only ensures that a file matches what's said on a Web site or in an email or newsgroup posting. If you use the methods recommended to obtain the verification of public keys used to sign downloads out of band (that is, not via a Web site or through email directly), then when you download a file, you can verify that the person or organization that you think created the file did, in fact, sign the file and that it has not been tampered with. (The cases in which this is a problem involve a lack of out-of-band confirmation of the public key, and so were more like just checksumming, not ensuring integrity.)


So you're definitely RIGHT in that the problems are P2P-based, but they're exacerbated by a distributed mechanism in that the "author" doesn't define where the downloaded file is authoritative from.


Obviously, a way to make this work better would be to tie in Web sites or subsites on a Web site that managed the crypto: signed files, etc., and have a streamlined method of obtaining keys or keys signed by other keys, so that any file in BitTorrent had to have some identity confirmed at the end of a chain, not just crypto hashing confirmation of the individual file.


It's definitely a global problem, but it's "solved" in the sense that sites like apache.org or sendmail.org use mechanisms that allow verification. If those files are then distributed through BitTorrent, those same methods of verification work.
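The distinction the reply draws, between an MD5 posted next to the file and a signature checked against a key confirmed out of band, as an added example that is not part of the original post. The RSA here is textbook RSA over fixed Mersenne primes, constructed only to make the trust chain runnable; the file contents, keys and fingerprint pinning are all assumed for the illustration.

```python
"""Added example: checksum-only vs. signature-with-pinned-key verification of a download.

Toy textbook RSA over fixed Mersenne primes (constructed for illustration, not a real
key or key size); the point is the trust chain, not the primitive.
"""
import hashlib

E = 65537


def make_key(p: int, q: int):
    """Textbook RSA keypair from two given primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def _digest_int(data: bytes) -> int:
    # SHA-256 of the file, truncated to 26 bytes so it fits under the toy moduli
    return int.from_bytes(hashlib.sha256(data).digest()[:26], "big")


def sign(data: bytes, priv) -> int:
    d, n = priv
    return pow(_digest_int(data), d, n)


def signature_ok(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == _digest_int(data)


def fingerprint(pub) -> str:
    """Short hash of the public key: the value a user confirms out of band."""
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]


def verify_download(data, published_md5, sig, pub, pinned_fingerprint):
    """Checks in the order a careful user would: does the file match the posted
    checksum, is the signing key the one confirmed out of band, and does the
    signature verify. Returns (ok, reason)."""
    if hashlib.md5(data).hexdigest() != published_md5:
        return False, "checksum mismatch"
    if fingerprint(pub) != pinned_fingerprint:
        return False, "unverified key"
    if not signature_ok(data, sig, pub):
        return False, "bad signature"
    return True, "verified"


# Constructed stand-in for a release tarball and a mirror's altered copy.
ORIGINAL = b"example-release-1.0.tar.gz contents (constructed)\n"
ALTERED = ORIGINAL + b"extra bytes added on a mirror (constructed)\n"

# Constructed keys: the author's, and one a hostile mirror would make up.
AUTHOR_PUB, AUTHOR_PRIV = make_key((1 << 127) - 1, (1 << 89) - 1)
MIRROR_PUB, MIRROR_PRIV = make_key((1 << 127) - 1, (1 << 107) - 1)


def scenarios():
    """Three cases from the post: an untouched release, a mirror that swaps the
    file and its MD5 together, and a mirror that also substitutes its own key."""
    pinned = fingerprint(AUTHOR_PUB)  # obtained out of band, not from the download site
    author_sig = sign(ORIGINAL, AUTHOR_PRIV)
    return {
        "authentic": verify_download(
            ORIGINAL, hashlib.md5(ORIGINAL).hexdigest(), author_sig, AUTHOR_PUB, pinned),
        # MD5 published next to the file is replaced along with it:
        # the checksum passes, the author's signature does not
        "swapped_file_and_md5": verify_download(
            ALTERED, hashlib.md5(ALTERED).hexdigest(), author_sig, AUTHOR_PUB, pinned),
        # mirror signs its copy with its own key: the signature is internally valid,
        # but the key was never confirmed out of band, so it is rejected first
        "mirror_own_key": verify_download(
            ALTERED, hashlib.md5(ALTERED).hexdigest(),
            sign(ALTERED, MIRROR_PRIV), MIRROR_PUB, pinned),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:22s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Nothing in `verify_download` depends on where the bytes came from, which is the reply's closing point: a file signed by apache.org or sendmail.org verifies the same way whether it arrived by direct download or through a swarm, and a mirror that rewrites the MD5 alongside the file gets past the checksum but not past the pinned key.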


  1. Yes, but the problem is not specific to BitTorrent
     2003-06-02 14:34:31  anonymous2

  2. Yes, but the problem is not specific to BitTorrent
     2003-06-02 14:34:09  anonymous2

     • Yes, but the problem is not specific to BitTorrent
       2004-02-01 02:41:56  susy_miller

     • Yes, but the problem is not specific to BitTorrent
       2004-02-01 02:38:39  susy_miller

     • Yes, but the problem is not specific to BitTorrent
       2003-06-13 05:58:22  anonymous2

     • Yes, but the problem is not specific to BitTorrent
       2003-06-13 05:55:53  anonymous2
