I2P support forum

moneymonero7 wrote:Tor vs I2P Review

Tor and I2P are the main privacy routing networks that we have to hide IP addresses other than basic VPN connections. There are other projects too but they are either new or not that popular so they are less effective as anonymity scales by the number of users. I am going to give my honest opinion and compare the two:


I2P Features:

• Designed for hidden services which are faster and more efficent than Tor 1
• Distributed, P2P, decentralized and self organizing 2
• Packet switch instead of circuit switch, provides higher level of anonymity
• Unidirectional tunnels, doubling the security / node than Tor
• Tunnels are shorter lived than Tor
• All peers participate in the network 3
• Bandwidth requirement is low
• Built in Java 4
• Free and Open Source

1. I am not sure whether the onionv3 system would be more superior than this. While Tor wasn't designed for hidden services and it's just a plugin, with the onionv3 system it's getting there.
2. Although it's much more decentralized than Tor, their claims are misleading. They still have directory servers and I guess the development team has a lot of power over the project, it's not like a blockhain which is fully decentralized, so this is misleading. Though it's more decentralized than Tor in either case.
3. This makes I2P use very risky, especially connecting to it directly, as if somebody is doing something illegal, it would put every node there in danger and suspects of that same crime. Police I guess is not well experienced with this ,and due to the low user count ,this makes it very dangerous to use. Though connecting to I2P from Tor or from a VPN is less risky.
4. Java is a very flawed language with a history security bugs, and the way the website mocks C in favor of Java makes them look ridiculous. This is a massive red flag for me.

Tor Features:

• More users hence bigger haystack of anonymity
• More security audits and academic reviews on it
• Has solved the scaling issue
• Centralized 1
• Has more funding and workforce working on it
• Is censorship resistant, it doesn't assume clear access to internet like I2P 2
• Adaptive to DDOS attacks
• Higher degree of plausible deniability and smaller risk of usage
• Low usage of resources on clients but big usage on servers 3
• High bandwidth throughput reaching the throughput level of an average VPN service
• Free and Open Source
• Supposedly resistant to Sybil attacks 4

1. This is a big problem, the development and the infrastructure is very centralized, which would increase the risk of it being shutted down or censored, as it has a few points of failure. I think about 9 directory nodes exist now, which means that blocking only those 9 IP addresses worldwide would cripple the network. The use of bridges and proxies can help, but this issue needs to be addressed.
2. While I2P assumes that you can connect to the internet, Tor assumes that you are censored, which is better. Tor has a bridge feature which allows to bypass any censorship other than total blocking of the internet. It can connect even through a HTTP proxy and it molds the traffic to be hard to distinguish from normal browsing by packet inspection. Though I2P can be used through Tor, so it's not a big drawdown, Tor still needs to do this, so perhaps the two systems complement eachother.
3. It's balanced towards higher user experience by outsourcing the work to servers, but this increases centralization which is not good.
4. It is supposedly resistant against Sybil by it's mechanism is picking trusted nodes, but due to it's centralized nature, operators could be coerced or coopted to become informants, so I don't think this works as well as advertised.

Conclusion

While I think I2P has more potential in it, being more granularly designed and having a next generation architecture, I am very dissapointed in it's current state. I can't take any software seriously which is written in a bug-ridden language that promote's itself as a secure anonymous tool.

Now if I2P would transition over to C++ then that would be a good start, but even then it would have a long road to go.

Obviously Tor is better by far, it's not even comparable. Tor is much more tested and widely used, as it's much better written and has a lot of bugs already fixed and engineering issues addressed. Tor is not going to go away any time soon.

Though the two can be used in complementary mode, speficially Tor->I2P, not the other way around, I think this would increase the latency more than if you would just use Tor with more than 3 nodes.

But then again supposedly Tor can be deanonymized if the entry and exit nodes are correlated, and since exit nodes are not encrypted it defeats the whole purpose.

At this point there is no secure way to merge the two together, and I2P is not adequate for anonymity yet in my opinion, so using Tor alone or with Bridges is the way to go in the present in my opinion.

- https://www.reddit.com/r/privacy/commen ... 2p_review/

moneymonero7 wrote:

• Designed for hidden services which are faster and more efficent than Tor
• Packet switch instead of circuit switch, provides higher level of anonymity
• Unidirectional tunnels, doubling the security / node than Tor
• Tunnels are shorter lived than Tor
• All peers participate in the network
• Bandwidth requirement is low
• Built in Java
• Free and Open Source

moneymonero7 wrote:2) Although it's much more decentralized than Tor, their claims are misleading. They still have directory servers and I guess the development team has a lot of power over the project, it's not like a blockhain which is fully decentralized, so this is misleading. Though it's more decentralized than Tor in either case.

moneymonero7 wrote:3) This makes I2P use very risky, especially connecting to it directly, as if somebody is doing something illegal, it would put every node there in danger and suspects of that same crime. Police I guess is not well experienced with this ,and due to the low user count ,this makes it very dangerous to use. Though connecting to I2P from Tor or from a VPN is less risky.

moneymonero7 wrote:4) Java is a very flawed language with a history security bugs, and the way the website mocks C in favor of Java makes them look ridiculous. This is a massive red flag for me.

moneymonero7 wrote:

• More users hence bigger haystack of anonymity
• More security audits and academic reviews on it
• Has solved the scaling issue
• Centralized
• Has more funding and workforce working on it
• Is censorship resistant, it doesn't assume clear access to internet lik I2P
• Adaptive to DDOS attacks
• Higher degree of plausible deniability and smaller risk of usage
• Low usage of resources on clients but big usage on servers
• High bandwidth throughput reaching the throughput level of an average VPN service
• Free and Open Source
• Supposedly resistant to Sybil attacks

moneymonero7 wrote:1) This is a big problem, the development and the infrastructure is very centralized, which would increase the risk of it being shutted down or censored, as it has a few points of failure. I think about 9 directory nodes exist now, which means that blocking only those 9 IP addresses worldwide would cripple the network. The use of bridges and proxies can help, but this issue needs to be addressed.

moneymonero7 wrote:2) While I2P assumes that you can connect to the internet, Tor assumes that you are censored, which is better. Tor has a bridge feature which allows to bypass any censorship other than total blocking of the internet. It can connect even through a HTTP proxy and it molds the traffic to be hard to distinguish from normal browsing by packet inspection. Though I2P can be used through Tor, so it's not a big drawdown, Tor still needs to do this, so perhaps the two systems complement eachother.

moneymonero7 wrote:3) It's balanced towards higher user experience by outsourcing the work to servers, but this increases centralization which is not good.

slumlord wrote: ↑01 Jun 2018 07:23 This is the first time I have heard of the phrase "Haystack of Anonymity". I don't know what it means but it sounds cool and I want it on a t-shirt.

slumlord wrote: ↑01 Jun 2018 07:23It seems like the source of such concerns lies with Java's usage as a plugin within web browsers and the sandbox that is used for this purpose.