NewNode Vulnerability Mitigation Overview

NewNode is an open-source peer-to-peer content delivery system that enables censorship- and shutdown-resistant communication and access to information. NewNode Kit helps to prevent the content from being blocked by traffic filters imposed on the network or dropped due to connection issues.

As with any technical system, potential hostile actors can pose a risk to the system and its users. NewNode prioritizes mitigating potential risks to both end users and to the technology itself. We have developed a threat model that addresses the likelihood and impact of these potential risks, which are categorized by type and then ranked by priority depending on their potential consequences. This threat model is in the process of being audited and validated by a third-party security firm, and will continue to guide us in our essential work to protect our partners’ safety and address any concerns.

The full protocol spec can be found here. Below we outline some key points and processes to be aware of.

Potential peer node-based threats: The NewNode network operates via peer-to-peer information sharing, meaning that content goes from one peer node to another to expand the availability of information on the network. This creates several possible opportunities for disruption by a hostile adversary. A node could present as a legitimate NewNode Kit peer, but instead be working for disruptive or misleading purposes by passing on information incorrectly or tampering with traffic (by either attempting to flood the network with too much information or to pass on inaccurate or inappropriate data). This is called a rogue node. By technical design, NewNode mitigates a significant number of these risks. The NewNode network typically relies on multiple peers and chooses its routes in a way that is nearly impossible for any rogue node to manipulate, so a rogue node will rarely succeed at tampering given the verification requirements. Separately, for HTTPS traffic, the technology will automatically generate an error when faced with rogue nodes. When NewNode detects such an error, it will consider that path to the server invalid and attempt to establish a connection to the server via a different path. The way NewNode works is either by peers populating content into the network or via an injector that can seed information onto the network. In cases where this functionality is used, note that another possible threat is that the default injector can be spoofed by an adversary. This risk has been dramatically reduced by the almost universal shift to HTTPS.

Potential server-based threats:
NewNode’s users access information that is stored on web servers. Imposter servers, meaning those that are pretending to be legitimate but are actually trying to disrupt the network, pose several potential risks. Imposter servers can return forged or modified results, disclose unauthorized information, or attempt to flood the network with too much information (via a denial of service attack). Mitigations for these risks exist for HTTPS traffic (meaning web traffic that is encrypted in transit and has a valid certificate that verifies this). Faced with an imposter server, the client will return an error message. Additionally, when NewNode VPN has “try first” enabled, the algorithm will seek out an alternate path that bypasses imposter servers. From a process standpoint, DHT nodes pose a similar potential threat. A rogue DHT node could pose as a legitimate node and return altered or false information. Additionally, a DHT node could leak information about queries made by one or more nodes.

Potential threats to statistics and data validity:
For network optimization, NewNode collects some network usage data, ranging from IP information about existing peer nodes to usage statistics about network activities. To obtain location information, NewNode uses a web service called ipinfo.io that returns geolocation information based on the source IP addresses of requests. The location information obtained from ipinfo.io contains approximate coordinates of the client (derived from the client's IP address); only the ISO country code and an indication of the client's Internet service provider are reported to NewNode's stats server. A possible risk is the service returning false or incorrect information, or an adversary blocking access to the service, resulting in incomplete or incorrect geolocation data. NewNode reports its usage statistics to the stats.newnode.com server. Such reports are encrypted using HTTPS, which also ensures that those reports are not rerouted to false servers. A potential identified threat is that information could be exfiltrated and could reveal information about users (either individually or for specific groups). This threat is mitigated by protecting the stats.newnode.com server from unauthorized administrative access through robust server protections. Another potential risk, though unlikely, is the intentional upload of bogus information to stats.newnode.com to create false statistics. This risk stems from the open source nature of the NewNode project.

Potential risks concerning data storage: Several components of NewNode rely on stored information in order to function reliably. This stored information includes local logs (generated by the Local User’s Node, i.e. individual users’ machines), secret keys (used for signing or encryption), and peer lists (a list of connections that have previously been identified by the Local User's Node). Potential risks to this include exfiltration of any of this data by an adversary, as well as corruption of or tampering with secret keys or stored peer lists. The mitigation of these risks is largely on the user side. Users need to have strong passcodes on their devices or phones, and to protect those passcodes from prying eyes.

Potential risks concerning path validity: Users get to specific websites by typing in a web address (aka a “domain name” or a “URL”). A domain name server (DNS) translates and routes those to the correct location. A potential risk is that an adversary could try to block traffic to a server via a rogue DNS that produces incorrect routing information. Mitigation for this risk exists for HTTPS traffic (meaning web traffic that is encrypted in transit and has a valid certificate that verifies this). Faced with an imposter server, the algorithm will seek out an alternate path that bypasses rogue DNS servers. If an unimpeded path is not identified, the connection will time out.
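The path-invalidation and fallback behaviour described in the peer node, server and path validity sections above (an HTTPS certificate error marks the path invalid, another path is tried, and the connection times out if no unimpeded path is found), as an added illustrative example in Python. This is not NewNode's code: the PathSelector class, the modelling of a path as a callable, and the sample outcomes are assumptions constructed for the example.

```python
import socket
import ssl
import time
from typing import Callable, Dict, List, Set

# Assumption: a "path" (direct, via a peer, via an injector) is a callable that
# performs the HTTPS request and either returns the body or raises what a real
# TLS client would: ssl.SSLCertVerificationError on a certificate that does not
# verify, socket.timeout when the route is blocked.
Fetcher = Callable[[str], bytes]

class PathSelector:
    def __init__(self, paths: Dict[str, Fetcher], deadline_s: float = 5.0):
        self.paths = paths
        self.deadline_s = deadline_s
        self.invalid: Set[str] = set()  # paths that served a bad certificate
        self.log: List[str] = []

    def fetch(self, url: str) -> bytes:
        start = time.monotonic()
        for name, fetcher in self.paths.items():
            if name in self.invalid:
                continue  # never retry a path already marked invalid
            if time.monotonic() - start > self.deadline_s:
                break  # overall deadline exceeded: give up
            try:
                body = fetcher(url)
                self.log.append(f"{name}: ok")
                return body
            except ssl.SSLCertVerificationError:
                # Forged/mismatched certificate: rogue node or imposter server.
                self.invalid.add(name)
                self.log.append(f"{name}: invalid certificate")
            except OSError:
                self.log.append(f"{name}: unreachable")  # skip for this request only
        raise TimeoutError(f"no unimpeded path to {url}")

# Constructed sample paths so the example runs offline.
def _rogue_peer(url: str) -> bytes:
    raise ssl.SSLCertVerificationError("hostname mismatch")
def _blocked_route(url: str) -> bytes:
    raise socket.timeout("dropped by traffic filter")
def _honest_peer(url: str) -> bytes:
    return b"<html>origin content</html>"

SAMPLE_PATHS = {"peer-A": _rogue_peer, "direct": _blocked_route, "peer-B": _honest_peer}

def demo() -> PathSelector:
    selector = PathSelector(SAMPLE_PATHS)
    selector.fetch("https://example.org/")
    return selector
```

A second fetch on the same selector skips peer-A without contacting it again, while the blocked direct route is retried because a timeout may be transient.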

Overall, NewNode is committed to mitigating potential risks and ensuring that its network is secure and reliable for its users and partners. Our threat modeling has not identified any risks that would severely affect the network’s function or user safety – and the risks that we have identified we are working proactively to mitigate.