Why unencrypted tcp peers/nodes? AI says it is "compromising the security and privacy"

[slrslr]

17 of 90 peers at https://publicpeers.neilalexander.dev/ are TCP:// ones.

I am wondering why there is no warning or some push to be converted to a encrypted TLS:// peers. This is what HuggingCHat AI thinks about that:

When I mentioned that tcp:// is not a recommended peer, I was referring to the fact that it uses unencrypted, plain-text connections. This means that any data transmitted over a tcp:// connection can be intercepted and read by any intermediate node or observer.

If you were to add a tcp:// peer to your configuration, you would indeed be compromising the security and privacy of your own node, as well as potentially putting other peers' data at risk. Here's why:

1. Unencrypted data: By using a tcp:// connection, you're allowing data to be transmitted in plain text, which can be easily intercepted and read by anyone with access to the network.
2. Man-in-the-middle (MITM) attacks: An attacker could intercept and modify data transmitted over a tcp:// connection, potentially allowing them to inject malicious traffic or steal sensitive information.
3. Node impersonation: An attacker could impersonate your node or other peers, potentially allowing them to manipulate the network or steal resources.

By using only tls:// connections, you're ensuring that all data transmitted between your node and other peers is encrypted, which helps to prevent these types of attacks.

Even if it's the closest peer, avoid tcp://

Yes, even if a tcp:// peer is the closest one to you, it's still not recommended to add it to your configuration. The security risks associated with using unencrypted connections outweigh any potential benefits of having a closer peer.

Instead, you should prioritize adding tls:// peers to your configuration, even if they're not the closest ones. This will help ensure that your node and the entire Yggdrasil network remain secure and private.

Best practice: Use only tls:// peers

To maintain the security and integrity of the Yggdrasil network, it's recommended to use only tls:// peers in your configuration. This will help ensure that all data transmitted between your node and other peers is encrypted and secure.

If you're looking for close peers, you can try searching for tls:// peers in your region or using a peer discovery service that prioritizes secure, encrypted connections.

[neilalexander]

Traffic sent over Yggdrasil is always encrypted, and in the case of a tls:// peering, it's actually doubly-encrypted (once as E2E for the destination, once for the TLS link). The only thing sent over plaintext in a tcp:// peering is Yggdrasil protocol traffic, but those are also cryptographically signed to prevent tampering.

I think your AI has probably missed this nuance, but we keep tcp:// around because there are some lower-end devices where the processing cost of TLS is quite high.