‹ Back to the blog listBaking the Security Cake



Imagine the internet as a cake. Everyone enjoys 'frosting' like WhatsApps, Google, and Facebook. In fact, for many people such services are the Internet - they don't realize that they're free only because they're paying with their privacy instead of money.

Of course, cakes are more than just frosting. There are billions of connected devices running numerous communication protocols, and billions of people who use those devices. The sheer number of people using the internet today reveals an undeniable fact: the internet was not designed for so many users.

I'm not saying that the internet cannot handle them on the level of technology; no, it's that it cannot handle them securely.


In the beginning

The internet started off as an engineers' pet project: early designs actually stated that "security issues shall not be considered." In those days it was simply a bunch of geeks like me exchanging data.

Nobody worried about security because it could always be added later. Besides, who was listening anyway? But then the internet grew. Fast.

Today, protecting people on the internet is difficult because the underlying technology was not designed with security in mind. Just think of the recently discovered SSL vulnerabilities Heartbleed and POODLE as the latest symptoms.

Or look at how ridiculously difficult it is for the average person to use encryption technology like PGP.  It didn't take us long to realize that we wouldn't get far in protecting people's privacy simply by building on what's already there. Band-aids wouldn't do it.


A new approach

We've built a completely new kind of network, one that enables anyone to protect their privacy with the latest encryption technology.

It's reliable and extremely robust against any form of attack, and it's something people can use anonymously without trade-offs.

You might think, "That's impossible!". I admit that it was not easy, but we did it!  Merlin is capable of all of that.

Let me give you an idea of how.


Weaknesses and strengths

Many people are familiar with peer-to-peer (P2P) networks like BitTorrent. Perhaps you use one to 'obtain' files, or share stuff with other people? 

That's great for users, but content producers and copyright owners hate it when people copy music or movies for free.  They've tried every technical means at their disposal to stop it, but nothing has worked: By their very nature P2P networks are highly distributed and therefore have no central point to be challenged; it's what gives P2P networks their robustness and strength.

There are also anonymizing networks like Tor. Tor encrypts and routes your internet traffic across enough nodes that the recipient cannot tell where the message came from.

This is a clever idea and it's very secure, but it has a fundamental flaw: anyone can run a Tor node. And that's a problem because Tor works well only if the number of trusted nodes is much larger than the number of malicious ones.

These days, it's very likely that intrusive organizations are now running a substantial fraction of the Tor network and use the knowledge so gained to map the chain of connections of many Tor users. This destroys Tor's anonymity.


Merlin and Kahuna™ are better

Merlin uses the Kahuna™ network to connect you with other Merlin users.  In Kahuna™ we've adapted the design of peer-to-peer systems to create a globally distributed network in which the servers themselves are the peers, which we call a server-to-server (S2S) network.  It's a completely new kind of 'internet within the internet'.  We've combined cutting-edge encryption technology, such as an adaptation of the TextSecure protocol developed by Open Whisper Systems, with our new S2S topology to create a network with total encryption and a higher degree of anonymity than Tor.  

Plus, Kahuna™ is extremely robust because it's massively distributed, and because servers can join and leave the network autonomously — just like computers in a P2P network.  This allows us to run it on a zero-knowledge basis, which means we don't know who is using Kahuna™ and we don't and can't know anything about the data they exchange.  Put simply, Merlin over Kahuna™ is both encrypted and anonymous - only the users have the keys.


1 http://en.wikipedia.org/wiki/Heartbleed

2 http://en.wikipedia.org/wiki/POODLE

3 http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html

4 http://www.bittorrent.com/

5 https://www.torproject.org/

6 https://github.com/WhisperSystems/TextSecure/wiki/ProtocolV2


Published on 2021-03-12 by:
Dr. K
Director of Networking

All things Kahuna™... and much more.