I2P 2.3.0 Release Fixes Vulnerability

I2P 2.3.0, the anonymous network, and i2pd 2.48.0, its C++ client, have been released. I2P is a multi-layer anonymous distributed network that operates on top of the regular Internet and uses end-to-end encryption for anonymity and isolation. The network is built in P2P mode and does not rely on centrally controlled servers.

The I2P network allows users to create web sites and blogs, send instant messages and emails, exchange files, and organize a P2P network. To use the network, I2P clients are needed, such as the basic Java-based client, which runs on various platforms. There is also an independent implementation of the I2P client in C++, known as i2pd, which is available under the modified BSD license.

The recent release fixes a vulnerability (CVE-2023-36325) that allowed an attacker to determine which router a particular user is connected through. The vulnerability was caused by an error in the implementation of the Bloom filter, which is used to filter out messages with duplicate identifiers. The issue arose from the use of a single shared Bloom filter for both client and router traffic. This allowed attackers to send a specially crafted message with a unique identifier to a user and, based on the router's reaction, determine whether a message with that identifier had passed through it before. The problem has been resolved by separating the Bloom filters for the router and client tunnels.
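The design flaw described above, as an added C++ model that is not I2P's or i2pd's code: a toy Bloom filter (constructed parameters and hash, not I2P's) guards against duplicate message IDs, and the pre-fix router uses one filter for both client-tunnel and router-level messages while the post-fix router keeps one per context. The router's accept/drop reaction to a repeated ID is the observable the leak relies on; with separated filters that reaction no longer depends on client-tunnel history. Router, message and function names are hypothetical.

```cpp
#include <bitset>
#include <cstdint>
// Toy Bloom filter keyed by message ID. Constructed model: I2P's real filter
// size, hash count and hash functions are not reproduced here.
class BloomFilter {
public:
    // Duplicate check as the router uses it: a previously seen ID is dropped.
    bool acceptOnce(uint64_t id) {
        if (mightContain(id)) return false;
        add(id);
        return true;
    }
    void add(uint64_t id) { for (unsigned i = 0; i < K; ++i) bits_.set(index(id, i)); }
    bool mightContain(uint64_t id) const {
        for (unsigned i = 0; i < K; ++i) if (!bits_.test(index(id, i))) return false;
        return true;
    }
private:
    static constexpr unsigned M = 1u << 16, K = 4;
    static unsigned index(uint64_t id, unsigned i) {  // splitmix64-style mixer
        uint64_t x = id + 0x9E3779B97F4A7C15ULL * (i + 1);
        x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
        x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
        return static_cast<unsigned>((x ^ (x >> 31)) % M);
    }
    std::bitset<M> bits_;
};
// Pre-fix design: router-level and client-tunnel messages share one filter.
struct SharedFilterRouter {
    BloomFilter filter;
    bool acceptClientMessage(uint64_t id) { return filter.acceptOnce(id); }
    bool acceptRouterMessage(uint64_t id) { return filter.acceptOnce(id); }
};
// Post-fix design: one filter per context, so neither can observe the other's history.
struct SeparatedFilterRouter {
    BloomFilter clientFilter, routerFilter;
    bool acceptClientMessage(uint64_t id) { return clientFilter.acceptOnce(id); }
    bool acceptRouterMessage(uint64_t id) { return routerFilter.acceptOnce(id); }
};
// An ID that earlier crossed the victim's client tunnel is later presented to the same
// router at router level; dropping it as a duplicate reveals the client message's path.
template <class Router> bool routerReactionLeaksClientHistory(Router& r, uint64_t id) {
    r.acceptClientMessage(id);          // victim's client-tunnel message
    return !r.acceptRouterMessage(id);  // dropped as duplicate => leak
}
bool sharedDesignLeaks()    { SharedFilterRouter r;    return routerReactionLeaksClientHistory(r, 0x1234); }
bool separatedDesignLeaks() { SeparatedFilterRouter r; return routerReactionLeaksClientHistory(r, 0x1234); }
// Separating the filters must not break duplicate suppression within one context.
bool separatedStillDropsDuplicates() { SeparatedFilterRouter r; return r.acceptRouterMessage(7) && !r.acceptRouterMessage(7); }
```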

Other notable changes in this release include:

  • Optimization of NetDB lookups and rate limiting of how intensively messages are sent (Rate-Limit).
  • Improvement of the behavior of routers operating in FloodFill mode.
  • Addition of another default I2P provider, not_bob.
  • Provision of the ability to set the maximum lifetime of records in the blacklist of blocked IP addresses.
  • Addition of an API for customizing the DTG graphical interface through plugins.

Sources: reports, release notes, official announcements.