GUIDE

What is I2P – An Idiot’s Introduction

The Dark Web

VPN and Tor are two ways to stay anonymous and preserve your privacy when online. Each has its strengths and weaknesses, which we discuss in some detail in this article, but the bottom line is that Tor is extremely secure but very slow and unsuitable for P2P downloading, while VPN is less secure because it relies on trusting your VPN provider, but is much faster, is great for P2P downloading, and generally provides a better web browsing experience.

What both these technologies have in common is that they are primarily concerned with accessing the publicly indexed ‘visible’ (or ‘surface’) web. There is however another internet out there known as the Dark Web (or Dark net, Deep web etc.), which includes all the websites not indexed by search engines.

How big this Dark web is no-one really knows, although Mike Bergman, founder of BrightPlanet and credited with coining the phrase Deep Web, famously estimated that ‘the Deep Web is currently 400 to 550 times larger than the commonly defined world wide web’ back in 2001, and is still regularly cited today,

The Deep Web is the fastest growing category of new information on the internet … The value of Deep Web content is immeasurable … Internet searches are searching only 0,03% … of the [total web] pages available.” (Micheal K. Bergman).

Much of the so-called Dark web simply comprises of private websites (some of which have taken active measures to avoid being listed by search engines), IIRC chat forums, Usenet groups, and other perfectly legitimate web use. There also exist publicly accessible ‘darknets’, secure networks that can be accessed by the public, but which allow users a very high level of anonymity. The best known and most used of these are I2P and Freenet (we will discuss Tor in a moment).

Traditionally (and notoriously) the preserve of pedophiles, terrorists, drug dealer, gangsters and other people and material that most right-headed internet users would want nothing to do with, increasing awareness of pervasive government surveillance (thank you Mr Snowden) and ever more draconian copyright enforcement measures are fueling a surge of public interest in an internet that is ‘off-grid’.

Tor as a Darknet

Tor sits in a slightly odd position, as it was designed primarily to access the visible internet anonymously. This however is one of its primary weaknesses, as there are a limited number of exit nodes, which makes it easy to block these exit nodes, to set up ‘honeypot’ exit nodes to monitor traffic (although the way in which the onion router works should still ensure that the end user remains anonymous), and to perform ‘end-to-end-timing’ attacks to uncover the identity of Tor users.

In response to this, Tor has developed its Hidden Services protocol, which allows Tor-only websites (.onion) and services to exist entirely within the Tor network, so that users do not have to access the visible web through potentially dangerous exit nodes at all. Tor Hidden Services therefore also acts as a Darkweb, and is by far the most popular such service.

However, because Tor was not originally designed as a Darknet, alternatives such as I2P and Freenet, which were designed from the ground-up as Darknets, offer distinct advantages.

What is I2P?

The Invisible Internet Project (I2P) is a decentralized anonymizing network built using Java on similar principles to Tor, but which was designed from the ground up as a self-contained darknet. As with Tor, users of I2P connect to each other using peer-to-peer encrypted tunnels, but there are some key technical differences:

  • Unlike Tor, which uses a centralized directory to manage the overall ‘view’ of the network, as well as gather and report statistics, I2P uses a distributed peer-to-peer model
  •  Unlike Tor Onion routing, I2P uses Garlic routing, which encrypts multiple messages together to make it more difficult for attackers to perform traffic analysis
  • Unlike Tor, I2P tunnels are uni-directional, so incoming traffic and outgoing traffic are completely separate, which improves anonymity
  • I2P uses packet switching instead of Tor’s circuit switching, which means transparent load balancing of messages across multiple peers, rather than a single path. Essentially, all peers participate in routing for others
  • I2Ps uses its own API rather than SOCKS which is used by Tor. This helps to make I2P more secure than Tor.

The end result is that if using hidden services, I2P is both much faster than using Tor (it was designed with P2P downloading in mind), more secure, and more robust.

Just as Tor is primarily a tool designed to anonymously access the visible web, but which can be used as a Darkweb, I2P is a Darkweb tool that can also be used to access the surface web anonymously through ‘Outproxy’s’ (which are equivalent to Tor Exit Nodes). I2P Outproxies suffer similar weaknesses to Tor Exit Nodes however, and the fact that there are far fewer of them (as I2P has a much smaller user base) means that they are potentially more open to attack.

One thing to note is, as with VPN and Tor, I2P does not hide the fact that you are using the service, but does make it very hard to discover what you get up to when connected to it.

What can I do with I2P?

Still need I2P explained a little bit more? Don’t worry. I2P is effectively an internet within an internet, and once connected you can send email, browse websites, use blogging and forum software, host websites, take advantage of decentralized file storage, engage in anonymous real-time chat, and much more. As noted, you can also surf the open web anonymously, but I2P is probably not the best tool for the job in this regard.

VPN vs Tor vs I2P – Which should I use?

The simplest answer is that it depends on what you want to do. Fortunately, there is nothing stopping you using all three depending on the task at hand, which is the approach we would advocate.

  • VPN – for general internet use VPN is fast and easy to use, while providing a high degree of privacy. We firmly believe that people should VPN all the time by default to prevent dragnet surveillance by the likes of the NSA. It is also ideal for P2P downloading.
  • Tor – if you need to interact with the outside world as anonymously as possible (for example you are a whistleblower wanting to contact a journalist) then Tor cannot be beaten (and a further layer of anonymity can be added by connecting to Tor through a VPN service). If you want to surf the internet anonymously for free then Tor is also good, but it can be frustratingly slow. Although Tor Hidden Services are not as secure or fast as I2P, their relative popularity can make them more fun, and may be important to website owners looking for visitors. It is also older, has more developers, and is better funded
  • I2P – is technically the superior option is you want to access the Dark web, and is our tool of choice for this. Although not as popular as Tor Hidden Services, it is still very sociable (and much more so than rival Freenet), and is an excellent choice for P2P downloading. Like Tor, it is a good free option for accessing the visible web anonymously for free (and may be faster), but the limited number of Outproxies mean that it is also much less anonymous when used in this way.

Check out our article on How to use I2P: An idiot’s guide, and look out for our upcoming article on Freenet.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


33 responses to “What is I2P – An Idiot’s Introduction

    1. Hi Boo,

      Indeed, although you will also suffer the combined speed hit of using both networks (which are slow to start with).

  1. HI Douglas I wanted to get your input on two things. One what’s your opinion of Cryptainer encryption software from Cypherix software? and what is the best firefox extension for passwords both for creating passwords, storage and use.
    Thank you
    Cyberzyme

    1. Hi ralremr,

      That depends on what you are looking for. IMO VyprVPN provides the best technical performance, but is not so hot on privacy. AirVPN provides excellent privacy and performance, but is definitely aimed at techies (BolehVPN is in many ways similar, and is also an excellent choice, especially for users in Asia and Australia etc.) ExpressVPN strikes a good balance between performance, privacy, and user-friendliness…

    1. Hi ravinder,

      I no longer have I2P installed on my PC, but do not remember any particular when uninstalling it. Are you having problems using the standard Windows “Program and Features” uninstall procedure?

  2. Hi Douglas,

    Have you receive a response from AirVPN, yet? Or, have you otherwise been able to ascertain any more information on whether or not 3rd parties (in the EU specifically) would be willing to provide information to national authorities?

    As a Systems Engineer, I created my own VPN using a ”well known” Cloud service, and connect over that. From there, when I so choose, I can connect to TOR to browse anonymously and receive the double-benefit that you refer to in this article. Tonight’s challenge? Setup I2P, and connect to it over my VPN tunnel. 🙂

    And, for true anonymity, the old saying remains true: If you want something done right, do it yourself. Whether it be a VPN service, an alternative to Dropbox / Google Docs (BTSync), or your email (self-hosted email [1]), we should all be taking back control over our privacy. Self-hosted solutions are readily available as Free Open Source Software, and there are tons of tutorials on how to properly set them up, and configure them to protect one’s self. For the true over-achievers, you can also host your own TOR exit nodes on a Virtual Private Server (VPS), and disable logging so that there are no records to be ascertained with a warrant.

    One other suggestion for you and your readers is to use an Operating System that was intended for anonymity; TAILs was the “go to” for a long time, but a new solution (which I have yet to test, but looks quite promising) is Subgraph OS [2]: An operating system that was not only built with security in mind, but is extensible and intended to be as user-friendly as possible. Not many security solutions out there take into account usability, but this operating system sounds like it is doing a good job at covering both bases.

    [1] http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
    [2] Hi Douglas,

    Have you receive a response from AirVPN, yet? Or, have you otherwise been able to ascertain any more information on whether or not 3rd parties (in the EU specifically) would be willing to provide information to national authorities?

    As a Systems Engineer, I created my own VPN using a ”well known” Cloud service, and connect over that. From there, when I so choose, I can connect to TOR to browse anonymously and receive the double-benefit that you refer to in this article. Tonight’s challenge? Setup I2P, and connect to it over my VPN tunnel. 🙂

    And, for true anonymity, the old saying remains true: If you want something done right, do it yourself. Whether it be a VPN service, an alternative to Dropbox / Google Docs (BTSync), or your email (self-hosted email [1]), we should all be taking back control over our privacy. Self-hosted solutions are readily available as Free Open Source Software, and there are tons of tutorials on how to properly set them up, and configure them to protect one’s self. For the true over-achievers, you can also host your own TOR exit nodes on a Virtual Private Server (VPS), and disable logging so that there are no records to be ascertained with a warrant.

    One other suggestion for you and your readers is to use an Operating System that was intended for anonymity; TAILs was the “go to” for a long time, but a new solution (which I have yet to test, but looks quite promising) is Subgraph OS [2]: An operating system that was not only built with security in mind, but is extensible and intended to be as user-friendly as possible. Not many security solutions out there take into account usability, but this operating system sounds like it is doing a good job at covering both bases.

    HTH.

    [1] http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
    [2] https://subgraph.com/

    1. Hi Anonymous,

      1. Oops… sorry. This slipped my mind,

      About Data Retention Directive transpositions in Member States, as well as any other law of course (with *maybe* exceptional exceptions in the field of civil contractual agreements, if any), our servers activity applicable law is the law of the country in which the server is physically located.

      The Data Retention Directive has been declared definitely invalid since its birth by the CJEU, so all of its transpositions are invalid as well:
      curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf

      (The reason is infringement of fundamental rights, so any similar law will have to be checked carefully, because infringement of human rights is probably the most monstrous consequence a law can achieve.)

      About jurisdiction vs. applicable law in the field of data protection in the Information Society, please see:
      ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf

      There is also a very wide jurisprudence that shows how the applicable law for a server located in a Member State territory is the law of the country in which the server is located.

      D.Lgs you cite and subsequent modifications are invalid due to the CJEU decision, but that’s irrelevant for the above “applicable law”reasons, because we have no VPN servers in Italy (and no web servers).
      ….
      ‘Some EU Member States never implemented Data Retention or canceled it as unconstitutional years before the CJEU decision (Germany, Romania; Belgium, although for different reasons).

      Other EU countries have abrogated their data retention laws soon after the CJEU decision (the Netherlands, Austria, Bulgaria, Ireland etc. etc.) please see
      http://www.openrightsgroup.org/assets/files/legal/Data_Retention_status_table_updated_April_2015_uploaded_finalwithadditions.pdf

      In UK the law scope does not seem to cover VPNs, but we’re not sure: the law is ambiguous.

      Any other non-complying legislation such as the one in UK (if it can be applied to our service) has no value for us, the CJEU has higher authority and we have more than enough resources to challenge any government up to the CJEU should any entity require us to perform activities breaking fundamental right according to the CJEU decision. We do not log, monitor or inspect clients traffic in any of our VPN servers.

      Basically, as far as I can gather, EU counties powers to monitor VPN connections has not really been to the test…

      2. Self-hosted solutions are in general a good idea, but most people do not have the technical expertise or interest to implement them so good ready-made solutions still have great value. Look out, however, for more articles on self-hosting services. I will note that self-hosting VPN does not provide as much anonymity as using a good no-logs commercial services as the VPS address is directly traceable to the owner (unless you, as you have done, further steps are taken to improve anonymity/privacy).

      3. Subgraph OS looks interesting and I will look into it further, Thanks for the tip!

    2. Anonymous,
      how do you create a VPN on a “well known” cloud server?

      And am I correct in assuming that all traffic can only be traced back to the cloud server?

      Were you able to achieve the I2p over the VPN? if so how?

      1. Hi Cyberzyme and Anoymous,

        Please be aware that running your own VPN on a cloud server is not as anonymous as using a privacy-oriented commercial VPN service. Not only do these services use shared IP’s (many customers using the same IP address) to make it difficult to associate any internet activity with any individual user, but they are also setup with the aim of protecting users privacy. A cloud storage providers, on the other hand, will have no qualms at all about handing over your details to the authorities or closing your account when served with a DMCA notice…

  3. Yes. You got the point, if the VPN service provides access to the Internet (which is the case of AirVPN) it should, in my opinion, fall in the second of the four categories contemplated in the mentioned law, therefore obliged to keep all user data pertaining his internet access for up to two years.

    If, on the other side, the VPN doesn’t provide access to Internet, then they shouldn’t be obliged to keep those user data.

    That’s why VPN as service per sé is in my opinion not mentioned.

    Please ask them and let me know.

    Of course we are just discussing about not being obliged to keep those data, not about being obliged of not keeping those data, which is what should really matter in terms of our privacy.

    As far as I know, this kind of protection, in Europe, is only available in Gibraltar.

    1. Hi Rosario,

      As a British Overseas Territory, I would not trust Gibraltar. For a lengthier(if a little old) discussion on this subject, please see Data retention, VPN logging and internet surveillance in Europe, but in general we usually consider Bulgaria, Luxemburg, Netherlands, Romania and Sweden good locations for VPN because the DRD (or local versions of it) have not been applied to VPN providers in those countries (as far as we can tell – deciphering often often arcane, little discussed, and poorly worded laws that are usually only available or even discussed in the local language makes getting hold of hard facts a somewhat frustrating exercise). I will let you know what AirVPN’s reply is is.

  4. Dear Douglas,

    The Italian law covering the matter is the “decreto legislativo n. 109” of May, 30th 2008.

    You can download it at the following link:

    http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/export/1607282

    At page 3, article 3, paragraph 1, subparagraph a.2, it states clearly that all data pertaining user access to Internet have to be monitored and kept for two years.

    Since their VPN provides access to Internet, indeed they keep your data.

    I agree with you, unless we have access to the device drivers of the baseband chips, we cannot be secure. But we can still do something, like using only open source community developed (and financed) code.

    As for trusting technology financed by the government, I have my doubts. I would rather use i2p instead.

    Please check more about textsecure and the other technology….

    1. Hi Rosario,

      Thank you for that link. As far as I can see, however, ‘page 3, article 3, paragraph 1, subparagraph a.2,’ relates to ‘Categories of Data to Be Retained by Telephone and Electronic Communications Operators’ and says ‘… electronic mail… and says, ‘the IP address used and the electronic mail address as well as any additional ID related to the sender’ . (Official English translation here).

      Scanning through the legislation, the most relevant phrases that I can find are:

      f. “user ID” shall mean a unique identifier allocated to persons when they subscribe to and/or register with an Internet access service or Internet communications service;
      g. “uniquely allocated IP (Internet protocol) address” shall mean the (IP) protocol address enabling direct identification of the subscriber and/or user performing communications on the public network. (Section 1 Definitions)

      and

      5. The providers of publicly available electronic communications services that make available Internet access services (Internet Access Providers) shall ensure that IP addresses are available and allow unique identification by ninety days as from the date of entry into force of this decree. (Section 6 Transitional and Final provisions)

      Am I missing something (I may well be)? Nothing that I can see specifically includes VPN providers in the law (I do not think that VPN providers count as an ‘Internet access service or Internet communications service’, but I could be wrong. I shall contact AirVPN and see what they say.

      As for funding of projects, as long as they are community developed and open source, where the money come from should not really matter.

      I will investigate TextSecure etc. further.

  5. Dear Douglas,

    Air VPN is provided by a company located in Italy.

    Italy, like almost all the countries in the European Union, is subject to a law that incorporated the EU/2006 directive (declared null in 2014) which obliges all the companies providing any sort of access to the Internet to keep detailed logs of their users for a minimum of six months up to two years.

    Therefore in some respects even worse than the Patriot Act.

    We may argue that a general VPN service doesn’t provide per se access to Internet. Can we say so about Air VPN?

    How easy is for an US agency to access those logs?

    Extremely. US arrived in Italy in 1945 and never left.

    As for Tor/textsecure/redphone, did you know that they are financed by the US intelligence at the speed of several millions of USD per year?

    Check my blog on Facebook for the references (www.facebook.com/isherclub) or search about the investigation made by the journalist at Pando.

    To be clear Switzerland is subject to even more strict laws concerning telecommunication data retention, meaning they keep those records for longer.

    When you purchase a service look first where they are located and which laws applies in such countries, examining even their constitution if you can.

    I usually do so.

    Have a great day
    Rosario

    1. Hi Rosario,

      As I understand it, the EU Data Retention Directive is not applied to VPN’s under Italian implementation of the law (which has now been declared unconstitutional by the European Court of Justice, although no EU country has taken much action on this front). As for the NSA, well… it is certain that the NSA has targeted Italian communications, and Italy is among the NSA’s ‘Fourteen Eyes’ spying partners. How far this means it can interfere with ordinary Italian services such as AirVPN, however, is difficult to tell, but AirVPN has always shown admirable dedication to users’ privacy.

      That Tor is partly funded by the US military is well-known, but this does not seem to make it easier for US intelligence services to compromise users (it’s all in the way its setup). I plan to investigate TextSecure and Redphone further, but I would consider manufactures’ root access to all smart phones via the baseband processor to be a bigger worry (although as I currently understand it, these represent the most secure communications options currently available). They are open source, so can be checked for backdoors etc. Expect an article on this subject very soon…

  6. I signed up for a ProtonMail account, and currently on the waiting list. I read your review and done some research on them. They seem like one of the few viable email service providers that account for privacy in a major way. Tutanova I haven’t looked into, however will check them out so I can compare the 2. Also Douglas is there any way to use Tor in Google chrome/Firefox instead of the tor browser but with all the tor functionality?

    Thanks

    1. Hi billy,

      Both ProtonMail and Tutanota have their advantages and weaknesses, and both are evolving new features all the time. The Chrome browser is fatally flawed when it comes to privacy, as it sends lots of information back to Google (Chromium is not immune to this either). The Tor Browser is basically Firefox with all the security settings maxed out, plus HTTS Everywhere and NoScript pre-installed., and Disconnect used as the default search engine. The Tor Browser is now the only recommended way of using Tor (past versions of Tor could be used separately from the browser, but this setup has been dropped for security reasons).

      1. Hi Douglas thanks for reply!!

        You noted in one of your earlier replies that you use a number of browser plugins such as (HTTPS Everywhere, Self-Destructing Coolies, uBlock, BetterPrivacy, Privacy Badger). How do you use them in TOR, chrome or firefox?

          1. Hi billy,

            Admittedly I do. The system Firefox used to use for syncing bookmarks etc. was much more secure (end-to-end), but it confused too many users (who could also not retrieve their passwords once lost). The new system (very similar to the Chrome system, with bookmarks stored on a server with a retrievable password) is much less secure, but is so damn useful that I am guilty of using it (it is up to each individual to assess their threat model, and the extent to which they are willing to sacrifice functionality for security).

  7. Hi Douglas

    Just to say as I’m becoming more and more accustomed with Internet security, your articles have been great help in unveiling this analog blanket from my digital eyes!

    How would you use all 3 to further security/anonymity? And what methods do you use to obscure your identity online?

    Thanks

    1. Hi billy,

      Thanks! By ‘all 3’ do you mean VPN, Tor and I2P? If so, VPN over Tor provides a very high degree of anonymity when online (although this will slow down your internet connection considerably). I am not aware of a way to combine I2P with the others. I personally use AirVPN at all time, plus a number of browser plugins to prevent cross-site tracking etc. (HTTPS Everywhere, Self-Destructing Coolies, uBlock, BetterPrivacy, Privacy Badger). If I could convince more friends and family to get on board I would also use TextSecure (Signal for iOS devices) and Redphone for secure comunications. I am currently planning to migrate my email to either ProtonMail or Tutanova (I am still testing both services).

  8. I concur that I2P is way slower. But I am not sure that I have configured it correctly or something. Anyway i couldnt figure it out as I was having a hard time with my stupidity itself.

    1. Hi n30,

      I2P can definitely be quite intimidating and user-unfriendly. Have you read Part 2 of this article, where I try to cover the basics of getting up and running with it?

    1. Hi defcon,

      I would not normally reply to such a rude post, but as you may have a point relevant to our readers, I will make an exception this time. I have done some research, but can find nothing on a 20-50kb/s limit due to the streaming library, so if you would care to explain and/or provide some references, I would be grateful.

      1. Hi Douglas,

        I just thought I’d address this little post for your readers’ benefit (since it’s the first comment to appear), so that nobody ends up confused by defcon’s rude comment:
        I2P is *NOT* limited to a mere 20-50 kb/s, and most certainly is faster than Tor. The reason he and countless others mistakenly-think that it is, is because 20-50 kb/s is the default bandwidth speed I2P is set to when you install it; to avoid being set too high for those with low monthly bandwidth limits or speed.
        Upon installation of I2P, the user is supposed to open any browser and access their router control panel – where I2P configuration options now show – and manually adjust the bandwidth limit to line-up with your default set-up.

          1. Source (clearnet): http://echelon.i2p.xyz/i2p/i2pspeed.txt
            Source (i2p): http://echelon.i2p/i2p/i2pspeed.txt

            Quote:
            As most traffic on I2P (www, torrent,…) needs ack packages until new data is sent, it needs to wait until a ack package returns from the server.
            In the end: send data, wait for ack, send more data, wait for ack,..
            As the RTT (RoundTripTime) adds up from the latency of each individual I2P node and each connection on this roundtrip, it takes usually 1-3 seconds until a ack package comes back to the client.
            With some internals of TCP and I2P transport, a data package has a limited size and cannot be as large as we want it to be.
            Together these conditions set a limit of max bandwidth per tunnel of 20-50 kbyte/sec.
            But if ONLY ONE hop in the tunnel has only 5 kb/sec bandwidth to spend, the whole tunnel is limited to 5 kb/sec, independent of the
            latency and other limitations.

Leave a Reply

Your email address will not be published. Required fields are marked *