It is an an exciting time for The Invisible Internet Project (I2P). We are completing our migration to modern cryptography across all of our transports, ( Java and C++), and we have recently gained a high-capacity and professional outproxy service, and there are more applications integrating I2P based functionality than ever. The network is poised to grow, so now is a good time to remind everyone to be smart and be safe when obtaining I2P and I2P-related software. We welcome new applications, implementations, and forks with new ideas, and the power of the network comes from its openness to participation by all I2P users. In fact, we don’t like to call you users, we like to use the word “Participants” because each of you helps the network, in your own way by contributing content, developing applications, or simply routing traffic and helping other participants find peers.
You are the network, and we want you to be safe.
We have become aware of attempts to impersonate I2P’s presence on the web and social media. To avoid offering momentum to these campaigns, we will not mention the actors affiliated with them, However, in order to help you recognize these campaigns should you encounter them in the wild, we are documenting their tactics:
- Copying text directly from the I2P Web Site without acknowledging our license requirements in a way that may suggest endorsement.
- Involvement or promotion of an Initial Coin Offering, or ICO
- Crypto-Scam like language
- Graphics that have nothing to do with the textual content
- Click-farming behavior, sites that appear to have content but which instead link to other sites
- Attempts to get the user to register for non-I2P chat servers. We come to you or you come to us, we will not ask you to meet us at a third-party service unless you already use it(Note that this is not always true for other forks and projects, but it is true of geti2p.net).
- The use of bot networks to amplify any message on social media. I2P(geti2p.net) does not use bots for social media advertising.
These campaigns have had the side-effect of “shadow-banning” some legitimate I2P-related discussion on Twitter and possibly other social media.
Our Sites
We have official sites where people may obtain the I2P software safely:
Invisible Internet Project Forums, Blogs and Social Media
Hosted by the project
- I2P Forums - I2P Mirror
- irc: #i2p-dev on Irc2P(127.0.0.1:6668 in a standard I2P installation)
Hosted by Others
These services are hosted by third-parties, sometimes corporations, where we participate in order to provide a social media outreach presence to I2P users who choose to participate in them. We will never ask you to participate in these unless you already have an account with them, prior to interacting with us.
Forks, Apps, and Third-Party Implementations are Not Evil.
This post attempts to provide ways of vetting the source for obtaining the Java I2P package represented by the source code contained in https://i2pgit.org/i2p-hackers/i2p.i2p and https://github.com/i2p/i2p.i2p, and which is available for download from the web site https://geti2p.net/. It is not intended to pass judgement on third-party forks, downstream projects, embedders, packagers, people experimenting in laboratories, or people who just disagree with us. You are all valued members of our community who are trying to protect, and not compromise, the privacy of others. Since we are aware of attempts to impersonate I2P project community members, you may wish to review the download, verification, and installation procedures which you recommend to your users in order to document your official sources and known mirrors.
Authors Note: An earlier version of this blog post contained the TLS fingerprint of each of the services operated by the I2P Project. These were removed when a certificate renewal caused the fingerprints to become inaccurate.