Technology

Whisper is still a prototype and the implementation details are changing from day to day. Once it is more stable, the technical specifications here will be expanded.

Topology

Whisper tries to connect to every friend it can reach. This fails in two cases: first, when the friend is offline; second, when the friend is behind a closed firewall.

Assume four friends A, B, C and D. A and B are behind (separate) firewalls or NAT devices, and C and D are connected directly to the Internet. This means there is no way for A to connect to B or vice versa. But since both A and B can connect to the mutual friend D, this node can relay the message from A to B. Similar mechanisms are also used if B is offline. Common friends act as dynamic store-and-forward nodes.
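The relay decision described above can be modelled as follows. This is an added example, not Whisper's own code: the `Peer` fields, the `route` function, its result labels and the friendship graph are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    accepts_inbound: bool          # False behind a closed firewall or NAT
    online: bool = True
    friends: set = field(default_factory=set)

def could_link(a, b):
    # A TCP session needs at least one side that can accept the connection.
    return a.accepts_inbound or b.accepts_inbound

def can_link(a, b):
    return a.online and b.online and could_link(a, b)

def route(peers, src, dst):
    """Return (mode, relay_name) for a message from src to its friend dst."""
    s, d = peers[src], peers[dst]
    if dst not in s.friends:
        raise ValueError(f"{dst} is not a friend of {src}")
    if can_link(s, d):
        return ("direct", None)
    # Only common friends are candidates; strangers never carry the message.
    mutual = [peers[n] for n in sorted(s.friends & d.friends)]
    # The relay must be reachable now and able to reach dst once dst is online.
    usable = [m for m in mutual if can_link(s, m) and could_link(m, d)]
    if not usable:
        return ("undeliverable", None)
    return ("relay" if d.online else "store-and-forward", usable[0].name)

def sample_peers():
    # Constructed graph for the A, B, C, D scenario: C and D are directly
    # connected, A and B are behind NAT, and D is the only friend A and B share.
    links = {"A": "BCD", "B": "AD", "C": "AD", "D": "ABC"}
    return {n: Peer(n, accepts_inbound=n in "CD", friends=set(f))
            for n, f in links.items()}

if __name__ == "__main__":
    peers = sample_peers()
    print(route(peers, "A", "C"))
    print(route(peers, "A", "B"))
    peers["B"].online = False
    print(route(peers, "A", "B"))
```

Because the candidate set is the intersection of both friend lists, a relayed message only ever passes through a node that both endpoints already treat as a friend.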

Ports and protocols

Whisper uses TCP/IP for communication and defaults to port 20819/tcp. If this port is not available, it will try the next few ports. Next time, Whisper will default to the last port used, since it is vitally important that as many peers as possible keep their contact information (host and port) stable, which increases the number of possible communication paths. When a Whisper peer goes online, it will both connect to your friends and accept connections from them, depending on the network topology (NATs, firewalls, etc.).

To increase the number of friends you can peer with, make sure your firewall or NAT device allows incoming traffic to you on port 20819/tcp.

IPv6

To mitigate the problems with NAT devices, Whisper tries IPv6 if available, since an IPv6 address has no need for NAT. If your home network is behind a NAT, instead of relaying (DNAT) the Whisper port (default 20819/tcp), you can just open it over IPv6, making your machine connected to the IPv6 Internet without NAT.

You can run IPv6 even if your ISP does not support it, by running a 6to4 tunnel, since every IPv4 address maps to 2^72 IPv6 addresses (this is … a lot!).

Of course, Whisper works without IPv6 as well.

Security

When you first register your Whisper account, Whisper creates a digital certificate for you. This is used to sign all your messages in the Whisper network, so that no one else can impersonate you. The drawback is that if you lose your certificate or password, you have locked yourself out of the network and need to register a new account. Make sure you take a backup copy of your certificate (~/.whisper/keystore), write down your password and store them in a safe place.

All this is done in the background by the Whisper software, and the user does not need to bother about certificates at all. Not using certificates signed by a trusted third party is not a problem, since the only thing guaranteed by owning a certificate is that you own that certificate. The Whisper identity is equivalent to the certificate. Also, the Whisper network itself acts as a PKI (Public Key Infrastructure) or WoT (Web of Trust), implicitly signing friends' certificates. The only way to get hold of someone's public key is via a message from a common friend, and this message is signed by your friend, as is every message transmitted in the Whisper network.
