
Orchid Protocol

A Decentralized Marketplace
Developer Tools
Orchid Labs Inc.
What is Orchid Protocol?
Orchid is a platform that enables an onion routing network incentivized by OXT and a multi-hop VPN client. The Orchid community believes in Open Source software and that Orchid can enable a brighter, freer and empowered future.

Orchid’s mission is privacy, and privacy is a human right
Privacy and freedom are not in conflict; they are one and the same. Privacy is an easy target for those in power who say, “if you have nothing to hide, you have nothing to fear.” This is a lie. The truth is that the people in positions of power have the least to worry about being private. We stand in solidarity with causes dedicated to privacy and to other fundamental human rights. Movements that fight for freedom and equality, that fight against oppression and censorship, that help by creating the tools to level the playing field for all.

The Orchid protocol: A tunneling protocol incorporating payments
Orchid has a new VPN protocol developed to work in concert with nanopayments to provide payments at networking speeds. The protocol runs on top of WebRTC for firewall traversal.

The Orchid server: Configuring nodes for service exchange
Providers on Orchid run the Orchid server which accepts connection requests and provides service in exchange for immediate payment via the nanopayment system.

Orchid Accounts: The cornerstone of the nanopayment system
Orchid Accounts hold the funds that are sent through Orchid’s scaling nanopayment system. Users are responsible for managing their accounts on the blockchain within the Orchid DApp. Alternatively, fiat users can utilize a Prepaid Access Credits Account managed by Orchid. Each account is composed of a public/private keypair, a special funder wallet that controls the account, and the account makeup (deposit & balance), which determines how efficient the account is at transmitting payments.

Nanopayments: Layer 2 scaling that enables high-frequency, trustless interactions
Orchid uses off-chain probabilistic payments to create a highly liquid marketplace for buying and selling bandwidth. Payments at packet scale allow for trustless interactions by reducing implicit floated balances between buyers and sellers. Marketplace participants can send & receive payments at networking speeds.

Orchid account manager: A simple application for managing funds on the layer 2
The Orchid dApp is a hosted front-end for creating and managing Orchid accounts. After connecting a wallet, users can move funds in and out of the layer 2, along with making modifications for account makeup, payment efficiency and ticket sizing.

Multichain support: Make payments on an expanding list of EVM-compatible blockchains
Multi-chain compatibility gives users an alternative to high gas prices on Ethereum by allowing them to pay for service on other chains. A system for multiple chains allows users and providers options to find lower transaction fees, and helps provide the most competitive network fee pricing to users everywhere.

Decentralizing trust between buyers and sellers
The VPN market is exploding with worldwide growth as users fight to regain privacy and break out of state controlled firewalls. OXT is Orchid’s native ERC-20 digital asset that providers use to compete for user payment flow.

STAKING & STAKEWEIGHTING: Algorithmic, incentive-aligned server selection
Providers on Orchid run the Orchid server which accepts connection requests and provides VPN service in exchange for immediate payment via nanopayments. Orchid providers stake OXT tokens in an Ethereum smart contract (the directory) to advertise their services to clients. Orchid clients then select providers randomly, weighted by proportional stake, so that the probability of picking a particular provider is equal to their fraction of the total stake. Users benefit by getting a provably randomized server from a pool of providers while providers have a mechanism to advertise for users through OXT stake.
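The stake-weighted selection described above, as an added example (not Orchid's own code): each provider owns a segment of a line proportional to its stake, and a random point picks the segment. The provider labels and stake figures are constructed, and the last function goes beyond this paragraph by assuming each hop of a multi-hop circuit is an independent draw, to show how stake concentration translates into one provider seeing a whole circuit.

```python
import bisect
import secrets
from itertools import accumulate

# Constructed directory for illustration: provider label -> staked OXT (whole units).
DIRECTORY = {"provider-a": 500, "provider-b": 300, "provider-c": 200}

def select_provider(directory, point=None):
    """Return a provider chosen with probability stake / total stake.

    Each provider owns a segment of the line [0, total) as long as its stake;
    `point` says where on that line the draw landed. If omitted, it comes
    from the OS CSPRNG so the choice is not predictable to an observer.
    """
    names = [n for n, stake in directory.items() if stake > 0]
    if not names:
        raise ValueError("no provider with positive stake")
    bounds = list(accumulate(directory[n] for n in names))  # segment end offsets
    total = bounds[-1]
    if point is None:
        point = secrets.randbelow(total)
    if not 0 <= point < total:
        raise ValueError("point outside [0, total stake)")
    return names[bisect.bisect_right(bounds, point)]

def selection_share(directory):
    """Exact per-provider selection probability, by walking every point."""
    total = sum(s for s in directory.values() if s > 0)
    hits = {}
    for point in range(total):
        name = select_provider(directory, point)
        hits[name] = hits.get(name, 0) + 1
    return {name: count / total for name, count in hits.items()}

def same_provider_all_hops(directory, hops):
    """Chance that every hop of a circuit lands on one provider, assuming
    each hop is an independent stake-weighted draw (an assumption here)."""
    return sum(share ** hops for share in selection_share(directory).values())

if __name__ == "__main__":
    print(selection_share(DIRECTORY))
    print(same_provider_all_hops(DIRECTORY, 3))
```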

An advanced VPN client built on the Orchid platform
The Orchid VPN app is a demonstrated use-case of Orchid’s decentralized marketplace, tunneling protocol, and the network's other interconnected components. The client provides protection from snooping ISPs, unblocks websites cut off by firewalls, and offers many other privacy benefits. Bandwidth sellers receive payments in real-time as they provide service and stake OXT to compete for service requests. Buyers use customized or pre-paid cryptocurrency accounts to purchase bandwidth from stakeweighted providers using Orchid’s probabilistic nanopayment system.

PREPAID ACCESS CREDITS: A frictionless payment system
Orchid’s Prepaid Access Credits provide users the option to pay in fiat for VPN credits denominated in the xDAI stablecoin through a simple in-app purchase on mobile devices. The credits are only spendable with Orchid’s preferred providers for VPN service. The system allows for a simple 30-second onramp from any credit card connected to your phone to fund an account with xDAI.

Explore our code
All of Orchid’s code is Open Source and freely available to download on GitHub. Use of Orchid’s source code is governed by the AGPLv3 copyleft Open Source license. Come and follow our project: the community develops code “in the open” by continually pushing changes that anyone can see on GitHub and tagging releases as appropriate. We invite all developers and any curious parties to explore Orchid’s code.
Android, iOS, macOS
Basic Internet connections function by transmitting packets of data between two hosts (computers). In order to find their way, packets contain both a source and destination IP address. As packets move from the destination to the source, different routers and physical infrastructure require both of these addresses for the two-way connection to be established and maintained. This means that instantly and over time, the owners of the physical infrastructure are in a position to build a profile of Internet usage on their paying user (you!) and also to block content as the owner sees fit.

Typically these infrastructure owners are ISPs — mobile carriers providing phone data connections, home cable Internet providers, WiFi hotspot operators, and any Internet backbone operators that have peering agreements with user-facing ISPs. In all these cases, the ISP is in an advantaged position to monitor and/or restrict Internet usage. It is common in many countries for ISPs to restrict content so that users cannot load certain websites.

If you are not happy with or do not trust your existing ISP(s), by using Orchid you can currently limit their knowledge to knowing only that you are sending and receiving bytes through Orchid, and completely block their ability to mess with the details of your traffic, unblocking the previously blocked content. They either block all of Orchid or nothing, so if things continue to work after turning on Orchid, then your ISP has allowed 'Orchid in general' and cannot manipulate the individual bytes between you and the rest of the Internet, granting you access to the entire Internet.
The goal with the Orchid app is to give users insight and control over the network connection of their device. To gain privacy, users configure a circuit in Orchid by setting up an Orchid account and funding it with OXT. Then the Orchid app connects to the Orchid network and selects a node using Orchid’s linear stake-weighted algorithm to serve as a VPN and pays for bandwidth via a continuous stream of tiny OXT nanopayments.

In a single-hop circuit configuration, Orchid provides:

Protection from websites seeing your real IP address and physical location

Protection from your ISP seeing what websites you are visiting and when

Access to the open Internet--once a user can connect to Orchid, they are not restricted by ISP level firewalls and can browse the entire Internet freely

A potential problem with using only a single VPN provider is that the provider running the single node circuit knows both your IP address and the content you are accessing. If the provider maintains logs, those logs could be sold to advertisers or otherwise used against you. In the current VPN marketplace, it is hard to know who is maintaining logs and who is not. For Orchid nodes, we have developed a flexible curation system that gives users a way to pick whom to trust.

Another solution is to trust no single provider with enough information to know both who you are and what information you are accessing. To that end, Orchid supports an advanced feature that allows users to configure multi-hop routes by stringing together multiple nodes into a flexible multi-hop circuit. Orchid currently supports several underlying protocols including the native Orchid VPN protocol and OpenVPN, allowing users to mix and match Orchid nodes with traditional VPN nodes. While the potential is there to protect the user from any one provider knowing enough information to reveal their circuit, this is an advanced feature that is currently 'use at your own risk'.
The Orchid app pays for the circuit by sending a continuous stream of tiny nanopayments to providers for the duration of the connection. The nanopayment architecture locks user funds into a smart contract and, very rarely, winning tickets result in macro-payments posted on the blockchain where the account exists. When that happens, the user’s address, the provider’s address, and a timestamp are stored publicly on the blockchain. Note that the payment address of the provider is not a mapping to any single server; instead it is an arbitrary (and potentially temporary) payment address that the provider created specifically to receive funds. Also, the frequency of how often on-chain payments occur is configurable by the user.

All information gained by a potential network attacker is an advantage. However, consider exactly what information is revealed. For an Orchid user running a single hop circuit: the provider sees the user’s payment address when it accepts service, along with the user’s real IP address and the destination addresses that the user is connecting to (if it maintains logs). Once a rare on-chain payment is made, the user’s payment address and provider’s payment address are stored on the blockchain with a timestamp available to the public.
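How ticket sizing changes the number of public on-chain records for the same spend, as an added example that is not Orchid's code or ticket format. It uses a generic hash-lottery construction; the commit-then-nonce flow, the function names, the token amounts and the session label are all assumptions made for illustration.

```python
import hashlib

HASH_SPACE = 1 << 256  # number of possible SHA-256 outputs

def ticket_wins(provider_secret, user_nonce, win_prob):
    """True when H(secret || nonce) lands in the lowest `win_prob` of the hash space.

    Assumed flow: the provider commits to the secret (publishes its hash)
    before the user chooses the nonce, so neither side alone picks the outcome.
    """
    digest = hashlib.sha256(provider_secret + user_nonce).digest()
    return int.from_bytes(digest, "big") < int(win_prob * HASH_SPACE)

def run_session(spend, face_value, win_prob, label=b"constructed-session"):
    """Send tickets until their expected value covers `spend`.

    Returns (tickets_sent, winning_tickets). Only a winning ticket is claimed
    on-chain, so the second number is the count of public records created.
    """
    tickets = round(spend / (face_value * win_prob))
    secret = hashlib.sha256(b"provider-secret|" + label).digest()  # constructed
    wins = sum(
        ticket_wins(secret, label + i.to_bytes(8, "big"), win_prob)
        for i in range(tickets)
    )
    return tickets, wins

def expected_onchain_records(spend, face_value):
    """Expected winning tickets: tickets * win_prob = spend / face_value."""
    return spend / face_value

if __name__ == "__main__":
    # Same spend and same per-ticket expected value, two ticket sizings.
    for face, prob in ((1.0, 0.01), (10.0, 0.001)):
        sent, won = run_session(100.0, face, prob)
        print(face, prob, sent, won, expected_onchain_records(100.0, face))
```

A larger face value with a proportionally smaller win probability leaves fewer address-and-timestamp records on-chain for the same spend, at the cost of more variance in what the provider actually collects.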

When considering anonymity, it is important to understand if the user is linked to the crypto used in their circuit. Worst case, if the user purchased the crypto used to fund the account on an exchange with their real identity, or the VPN provider used in the circuit maintained logs, then either of those two entities could be compelled to give information that could deanonymize the user. Similarly, a user who paid with a credit card for a traditional VPN service that maintained logs could be deanonymized with just one entity being compelled.

A multi-hop circuit affords greater network protections, but to set up a multi-hop Orchid circuit, it would be naive to pay for each hop from the same Ethereum wallet. In that configuration, each provider would be able to see that wallet’s address and potentially use that address to get information about the user. To mitigate that, a better way to set up multi-hop circuits would be to use different wallet addresses for each Orchid hop. If every wallet address is independently dissociated from the user, the full circuit might be quite difficult to link back to the user. Again, multi-hop circuits in Orchid are an advanced feature; use at your own risk.
Yes, providers on Orchid could monitor the bytes that come in and out of the Orchid node. However, all traffic carried over Orchid between hops from the user to the exit is encrypted at the Orchid protocol level, which is an additional layer of encryption. The final exit traffic is then decrypted by the exit node and sent to the destination. In many cases the underlying traffic will also be encrypted with protocols such as TLS, providing at least two layers of encryption.

However, not all traffic on the Internet is encrypted and Orchid doesn’t fix that problem. The last hop configured in the active circuit will need to send the user requests out onto the Internet. So if the user sends an HTTP request, which has no SSL/TLS encryption, Orchid will honor that request and cleartext information would be revealed to the Orchid node. For this reason, you should always use SSL/TLS for sensitive Internet connections, even on Orchid. And even SSL/TLS encryption leaves metadata that the Orchid node could monitor, including the destination address, hostname, packet sizes and the timing of packets.

Using Orchid’s multi-hop feature with a three hop circuit would compartmentalize the information any one provider could monitor. With a properly configured multi-hop circuit the origin and destination of the traffic would be anonymized from any one provider. However, that is an advanced feature which is currently 'use at your own risk'. The way the different Orchid hops are funded has an impact on information leakage that could potentially de-anonymize the user.

Lastly, the Orchid client randomly selects from a 'curated list' of providers. This adds an additional layer of protection, as users could pick or make their own curated list of providers that they, or someone they trust, trust. Orchid has a default list of trusted providers that ships with the Orchid app.

Orchid is a tool that keeps private certain types of information from ISPs, websites, and providers. Orchid adds layers that separate you from the content you are trying to access. If you log in to Amazon, the website will know that it is you and can build out information about what you are doing on their website, even with Orchid enabled. However, your local ISP or network provider will not know you are visiting Amazon. Amazon will not know where you are in the world, and will not get your real IP address. If using at least three hops, no single provider will know your IP address and know that you are accessing Amazon.

Also consider that Orchid is a VPN and that all VPNs have vulnerabilities at the software level. Typical modern browsers that are not 'hardened' run all sorts of “active content” such as Java, JavaScript, Adobe Flash, Adobe Shockwave, QuickTime, RealAudio, ActiveX controls, and VBScript and other binary applications. This code runs at the operating system level with user account access, meaning it can access anything your user account can access. These technologies could store cookies, bypass proxy settings, store other types of data and share information directly to other sites on the Internet. Therefore, these technologies must be disabled in the browser you are using to improve your security in conjunction with using Orchid.

Other metadata such as the size of the browser window, type of pointing device used and other unique information could be used to 'fingerprint' the user and potentially de-anonymize them. These browser fingerprinting attacks could affect any VPN users, Orchid included. Hardened browsers can help reduce or eliminate the user’s visible browser fingerprint.

Also certain apps or code running on your device could send de-anonymizing data out to the Internet or third parties. No VPN can prevent attacks from arbitrary software running on your device, such as malware or a virus.

Furthermore, there is active network security research into 'traffic fingerprinting' attacks that attempt to reveal private information by monitoring encrypted connections. By watching the timing and size of packets, an adversary monitoring an encrypted connection could get a good idea if a particular user is watching a video, browsing the Internet or downloading a large file. Further analysis could reveal what websites are visited by seeing the sequence of things that are loaded, again using the timing and size of packets along with when requests are made.

Orchid is researching 'bandwidth burning' and related techniques to help obfuscate a user’s traffic against these advanced packet timing and size analysis attacks.