Well, that’s just Wikipedia’s blanket statement “be aware of what you download”. Torrent is not in any way more insecure than a classical browser download, in fact maybe a bit more secure. Let me try to explain.
BitTorrent is a protocol of data transfer, like http for instance.
A torrent client is just a download / upload manager for that protocol.
If I have an .iso and create a .torrent file / magnet hash, I am the only owner that can change the content of the download, cancel it, whatever; no other seed / peer can alter the initial content.
So security concerns may possibly come from:
Initial uploader is malicious and uploading some malware in the first place
Initial uploader got hijacked by bad actors / feds etc in order to change download content and infect users:
For that, hashes exist. Basically, in case there is any change in my initial .iso file upload, those who download(ed) such a file will be immediately errored out in the torrent client, saying that there’s some hashing mismatch. There’s a function called re-hash; if a peer decides to re-hash on its own, it’s a risk in the case we’re looking at here, so in torrent culture, when such a thing sometimes occurs, the user usually goes to the place of the initial download (say a forum thread) to see if the OP of that torrent is saying something like:
I’ve changed x, and added y, see file list for changes to continue download / seeding - please re-hash
If it looks legit, you should re-hash and continue.
Someone powerful like a hacker group or feds trying to somehow mangle the connection and switch packets on the fly:
In that case again, all seeds / peers of such a torrent will be immediately notified and errored out about a hash mismatch, and if they go to the OP of such a torrent and don’t see any notification from the OP like in the example given above, it will be obvious to everyone that something malicious is going on, and such a thread / torrent should be closed very fast. So people will be sure to make some noise.
So as long as you’re using a FOSS client and being reasonable, everything should be fine. It’s much easier for a malicious actor to take control of a classical download server than to take control of a torrent, because of the hashing that multiple people have in a decentralized fashion.
The only valid concern with torrent clients as they are now is privacy: it’s about as private as… well, the usual internet. Everyone sees all of the IPs.
If that’s a concern, there’s this client (Favourite Lesser Known Programs - #611 by keybreak), which masks your identity through onion routing, like Tor.
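The hash check described in the post above, as an added example that is not part of the original post: a BitTorrent v1 style sketch in which the `info` dictionary stores a SHA-1 per piece, the info-hash (the value a magnet link carries) is the SHA-1 of the bencoded `info`, and a client rejects any piece from a peer that does not match. The file name, payload and 16-byte piece size are constructed for illustration.

```python
import hashlib

PIECE_LEN = 16  # constructed tiny piece size; real torrents use far larger pieces

def bencode(obj):
    """Minimal bencode encoder (ints, strings/bytes, lists, dicts) as used in .torrent files."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # keys must be emitted in sorted order
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(obj))

def make_info(name, data, piece_len=PIECE_LEN):
    """Build the 'info' dictionary: concatenated SHA-1 digests of each fixed-size piece."""
    pieces = b"".join(hashlib.sha1(data[i:i + piece_len]).digest()
                      for i in range(0, len(data), piece_len))
    return {"name": name, "length": len(data), "piece length": piece_len, "pieces": pieces}

def info_hash(info):
    """SHA-1 of the bencoded info dict; changing any byte of the content changes it."""
    return hashlib.sha1(bencode(info)).hexdigest()

def verify_piece(info, index, piece):
    """The check a client runs on every piece, whichever peer sent it."""
    expected = info["pieces"][index * 20:(index + 1) * 20]
    return hashlib.sha1(piece).digest() == expected

def rejected_pieces(info, peer_data):
    """Return indexes of pieces from this peer that fail the hash check."""
    count, plen = len(info["pieces"]) // 20, info["piece length"]
    return [i for i in range(count)
            if not verify_piece(info, i, peer_data[i * plen:(i + 1) * plen])]

# Constructed sample payload standing in for the .iso
ORIGINAL = b"constructed sample payload standing in for an iso image"
INFO = make_info("sample.iso", ORIGINAL)
TAMPERED = ORIGINAL[:20] + b"X" + ORIGINAL[21:]  # one byte altered in transit

if __name__ == "__main__":
    print("info-hash:", info_hash(INFO))
    print("honest peer rejected pieces:", rejected_pieces(INFO, ORIGINAL))
    print("tampering peer rejected pieces:", rejected_pieces(INFO, TAMPERED))
```

The protection only holds relative to the `.torrent` file or magnet hash you started from, so that value has to come from a source you trust.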