From the Passim README:
Here we’ve assuming your local network (aka LAN) is a nice and friendly place, without evil people trying to overwhelm your system or feed you fake files. Although we request files by their hash (and thus can detect tampering) it still uses resources to send a file over the network.
We’ll assume that any network with working mDNS (as implemented in Avahi) is good enough to get metadata from other peers. If Avahi is not running, or mDNS is turned off on the firewall then no files will be shared.
Trusting networks based on mDNS support is not a good idea, there are good reasons to have mDNS enabled on untrusted networks (like using a printer on a semi-public network).
Also from the Passim README:
The file is sent when requested from a URL like
https://192.168.1.1:27500/filename.xml.gz?sha256=hash– any file requested without the checksum will not be supplied
Since a lot of files have unique filenames and are public, obtaining the hash is not very hard. An attacker could request known filename+hash pairs to guess information about a device. This can be used for fingerprinting and might even be enough to uniquely identify a host across networks. The 2mb data cap doesn’t really help mitigate this attack.