First - yes, there are bugs in msgcache/hobbitfetch, and I'll try to get those sorted out.
*5. Regardless, I would like to see some sort of encryption of the hobbit protocol. Nothing extreme, just not plaintext. Even a simple XOR
I must disagree here.
Poorly implemented cryptography is much worse than no cryptography. It gives people the impression that confidentiality "has been taken care of with encryption", when in fact it hasn't. And then people tend to forget about the *other* things they need to do to get a secure environment.
Inventing your own crypto protocol is usually the *worst* way to begin doing any kind of encryption. History is full of examples. I do not want to become part of it.
If Hobbit is going to have an encrypted link between clients and the Hobbit server, it will be using TLS (SSL). It's a well-tested protocol, it has support for not only encryption but also authentication (both server and client), and there are standard libraries available implementing it - which Hobbit already uses for network tests.
But I'm still unconvinced that it's such a great idea. There are lots of ways that you can attack Hobbit if you want to get at the information it stores - if I were to attack such a system, my first attempt would be to get access to the server and steal the hobbitd.chk file, which holds all of the information Hobbit stores about a host.
Regards, Henrik
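
The argument above against "a simple XOR", as an added example (not part of the original message and not Hobbit code): repeating-key XOR over a message with a predictable start gives neither confidentiality nor integrity, which are the two things the message says TLS provides. The key, the message layout and the function names are constructed for this illustration, and the key length is assumed to be known.

```python
from itertools import cycle

# Constructed sample data: key and message layout are made up for this example.
KEY = b"hobbit"
MESSAGE = b"status www,example,com.http yellow HTTP response slow"


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def key_from_known_prefix(wire: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Wire bytes XOR known plaintext equals the key, byte for byte."""
    if min(len(wire), len(known_prefix)) < key_len:
        raise ValueError("need key_len bytes of known plaintext")
    return bytes(w ^ p for w, p in zip(wire[:key_len], known_prefix[:key_len]))


def rewrite_field(wire: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change a field whose plaintext is known, without the key.

    Nothing in the scheme authenticates the message, so the receiver
    decodes the altered bytes as if they were genuine.
    """
    if len(old) != len(new):
        raise ValueError("replacement must keep the field length")
    out = bytearray(wire)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


if __name__ == "__main__":
    wire = xor_obfuscate(MESSAGE, KEY)
    # Every message starts with the same word, so the key falls out of one capture.
    recovered = key_from_known_prefix(wire, b"status ", len(KEY))
    print("recovered key:", recovered)
    print("decoded:      ", xor_obfuscate(wire, recovered))
    # The receiver, holding the real key, accepts a message that was altered in transit.
    altered = rewrite_field(wire, MESSAGE.index(b"yellow"), b"yellow", b"purple")
    print("receiver sees:", xor_obfuscate(altered, KEY))
```
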