A small change to the 'simple' DBR error message.
Also, I don't mean to start a flamewar, but this from S.C.U.M.'s site is 
right:
NIO
Now that the NIO Freenet is widespread I'm ready to give my 2.0cents of 
nonsense, I've been using it for some time and what a great improvement for 
cpu usage but I'm close to dumping Freenet altogether(that's probably a 
fairly common thought right now), I think [j]random was right that they 
basically are ready to compromise real security for P2P glory(paraphrase), 
this whole issue of the error pages has had me pissed for a long time, not 
because it fucks up this page (that's my and other people that use 
IFrames problem) but because of Matthew Toseland's (lead Freenet programmer) 
response to it:
"They are NOT KEYS. They are static images. It is the browser's fault for not 
caching them long enough to render each copy of them."
"It is probably simply that your browser
a) has caching disabled, and
b) is not smart enough to coalesce requests for the same image i.e. to
cache it long enough to render it all over the page. Simply enable a
small (like one megabyte) cache in the browser, regardless of it being
cached upstream by the node or the proxy or whatever, and it will only
download the images once each"
I don't think Toseland's stupid and he's obviously working his ass off for 
this thing but that's pretty stupid (he's actually blaming a web browser for 
shitty Freenet behavior!), Freenet should be made to work with *no browser 
cache* that's a pretty fucking basic concept for software made to run in 
hostile environments.

But that's not really bad, what's their latest idea? have *Freenet place a 
cookie*, actually not just a cookie but nice fucking known static 
path&content one that can sit there unchanged for a long time, I don't 
suppose any of these bright fellows thought to do some research on cookie 
exploits before sticking this in Freenet or more likely they just don't give 
a shit anymore. Oh and if you block Freenet from using cookies you'll keep 
getting thrown back into their new Freenet for the 21st Century 'Illiterate 
Mode'

But wait.. there's more kids, NIO Freenet is unstable and the freenet.log has 
gone out of control and filled my disk a couple of times, this actually puts 
"stable build" Freenet in the 'dangerously unstable' category but whatever, 
what concerns me is last time I read the log and found this:
Jul #, 2003 2:02:28 PM (freenet.client.AutoRequester, QThread-1516, ERROR): 
Got StateReachedEvent (State FAILED reached.) with currentRequestProcess == 
null! for freenet.client.AutoRequester:(not 
requesting)():freenet:[EMAIL PROTECTED]/colours/3914f3//active.png

For anyone who doesn't know what this means, Freenet has put an error message 
in the log containing a key I've requested on the network, perhaps this is a 
new experiment to help law enforcement more easily determine what you've been 
doing with Freenet, part of its new "user friendliness".

Is it acceptable that instead of stomping out potential security weaknesses 
they are actually adding more? It's not to me and I wish smarter people would 
really explain why or why not these weaknesses are a threat(they seem like a 
big-ass threat to me) , there is alarmingly little discussion about it and 
The Freenet Project does not maintain a list of known weaknesses but chooses 
to give the impression of everything's secure.

This is not something that just occurred to me, the Internet Explorer thing has 
always pissed me off as a Freenet user. They have consistently been pretty 
nonchalant about plugging Freenet security holes, but this cookie and log 
thing is really too much. I feel some responsibility that I insert data that 
I know is illegal in many places and the people who might be downloading it 
have a false notion of how secure they are retrieving it. But complaining 
about it will get no result so it's "out of my hands" as they say. I thought 
about S.C.U.M. with no underage girls or copyright infringement(aka.crappy 
S.C.U.M.) but that just isn't going to happen. So frankly I don't know what 
to think or do about this, it's very frustrating.

Freenet security problems I know(and I don't know too much so there are 
probably others)
- Internet Explorer allows scripting that Fproxy doesn't filter, this allows a 
Freesite to get your IP address, things you downloaded etc. At least they 
have a warning about this but it never has really been dealt with, i.e. better 
filtering (if that's possible) or blocking Internet Explorer.
- Freenet sets a static cookie with a known path&content. It's beyond me why 
they would add this unnecessary exploitable "feature"
- Browser cache contains Freenet content you've requested, this is a weakness 
of using Web browsers as the Freenet interface and it doesn't help when the 
software and its developers encourage using a browser cache instead of 
saying "turn it off"
- Browser link history, this is a weakness of using Web browsers as the 
Freenet interface, there is no actual data here just addresses
- allowing requested keys to be listed in the freenet.log (default 
configuration), this is just dumb.
- Freenet is vulnerable to traffic analysis, this is a complex issue at the 
heart of the Freenet structure I don't really understand but I do know that 
exploiting this weakness would be very difficult, but there hasn't been 
enough done yet to randomise HTL values for inserting/requesting (as far as I 
know)


(back to the real sender) I realize anonymity and security may not be the main 
goals right now, but maybe some of this should be addressed, eh? I'm not 
saying toad or anyone has to, but these are matters worthy of consideration.
btw, what's the config option for setting the simple/advanced default?
-- 
"I love deadlines. I love the whooshing sound they make as they go by."
        - Douglas Adams
Nick Tarleton - [EMAIL PROTECTED] - PGP key available
--- src/freenet/client/http/FproxyServlet.java.old	2003-07-04 20:42:06.000000000 -0400
+++ src/freenet/client/http/FproxyServlet.java	2003-07-05 01:56:43.000000000 -0400
@@ -1514,15 +1514,16 @@
 	  
 			String altDbrUrl = "/" + 
 				dr.getTargetForTime(key, time).toString(false);
+			int incr = dr.getIncrement()/(60*60);
 			if(SimpleAdvanced_ModeUtils.isAdvancedMode(req)) {
 	  			dbr = "</p><p>" +
 	      			"The request followed a Date Based Redirect, this is usually " +
 	      			"used to provide an updateable freesite. It appears that the " +
 	      			"current freesite is not available. You could try retrieving " +
 	      			"an <A HREF=\"" + prevDbrUrl + "\">earlier dated version</A> (<a href=\""+altDbrUrl+"\">better but date-specific link</a>). "+
-	      			"The site updates every " + dr.getIncrement()/(60*60) + " hours.</p><hr>";
+	      			"The site updates every " + incr + " hours.</p><hr>";
 			}else
-				dbr = "</p><p>This site updates every day, you could try <A HREF=\"" + prevDbrUrl + "\"> yesterday's edition</A>.</p>"; // Also make sure that your computers clock is correctly set.
+				dbr = "</p><p>This site updates every " + increment + " , you could try <A HREF=\"" + prevDbrUrl + "\"> yesterday's edition</A>. Also make sure that your computer's clock is set correctly.</p>";
 		}
 
         String msg;
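
Review bot: In the simple-mode `else` branch the new string concatenates `increment`, but the only variable this hunk declares is `incr` (`int incr = dr.getIncrement()/(60*60);`), so unless `increment` is defined outside the visible lines this will not compile; it should read `incr`. The same string also drops the unit, so it renders as "This site updates every N , you could try"; add " hours" after the number and remove the space before the comma. Two smaller points: the link text still says "yesterday's edition" although the interval is now variable, and the integer division by `60*60` yields 0 for any increment shorter than an hour, so sub-hour and multi-day increments deserve explicit wording in both branches.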
