On Tuesday 18 Dec 2012 02:49:36 Arne Babenhauserheide wrote:
> On Friday, 14 December 2012, 19:32:18, Matthew Toseland wrote:
> > - HTTPS ensures that the executable hasn't been tampered with. However, the
> > friend providing it may be malicious, computer illiterate, or running a
> > corrupted build they got from another friend. Trusting your friend is not
> > necessarily enough here IMHO.
> > - Therefore we want to verify the signature from FPI as well.
> 
> I don’t think that this is strictly necessary. If your friend runs a
> corrupted build, you have a problem anyway. Another layer of security might
> be nice, anyway, though: Don’t make it too easy for people to infiltrate
> freenet…

The problem is you can make your corrupt version spread "virally" as people are 
invited each time distributing your bogus installer, and get a significant 
number of corrupted nodes. Verifying the signature avoids this provided we can 
trust the PKI. Of course if Freenet is illegal we can't trust the PKI. :(
> 
> I like the zip-idea, though, because it would allow shipping more than one 
> installer: One for Windows, one for GNU/Linux and one for MacOSX.

Right. And all three OSes have good support for zips now.
> 
> And we can provide the sha1 hash of the files along with IP:Port:password, so 
> GNU/Linux users can easily check for manipulations.

We could, although it'd be more work for the user.
> 
> > One fundamental problem with QR codes is they're primarily read by phones
> > and tablets, which can't realistically run Freenet.
> 
> It might be possible to prompt the user to send the URL via email to their 
> home-computer.
> 
> In that case, the QR-code would simply save the typing of the text from a 
> custom business-card.

Is that really an improvement in practice?
> 
> Also people running freenet might not want to use their email address to send 
> the data: don’t leave a data trail between the two people (which is too easy 
> to follow).

You should only add darknet friends if you don't care about there being a trail 
between them. You should connect to people that you know. This is the same as 
"people the bad guys already know are connected to you from your phone records 
etc".

You are going to be connecting to them directly over IP, so if They look at you 
individually, they can identify your friends. Like the message says on the 
wizard, don't connect over darknet to your secret mole in Guantanamo!

Your friends do not have to be perfectly trustworthy. I'd be happy to add 
people from the same university club. If you only add your direct family you 
will not have enough links and there won't be enough "long" links. The one case 
where you don't want to add them is when you have only ever contacted them for 
the purpose of using Freenet, especially if it's an automated system; this will 
ruin the topology, and they are probably malicious.
> 
> One more option: Only provide your FOAF connections, NOT your own IP.

Huh?
