On Tuesday 18 Dec 2012 15:22:19 Juiceman wrote: > On Dec 18, 2012 8:26 AM, "Matthew Toseland" <[email protected]> > wrote: > > > > On Tuesday 18 Dec 2012 02:49:36 Arne Babenhauserheide wrote: > > > Am Freitag, 14. Dezember 2012, 19:32:18 schrieb Matthew Toseland: > > > > - HTTPS ensures that the executable hasn't been tampered with. > However, the > > > > friend providing it may be malicious, computer illiterate, or running > a > > > > corrupted build they got from another friend. Trusting your friend is > not > > > > necessarily enough here IMHO. - Therefore we want to verify the > signature > > > > from FPI as well. > > > > > > I don’t think that this is strictly necessary. If your friend runs a > corrupted > > > build, you have a problem anyway. Another layer of security might be > nice, > > > anyway, though: Don’t make it too easy for people to infiltrate freenet… > > > > The problem is you can make your corrupt version spread "virally" as > people are invited each time distributing your bogus installer, and get a > significant number of corrupted nodes. Verifying the signature avoids this > provided we can trust the PKI. Of course if Freenet is illegal we can't > trust the PKI. :( > > > > > > I like the zip-idea, though, because it would allow shipping more than > one > > > installer: One for Windows, one for GNU/Linux and one for MacOSX. > > > > Right. And all three OS's have good support for zip's now. > > > > > > And we can provide the sha1 hash of the files along with > IP:Port:password, so > > > GNU/Linux users can easily check for manipulations. > > > > We could, although it'd be more work for the user. > > > > > > > One fundamental problem with QR codes is they're primarily read by > phones > > > > and tablets, which can't realistically run Freenet. > > > > > > It might be possible to prompt the user to send the URL via email to > their > > > home-computer. > > > > > > In that case, the QR-code would simply save the typing of the text from > a > > > custom business-card. > > > > Is that really an improvement in practice? > > > > > > Also people running freenet might not want to use their email address > to send > > > the data: don’t leave a data trail between the two people (which is too > easy > > > to follow). > > > > You should only add darknet friends if you don't care about there being a > trail between them. You should connect to people that you know. This is the > same as "people the bad guys already know are connected to you from your > phone records etc". > > > > You are going to be connecting to them directly over IP, so if They look > at you individually, they can identify your friends. Like the message says > on the wizard, don't connect over darknet to your secret mole in guantanamo! > > > > Your friends do not have to be perfectly trustworthy. I'd be happy to add > people from the same university club. If you only add your direct family > you will not have enough links and there won't be enough "long" links. The > one case where you don't want to add them is when you have only ever > contacted them for the purpose of using Freenet, especially if it's an > automated system; this will ruin the topology, and they are probably > malicious. > > > > > What about some kind of Facebook app then? > There was one, we never did anything with the code. Want me to look it up?
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
