At present once you are connected to a peer, it can change its name. So it can e.g. impersonate your other peers. This is not easily detectable because of character set issues (there are lots of characters that look like "o" with different unicode code points, for example).
IMHO we need to *confirm the node name* as part of exchanging noderefs. This *should not then change* - at least not without local confirmation. The node can call itself whatever it wants, but we'll always show the name it was added as, unless the local user accepts a change.

The phone app is particularly interesting:
- When we exchange refs phone-to-phone, we should show the node name, and require the user to OK them. This is partly for authentication and partly for crowded rooms etc.
- When we connect to the home node, and confirm the refs on the home node, we should show the node names.
- Photo ID might even be an interesting option, both for confirmation and for e.g. f2f social functionality in the node (sending messages, files etc)? I'm not sure whether we want to provide contact details - if we confirm the fingerprint out of band (e.g. via a phone call, voice verify a fingerprint like gpg), we'd want to look up the phone number separately. Conceivably we could have the app associate a noderef with a known contact - by email or phone number?
- The basic reasons for confirming addition of peers manually on the home node:
-- The phone might be compromised.
-- We want to confirm that we have actually exchanged noderefs with anyone. I.e. if the phone was compromised, an attacker might try to add refs without you interacting with anyone.
-- We want to confirm who we have exchanged noderefs with. In which case we need to know who we've exchanged with.
-- We may want to do out-of-band confirmation of the noderef's cryptographic keys, e.g. via a phone call to manually check the fingerprint, like with GPG (or use password based auth). This protects us if the phone is compromised and has substituted an attacker's noderef. This should only happen if one or other of the people involved is paranoid enough to ask for it, i.e. depending on the security settings.
_______________________________________________ Devl mailing list [email protected] https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
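The proposal above (pin the name at noderef exchange, keep showing the pinned name until the local user confirms a change, and treat look-alike names as suspicious) can be sketched as a small registry. This is an added illustration, not code from Freenet or from the message's author. It keys peers by an opaque identity string standing in for the noderef's key fingerprint (an assumption), and the confusables table is a hand-picked subset of Cyrillic/Greek letters that render like Latin ones; the real Unicode confusables data (UTS #39) is much larger.

```python
import unicodedata

# Constructed, deliberately small subset of Unicode confusables: characters that
# look like an ASCII letter but have a different code point. Illustrative only.
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def skeleton(name: str) -> str:
    """Canonical form used to decide whether two names would look the same
    to a human: compatibility-normalise, case-fold, then map confusables."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


class PeerNameRegistry:
    """Keeps the name each peer was *added* as, keyed by its identity
    (assumed here to be the noderef's key fingerprint)."""

    def __init__(self):
        self._pinned = {}  # identity -> name confirmed at noderef exchange

    def _collides(self, identity, name):
        # True if `name` would be visually indistinguishable from another
        # peer's pinned name. Blocks the "rename to look like a friend" case.
        return any(
            other_id != identity and skeleton(other_name) == skeleton(name)
            for other_id, other_name in self._pinned.items()
        )

    def add_peer(self, identity, name):
        """Pin the name shown to the user at ref-exchange time."""
        if self._collides(identity, name):
            raise ValueError("name is confusable with an existing peer")
        self._pinned[identity] = name

    def check_advertised(self, identity, advertised):
        """Classify the name a connected peer now claims for itself.
        The pinned name keeps being displayed regardless of the result."""
        pinned = self._pinned[identity]
        if advertised == pinned:
            return "ok"
        if self._collides(identity, advertised):
            return "collides_with_peer"
        return "rename_needs_confirmation"

    def display_name(self, identity):
        # Always the locally confirmed name, never the peer's current claim.
        return self._pinned[identity]

    def confirm_rename(self, identity, new_name):
        """Apply a rename only after the local user accepted it; the same
        confusability check applies as on first addition."""
        if self._collides(identity, new_name):
            raise ValueError("name is confusable with an existing peer")
        self._pinned[identity] = new_name


if __name__ == "__main__":
    reg = PeerNameRegistry()
    reg.add_peer("fp-alice", "alice")
    reg.add_peer("fp-bob", "bob")
    # Bob's node starts advertising "alice" spelled with a Cyrillic "a".
    print(reg.check_advertised("fp-bob", "\u0430lice"), "->", reg.display_name("fp-bob"))
```

A plain rename (a different word) is reported as pending confirmation and the old name stays on screen; a rename whose skeleton matches another peer is flagged outright, which is the impersonation case the message describes.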
