On Wednesday 24 Jul 2013 21:21:56 Matthew Toseland wrote:
> At present once you are connected to a peer, it can change its name. So it
> can e.g. impersonate your other peers. This is not easily detectable because
> of character set issues (there are lots of characters that look like "o" with
> different unicode code points, for example).
>
> IMHO we need to *confirm the node name* as part of exchanging noderefs. This
> *should not then change* - at least not without local confirmation. The node
> can call itself whatever it wants, but we'll always show the name it was
> added as, unless the local user accepts a change.
>
> The phone app is particularly interesting:
> - When we exchange refs phone-to-phone, we should show the node name, and
> require the user OK them. This is partly for authentication and partly for
> crowded rooms etc.
> - When we connect to the home node, and confirm the refs on the home node, we
> should show the node names.
> - Photo ID might even be an interesting option, both for confirmation and for
> e.g. f2f social functionality in the node (sending messages, files etc)? I'm
> not sure whether we want to provide contact details - if we confirm the
> fingerprint out of band (e.g. via a phone call, voice verify a fingerprint
> like gpg), we'd want to look up the phone number separately. Conceivably we
> could have the app associate a noderef with a known contact - by email or
> phone number?
> - The basic reasons for confirming addition of peers manually on the home
> node:
> -- The phone might be compromised.
> -- We want to confirm that we have actually exchanged noderefs with anyone.
> I.e. if the phone was compromised, an attacker might try to add refs without
> you interacting with anyone.
> -- We want to confirm who we have exchanged noderefs with. In which case we
> need to know who we've exchanged with.
> -- We may want to do out-of-band confirmation of the noderef's cryptographic
> keys, e.g. via a phone call to manually check the fingerprint, like with GPG
> (or use password based auth). This protects us if the phone is compromised
> and has substituted an attacker's noderef. This should only happen if one or
> other of the people involved is paranoid enough to ask for it, i.e. depending
> on the security settings.
>

Okay, simple and minimally adequate proposal for fred:

Node has:
- Local nick.
- Current remote name.

The Name column should show:
NICK ( REMOTE NAME ) [ CHANGE NICK ]

When the node is added, we set the Nick to the name at the time of it being
added.

The Add a Friend page should have a space for Nick. Ideally, we'd like to fill
it in from the noderef if we're uploading a noderef from disk (this would be
fairly clean if through the browser).

MIGRATION: Many people likely use Private Note for this purpose. So if there is
a Private Note and it is reasonably short, set the Nick to it and clear it. If
not, set the Nick to the current remote Name.

IMHO some of what I said above still holds especially for the phone app. But
this is what we need to make darknet acceptable.

https://bugs.freenetproject.org/view.php?id=5904
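Added example, not part of the original message and not fred's own code: a Python model of the nick / remote-name split and the MIGRATION rule proposed above, run against a constructed lookalike rename. The names Peer, add_peer, migrate, name_scripts and the 32-character NOTE_MAX threshold are assumptions, and the mixed-script check is an extra heuristic that the message does not propose.

```python
import unicodedata
from dataclasses import dataclass

NOTE_MAX = 32  # assumption: the post only says "reasonably short"

@dataclass
class Peer:
    nick: str         # local label, set once at add time
    remote_name: str  # whatever the peer currently calls itself

    def on_remote_rename(self, new_name):
        # The peer may rename itself freely; the local nick never follows.
        self.remote_name = new_name

    def name_column(self):
        # The [ CHANGE NICK ] control is UI and is left out here.
        return f"{self.nick} ( {self.remote_name} )"

def add_peer(noderef_name, nick=""):
    # Nick defaults to the name carried by the noderef when it was added.
    return Peer(nick or noderef_name, noderef_name)

def migrate(remote_name, private_note):
    """Return (peer, private_note_after_migration) for an existing peer."""
    note = private_note.strip()
    if note and len(note) <= NOTE_MAX:
        return Peer(note, remote_name), ""  # note becomes nick, then cleared
    return Peer(remote_name, remote_name), private_note

def name_scripts(name):
    # Rough script label: first word of each letter's Unicode character name.
    # Partial heuristic only; it misses single-script lookalikes.
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}

if __name__ == "__main__":
    alice, bob = add_peer("Alice"), add_peer("Bob")
    spoof = "B\u043eb"  # constructed: Cyrillic U+043E in place of Latin "o"
    alice.on_remote_rename(spoof)
    print(alice.name_column(), sorted(name_scripts(spoof)))
    print(migrate("node-7f3a", "Carol, met at the meetup"))
```

Because the nick is pinned, the peer added as Alice still shows "Alice" first in the Name column after renaming itself to a lookalike of "Bob", so the spoofed string only ever appears in the parenthesised remote name.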
