On Thursday 01 June 2006 09:19, Colin Davis wrote: > I think freenet can have a similar behavior- By implementing a quick > HTTP auth on fproxy...
Unfortunately it wouldn't work if the user had logged in to FProxy and not closed their browser since. At least, my browser will happily send the auth credentials even if it's being post-ed to by a form on a different domain. Likewise, if you gave the user a cookie, the browser would just send the cookie. You have to ask the user for authentication every time they added / removed a node, or similar, which would get annoying very quickly. Even so, there's still the risk that any website can tell that you're running Freenet, even if they can't tell who you're peered with. Just getting a connection on port 8888 gives away information that Freenet is designed to hide. > > It's also possible to auto-randomize the fproxy port, but I don't think > the inconvenience that causes is worth the benefit, when better > solutions exist. This would help, and I'd expect the norm to be that people will find the node homepage through a desktop shortcut or something, in which case you just point the shortcut at the right port. It's still security through obscurity though. Given that we have an encrypted darknet protocol specifically to mask the fact that users are running Freenet, it's a serious problem that any website can discover this fairly trivially. Unfortunately I'm not sure what the solution is. Dave
