Woah (re Ubernode.org). One button click, you can add its ref to you. Here's a simple countermeasure: Check the Referer, and if it's set (outside 127.0.0.1:<port>), verify whatever transaction it is with another POST form.
On Thu, Jun 01, 2006 at 04:19:18AM -0400, Colin Davis wrote:
>
> >We can't prevent people from their own stupidity :)
> >
>
> No, but we can raise the barrier of entry-
> For instance, on Windows, most people run as the Administrator all the
> time... Linux/OS X requires that users use su or sudo before writing to
> protected files.
>
> I think freenet can have a similar behavior- By implementing a quick
> HTTP auth on fproxy, it avoids the harvesting problem, as well as
> avoiding node autoloaders like the one mentioned before.
>
> It's also possible to auto-randomize the fproxy port, but I don't think
> the inconvenience that causes is worth the benefit, when better
> solutions exist.
>
> Http auth, plus a warning advising people to /never/ give out their
> username/password, should help. And if it doesn't... At least it raises
> the barrier to entry.
>
> >And
> >according to Ian, that's not a goal we should try to achieve ;)
> >
> I would point out that people can add automatically references NOW,
> trivially, by going through fproxy.
>
> I have Ubernode.org set up to automatically add references to itself,
> and it didn't take a whole lot of effort. (It's a neat experiment. Check
> it out ;) http://ubernode.org )
>
> I'm not sure what avoiding a FCP command to do the same adds, when a
> one-line exec(curl blah blah) does the same thing, just in a slightly
> more messy way.
>
> -Colin
>
> >
> >
> >NextGen$
> >(Convinced too that the reference auto-adder is EVIL!)
> >
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Devl mailing list
> >Devl at freenetproject.org
> >http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
>
-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
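
The Referer countermeasure proposed at the top of this message, sketched as an added example that is not part of the original post and not Freenet code. The port 8888, the function names and the sample Referer values are assumptions made for illustration; the message itself only says "127.0.0.1:<port>".

```python
from urllib.parse import urlsplit

# Assumed values: the message only says "127.0.0.1:<port>".
LOCAL_HOST = "127.0.0.1"
LOCAL_PORT = 8888  # hypothetical fproxy port

ALLOW = "allow"
CONFIRM = "confirm"  # show a second POST form before acting


def referer_is_local(referer, host=LOCAL_HOST, port=LOCAL_PORT):
    """True only if the Referer's parsed host and port are the node's own."""
    try:
        parts = urlsplit(referer.strip())
        ref_port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if ref_port is None:
        ref_port = 443 if parts.scheme == "https" else 80
    # Compare parsed fields, never a string prefix of the header value.
    return parts.hostname == host and ref_port == port


def decide(referer):
    """Policy from the message: act on the Referer only when it is set."""
    if referer is None or referer.strip() == "":
        return ALLOW
    return ALLOW if referer_is_local(referer) else CONFIRM


# Constructed sample Referer values for a state-changing request.
SAMPLES = [
    None,
    "http://127.0.0.1:8888/friends/",
    "http://ubernode.org/",
    "http://127.0.0.1:8888.example.net/",  # would pass a naive prefix match
    "http://127.0.0.1:8888@example.net/",  # "host:port" is really userinfo
    "http://127.0.0.1:9999/",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r:45} -> {decide(ref)}")
```

A request with no Referer passes under this rule, so the check only covers browsers that actually send the header.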
