>Woah (re Ubernode.org). One button click, you can add its ref to you.
>
>Here's a simple countermeasure: Check the Referer, and if it's set
>(outside 127.0.0.1:<port>), verify whatever transaction it is with
>another POST form.
can be faked by server

>On Thu, Jun 01, 2006 at 04:19:18AM -0400, Colin Davis wrote:
>>
>> >We can't prevent people from their own stupidity :)
>> >
>>
>> No, but we can raise the barrier of entry-
>> For instance, on Windows, most people run as the Administrator all the
>> time... Linux/OS X requires that users use su or sudo before writing to
>> protected files.
>>
>> I think freenet can have a similar behavior- By implementing a quick
>> HTTP auth on fproxy, it avoids the harvesting problem, as well as
>> avoiding node autoloaders like the one mentioned before.
>>
>> It's also possible to auto-randomize the fproxy port, but I don't think
>> the inconvenience that causes is worth the benefit, when better
>> solutions exist.
>>
>> Http auth, plus a warning advising people to /never/ give out their
>> username/password, should help. And if it doesn't... At least it raises
>> the barrier to entry.
>>
>> >And
>> >according to Ian, that's not a goal we should try to achieve ;)
>> >
>> I would point out that people can automatically add references NOW,
>> trivially, by going through fproxy.
>>
>> I have Ubernode.org set up to automatically add references to itself,
>> and it didn't take a whole lot of effort. (It's a neat experiment. Check
>> it out ;) http://ubernode.org )
>>
>> I'm not sure what avoiding an FCP command to do the same adds, when a
>> one-line exec(curl blah blah) does the same thing, just in a slightly
>> more messy way.
>>
>> -Colin
>>
>> >NextGen$
>> >(Convinced too that the reference auto-adder is EVIL!)
>> >
>> >_______________________________________________
>> >Devl mailing list
>> >Devl at freenetproject.org
>> >http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
>
>--
>Matthew J Toseland - toad at amphibian.dyndns.org
>Freenet Project Official Codemonkey - http://freenetproject.org/
>ICTHUS - Nothing is impossible. Our Boss says so.
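The Referer check plus "verify with another POST form" countermeasure from the quoted proposal, as an added example written for this page (it is not code from the thread or from Freenet's fproxy). It assumes a node web UI on http://127.0.0.1:<port>/ that receives state-changing actions as POSTs with a header dict; ConfirmationGate, referer_is_local and the "add_reference" action are hypothetical names.

```python
# Referer check plus one-time POST confirmation for a localhost node UI.
# Assumed model (constructed for this example): UI on http://127.0.0.1:<port>/.
import secrets
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def referer_is_local(referer, port):
    """True if Referer is absent (the proposal's "if it's set") or is the node's own loopback origin."""
    if not referer:
        return True
    parts = urlsplit(referer)
    try:
        ref_port = parts.port if parts.port is not None else 80
    except ValueError:  # malformed port such as "127.0.0.1:abc"
        return False
    return (parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
            and ref_port == port)


class ConfirmationGate:
    """Runs actions from local pages; foreign-referred ones need a second POST."""

    def __init__(self, port):
        self.port = port
        self._pending = {}  # token -> (action, params); each token is single-use

    def handle(self, method, headers, action, params):
        """Returns ("done", action, params), ("confirm", token) or ("rejected", why)."""
        if method != "POST":
            return ("rejected", "state change requires POST")
        if referer_is_local(headers.get("Referer"), self.port):
            return ("done", action, params)
        # Foreign Referer: park the request behind a random token. The node renders a
        # confirmation form carrying it; a page on another origin cannot read that form.
        token = secrets.token_urlsafe(16)
        self._pending[token] = (action, params)
        return ("confirm", token)

    def confirm(self, method, headers, token):
        """Second POST, submitted from the node's own confirmation form."""
        if method != "POST":
            return ("rejected", "confirmation requires POST")
        if not referer_is_local(headers.get("Referer"), self.port):
            return ("rejected", "confirmation must come from the node UI")
        pending = self._pending.pop(token, None)
        if pending is None:
            return ("rejected", "unknown or already-used token")
        return ("done", *pending)
```

Because the proposal's rule lets a request with no Referer through, the single-use token in confirm() is what actually stops a cross-origin page from completing the action; a stricter deployment would send Referer-less state changes to the confirmation step as well.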
