Freenet / Hyphanet 0.7.5 build 1503 is now available:

https://www.hyphanet.org/freenet-hyphanet-build-15021503-fix-vulnerability-and-visibility-add-animated-webp-convenience-and-optimization.html

1502 fixed an inserter tracing vulnerability and added several features;
1503 fixes regressions in 1502.

- fix vulnerability
- reduce visibility on the network
- support animated webp and more modern HTML and CSS
- enable direct linking to Freemail’s “New Message” page
- dismiss alerts and convenience
- substantial routing optimizations
- bug fixes

(if your auto-update is active, you already have 1503)

Details:

## mitigated vulnerability

The most important change is a fix to a vulnerability that enabled
attackers to differentiate between an uploading and a forwarding node
by analyzing the structure of packets in blocks. 

The vulnerability enabled two attacks: one active and one passive.
The active one could be exploited by depending on precise block-level
timing of packet handling, forcing the node to expose if it was the
original uploader of a file. The passive one worked by analyzing the
packet structure inside blocks.

While the active attack is completely mitigated, the passive attack
could be done retroactively if an attacker had already recorded the
full transmitted data on sub-block level.

The attack has two limitations: it requires matching individual CHKs
to keys, for example by downloading the key of the file at least once;
this risk is highest for CHKs of known files and for
re-uploads. And it requires a direct connection: it does not work
against pure friend-to-friend mode when your friends are trustworthy.

This vulnerability was reported responsibly by *Xu Yonghuan*. Thank
you very much for the report and for creating and testing a
mitigation!

### fix regression: thread leak

1503 fixed a thread leak from our adaptation of the vulnerability
mitigation that caused very fast nodes to overload and slow down after
a few days, because the number of waiting threads exceeded the thread
limit. Don’t wait for zero, for it is infinite.

Thanks to bertm for finding a minimally invasive solution and
max_iops for reporting the problem and testing fixes!

## visibility reduction and interface fixes

There were some additional privacy and safety improvements: do not
check reachability of global addresses to avoid a fallback to Echo
packets when a node does not support Ping. These packets were a
regression from 1498 due to a fallback in the platform address 
checking when Ping is disabled.

And don’t show download to disk on the large file page on public
gateway nodes, and make fproxy cross-origin isolated -- the latter by
torusrxxx.

## animated webp and more HTML/CSS

There is now support for animated, lossy webp images, recovering
some capabilities we lost when browsers removed support for the Theora
codec, and for WAV files for lossless audio. Thank you to Torusrxxx!

Torusrxxx also again increased the fraction of HTML and CSS elements
that can be used on Freesites. More and more pages should just work.
Freesites can now set robots, googlebot and referrer=no-referrer, for
example for the Spiders that update indexes, as well as use more CSS
properties.

1503 fixed a problem displaying Freesites that include an input tag
without type. Sites with such an incomplete input tag can now be
visited again. Thanks to torusrxxx!

## link to freemail

Freemail now allows inbound links to “/Freemail/NewMessage?to=\<WoT ID>”,
so you can use links on Freesites that directly open in Freemail.

## dismiss alerts and convenience

On the alerts page there are buttons to dismiss all alerts that do not
come from other nodes, or to delete all messages from other nodes.
This should unclutter alerts and make node-to-node messages much more
usable.


## optimization

There are new optimizations to the code -- a lot of them
improvements to synchronization -- which should reduce CPU load of
nodes with many peers and make it easier to run simple routing nodes
(without messaging) on weak, cheap, energy conserving hardware:

- Fix synchronization of receive buffer -- #1044 by ArneBab. Thanks to
  Xu Yonghuan for the catch!
- Do not synchronize on global variable in CryptoKey.fingerprint --
  #1066 by bertm
- Do not synchronize on access to AEADCryptBucket.readOnly -- #1065 by
  bertm
- Do not synchronize on global variable in crypt Util.makeKey -- #1064
  by bertm
- Do not synchronize on Rijndael cipher initialization or use -- #1061
  by bertm
- Use length hint for bucket creation in ChecksumChecker -- #1059 by
  bertm
- Optimize OCBBlockCipher_v149 by replacing Vector with List -- #1057
  by bertm
- Use JCE AES implementation for AEAD when available -- #1056 by bertm


## fixes

Additionally there are visible fixes:

- Update dependencies.properties wrapper files to files in
  java_installer to avoid downgrading the wrapper after the first
  start -- #1081 by ArneBab
- Fix regression: compress parameter was inverted on upload. Thanks to
  NewOne@umLZL for investigating! -- #1051 by ArneBab
- Build the Atom XML correctly -- #1080 by Bombe
- Do not fix case (upper/lower) of header key -- #1063 by torusrxxx
- Fix request distribution stats -- #1071 by bertm
- Plugin visibility was adjusted so that simple mode shows the
  plugins that actually are easy to understand for newcomers.
- Below the shutdown-button, there’s now info on how to disable
  autostart in GNU Linux.
- And 1503 added two new seednodes to speed up initial connection in
  Opennet. Thank you for providing them!

And internal code fixes:

- Return valid length from RandomShortReadInputStream.read -- #1060 by
  bertm
- Fix single-byte read() in various InputStream implementations --
  #1058 by bertm

And improvements to the code to ease maintenance:

- 🐛 Allow Class Loader to Enumerate Directory Entries. Fixes Flyway
  usage -- #1049 by Bombe
- ♻️ Use accessor for NodeClientCore.mainExecutor -- #1079 by Bombe
- Add Accessors for PageNode’s Member Fields -- #1076 by Bombe
- Add Accessors for Two Member Fields Used in PeerNodeStatus -- #1075 by Bombe
- Fix Translation Handling in Tests -- #1074 by Bombe
- Remove main(...) methods and related test/debug routines -- #1070 by
  bertm
- Remove unused code and parameters from NodeStats -- #1069 by bertm
- Remove remaining code paths for disabled slow-down sending -- #1068
  by bertm
- Get rid of Hashtable in NodeStats -- #1067 by bertm
- Fix the test for UserAlertManager where localization didn’t work correctly. 
  Thanks to Bombe!


## Contribute

_Join our core._

If you want to help us get better, please chat with us in #freenet @
irc.libera.chat
    https://web.libera.chat/?nick=Rabbit|?#freenet
And give us time to answer, we’re all volunteers and might not be in
your timezone.

To get into development right-away, have a look at one of the Freenet /
Hyphanet Projects:
    https://github.com/hyphanet/wiki/wiki/Projects
or just get fred and fix something that annoys you:
    https://github.com/hyphanet/fred

And to take on something that makes a big difference, have a look at the
high-impact tasks:
    https://github.com/hyphanet/wiki/wiki/High-Impact-tasks

In addition to coding, spreading Hyphanet, joining the community, writing a 
decentralized website, and other ways to contribute within Hyphanet, you can 
join the awesome team of translators at transifex. They are the reason why 
we’re able to support several different languages, the often unseen heroes who 
make our work accessible to those who need it the most.


## What is Freenet / Hyphanet?

Hyphanet is the original Freenet,  
a peer-to-peer platform for  
censorship-resistant and privacy-respecting  
publishing and communication.

> I worry about my child and the Internet all the time, even though
> she's too young to have logged on yet. Here's what I worry about. I
> worry that 10 or 15 years from now, she will come to me and say
> 'Daddy, where were you when they took freedom of the press away from
> the Internet?' --Mike Godwin, Electronic Frontier Foundation


That Hyphanet can keep moving forward and help people worldwide to
exercise their basic rights and freedoms is the work of amazing
volunteers, both contributors and people running Hyphanet nodes.

Thank you for your contributions, and thank you for using Freenet /
Hyphanet!


Best wishes,
Arne

PS: if you want to help spread Hyphanet, feel free to share this
    announcement with anyone who might be interested and boost the
    announcements on social networking and news sites:
    reddit post for 1503: https://www.reddit.com/r/Freenet/comments/1meg3hp/freenet_hyphanet_build_15021503_fix_vulnerability/
    hacker news post: https://news.ycombinator.com/edit?id=44751198
    bluesky post: https://bsky.app/profile/hyphanet.bsky.social/post/3lvcayfuslc2e
    mastodon toot: https://floss.social/@Freenet/114950375474028948
    Twitter/X post: https://x.com/HyphaNet/status/1951059839183909134
