On Thu, 28 Dec 2000, Oskar Sandberg wrote:

> But KSKs are inherently insecure and should be avoided when not absolutely
> necessary. If you do have a "map" file like you suggested, then it should
> never be located directly under a KSK but rather under a secure key type
> (to which KSKs can be redirected). Since the map file would form the core
> document of the site, it is absolutely imperative that it resides within a
> secure key so that people can bookmark the site and be sure they are
> returning to the same place.

"Absolutely imperative" exaggerates the risk. The mapfile will most likely
remain on the user's own node unchanged. If evil nodes start getting good
at cracking popular KSKs then all KSKs should be banned and new nodes
should start rejecting them, just like how we now refuse to store KSKs. If
there are only a few isolated incidents, and no epidemic, we can merely
strongly deprecate them. But for now, they are useful and will help to
increase Freenet's popularity and usability.

> The clients will just have to be smarter (capable of carrying the
> mapping name over a redirect if necessary), and links must, like
> bookmarks, be to a secure key all the same.

There is a much greater probability of receiving a subverted KSK the first
time, because after that it'll probably live on your node. If the KSK is
corrupt from the beginning there's nothing we can do.

> Like so often with security, inexperienced users will be likely to slack
> on this if given the option, but in fact they DO want to be sure that what
> they are linking or returning to is actually what they left.

And how do they know that what they just saw was legit? So they download a
subverted Linux kernel the first time, don't notice, and keep on doing
it. It's safest to link through trusted, reliable, secure-key sites to any
new material. Even then, the site maintainers could be deceived into
posting subverted software, but at least you stand a better chance of
finding out about it before it's too late. (And, as you said, too late
comes too soon.)

But really simple keys are essential for bootstrapping Freenet, IMHO. Once
we win a userbase, then we can concentrate on tightening up the
security. Without users it's all useless, so I vote for keeping our
priorities straight.


-- 
Mark Roberts
[EMAIL PROTECTED]


_______________________________________________
Freenet-dev mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/freenet-dev
