[freenet-dev] #1201: Improved average output bandwidth usage
Before #1201, it was always about 50 KiB/s of the 100 KiB/s which Freenet is allowed to use. Now it has increased: # Total Input: 1.25 GiB (51.3 KiB/sec) # Total Output: 1.63 GiB (66.9 KiB/sec) # Payload Output: 1.20 GiB (49.5 KiB/sec)(74%) Success rates Group P(success) Count All requests5.361% 385,559 CHKs10.695% 163,400 SSKs1.439% 222,159 Local requests 5.472% 51,736 Remote requests 5.344% 333,823 Block transfers 93.023% 31,861 Turtled downstream 46.807% 1,801 Transfers timed out 0.056% 1,801 Turtle requests 75.191% 262 Detailed timings (local CHK fetches) Successful 18.467s Unsuccessful11.046s Average 11.292s
[freenet-dev] History cloaking sucks
Daniel Cheng skrev: > Maybe we should try the another way round: detect if the user use the > same browser > for other web sites and issue a big fat warning for this. > Oh, the sweet irony in us using the same exploit to test if user has visited http://www.google.com/, http://www.ebay.com/, http://www.bbc.co.uk/, etc.. :P - Zero3
[freenet-dev] Freenet 0.7 build 1199, 1200 and installer changes
Matthew Toseland skrev: > 1200: > - More history cloaking bugfixes. > - Make activelinks configurable and turn them off by default. Ian thinks they > are ugly. I'm not sure, any opinions would be welcome. It is however clear > that they slow down loading the homepage. > My opinion is still largely the same: They serve as an intuitive "loading bar" and adds value to the text-links. I think we should keep them, but eventually redesign the standard. E.g. recommending authors to create a set of x images (1 favicon-sized, 1 around the size of the current activelinks, 1 banner-sized, etc...), perhaps based on a common template (e.g. white background with blue border). By moving freesites towards this you can have much more flexibility in creating future fproxy themes (you aren't "stuck" with the current activelinks and their size). Removing them without an alternative would seem like a loss to me :-/. - Zero3
[freenet-dev] History cloaking sucks
On Sun, Jan 18, 2009 at 6:13 PM, Florent Daigni?re wrote: > * svenerichoffmann at gmx.de [2009-01-18 > 00:50:17]: > >> I think the only "real" solution to guarantee safety >> is a dedicated freenet browser. >> >> Trying to control the behaviour and safety of standard browsers >> is serious problematic. As Webmaster i know how much information >> can be gained from visitors. >> >> A dedicated browser would also give full control about timings >> and how much connections to fproxy are made. >> > > Agreed, toad is going on the wrong path here... Just tell the user that > he *needs* to use a separate browser, if he doesn't do so, it's *his* > problem. > > You've already spent hours^wdays implementing the useless history > cloacking thingy (which can be easily bypassed anyway), you've > added one step in the wizard (previously we had an argument > because you wanted me to keep down to a minimum the number > of steps) and no one is happy with the current solution! > > Not even you! Agree. This is the kind of code i consider ugly: - invasive cross across many layers and class, when you are "fix"ing the link twice, you know there are some fundamental design problem. this kind of magic discourage casual code/patch contributor - not fixing the real problem ( there are other ways to know if you are running freenet. for example, just include a http://127.0.0.1:"; onLoad="freenetLoaded();" /> then the website can 99.999% sure you have freenet installed ). Freenet is illegal in many place and *will be* illegal everywhere soon. - reduce usability (copy uri from frost / im ) Maybe we should try the another way round: detect if the user use the same browser for other web sites and issue a big fat warning for this. > >> I think having a taskbar icon siganalizing that freenet service is runing >> and giving some options to configure freenet while runing and offering >> to start the "freenet" browser would be fine and convinient thing. >> >> - Original Message - >> From: "Matthew Toseland" >> To: >> Sent: Sunday, January 18, 2009 12:34 AM >> Subject: [freenet-dev] History cloaking sucks >> >> >> > ___ >> > Devl mailing list >> > Devl at freenetproject.org >> > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >> >> -- >> Ich verwende die kostenlose Version von SPAMfighter f?r private Anwender, >> die bei mir bis jetzt 6089 Spammails entfernt hat. >> Rund 5,8 Millionen Leute nutzen SPAMfighter schon. >> Laden Sie SPAMfighter kostenlos herunter: http://www.spamfighter.com/lde >> >> >> ___ >> Devl mailing list >> Devl at freenetproject.org >> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEAREIAAYFAklzAMIACgkQU/Z/dHFfxte/2wCeOGw3QWbPHAMqe0A/CcDCMTxG > WY8AoK0fWX7A/hQYIYQCGmuKkzdbWqHc > =Uaky > -END PGP SIGNATURE- > > ___ > Devl mailing list > Devl at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >
[freenet-dev] History cloaking sucks
On Sun, Jan 18, 2009 at 7:34 AM, Matthew Toseland wrote: > We decided to get rid of the firefox profile, because it was becoming the > default profile on a few users' systems, causing severe problems as the user > didn't know what a browser profile is let alone how to switch back to the > default one. > > This meant freenet would typically be browsed by the user in their normal web > browser, leaving two problems: > 1. The browser history - freesites browsed would end up in their browser > history, which could easily be probed by malicious web sites on the Internet. > 2. Performance - Freenet requests frequently take a long time, but web > browsers allow a very limited number of parallel connections to a single > host; it would be much better to have lots of connections in parallel. > > We had hoped that the first problem could be solved by "history cloaking", > i.e. adding a ?secureid= parameter to each URL. This would depend on the URL > being accessed, and on a node-specific random string. The browse scripts have > been updated to open the correct initial URL, links in freesites and in > fproxy have been fixed. Unfortunately, there is a serious problem with > this ... > > If a user inserts a file, then copies the URL to announce it, and forgets to > convert the URL into a key by stripping off the ?secureid= at the end and the > http://127.0.0.1:/ at the beginning, it will still be usable; the > receiving user may need to strip the key, but the beginning bit is already > stripped by fproxy. But a malicious attacker can then probe for this URL > (using standard history stealing), assuming they can get the user to visit a > website they control. Just because the user has visited the site with the > original secureid doesn't mean they inserted it, but if a user other than the > original inserter visits it, they will get a warning page asking them to > clear their browser history ... clearly it is an unacceptable risk. Usability / Integration There are some user still using frost (it is getting less spam when i last checked). People copy and parse freenet uri from frost to browser. This hurt people copying link from IM (skype/icq/msn/jabber) to browser too. > For now, I will add an extra stage to the first-time wizard, asking whether > the user wants history cloaking and explaining the caveats either way. But > really the solution is a proper Freenet UI where we have a Key bar rather > than a Location bar. This can be implemented in a regular browser with > javascript, or it can be implemented (more cleanly and safely, and solving > several other problems) by building a dedicated Freenet browser, as saces has > started to work on. > > ___ > Devl mailing list > Devl at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >
Re: [freenet-dev] #1201: Improved average output bandwidth usage
Now with 1201, I have 66KB/s input / 72KB/s output : increase of 100%. On 1/18/09, xor wrote: > > Before #1201, it was always about 50 KiB/s of the 100 KiB/s which Freenet is > allowed to use. Now it has increased: > > # Total Input: 1.25 GiB (51.3 KiB/sec) > # Total Output: 1.63 GiB (66.9 KiB/sec) > # Payload Output: 1.20 GiB (49.5 KiB/sec)(74%) > > Success rates > Group P(success) Count > All requests 5.361% 385,559 > CHKs 10.695% 163,400 > SSKs 1.439% 222,159 > Local requests5.472% 51,736 > Remote requests 5.344% 333,823 > Block transfers 93.023% 31,861 > Turtled downstream46.807% 1,801 > Transfers timed out 0.056% 1,801 > Turtle requests 75.191% 262 > > Detailed timings (local CHK fetches) > Successful18.467s > Unsuccessful 11.046s > Average 11.292s > > ___ > Devl mailing list > Devl@freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
[freenet-dev] #1201: Improved average output bandwidth usage
Before #1201, it was always about 50 KiB/s of the 100 KiB/s which Freenet is allowed to use. Now it has increased: # Total Input: 1.25 GiB (51.3 KiB/sec) # Total Output: 1.63 GiB (66.9 KiB/sec) # Payload Output: 1.20 GiB (49.5 KiB/sec)(74%) Success rates Group P(success) Count All requests5.361% 385,559 CHKs10.695% 163,400 SSKs1.439% 222,159 Local requests 5.472% 51,736 Remote requests 5.344% 333,823 Block transfers 93.023% 31,861 Turtled downstream 46.807% 1,801 Transfers timed out 0.056% 1,801 Turtle requests 75.191% 262 Detailed timings (local CHK fetches) Successful 18.467s Unsuccessful11.046s Average 11.292s ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
[freenet-dev] History cloaking sucks
* svenerichoffmann at gmx.de [2009-01-18 00:50:17]: > I think the only "real" solution to guarantee safety > is a dedicated freenet browser. > > Trying to control the behaviour and safety of standard browsers > is serious problematic. As Webmaster i know how much information > can be gained from visitors. > > A dedicated browser would also give full control about timings > and how much connections to fproxy are made. > Agreed, toad is going on the wrong path here... Just tell the user that he *needs* to use a separate browser, if he doesn't do so, it's *his* problem. You've already spent hours^wdays implementing the useless history cloacking thingy (which can be easily bypassed anyway), you've added one step in the wizard (previously we had an argument because you wanted me to keep down to a minimum the number of steps) and no one is happy with the current solution! Not even you! > I think having a taskbar icon siganalizing that freenet service is runing > and giving some options to configure freenet while runing and offering > to start the "freenet" browser would be fine and convinient thing. > > - Original Message - > From: "Matthew Toseland" > To: > Sent: Sunday, January 18, 2009 12:34 AM > Subject: [freenet-dev] History cloaking sucks > > > > ___ > > Devl mailing list > > Devl at freenetproject.org > > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > > -- > Ich verwende die kostenlose Version von SPAMfighter f?r private Anwender, > die bei mir bis jetzt 6089 Spammails entfernt hat. > Rund 5,8 Millionen Leute nutzen SPAMfighter schon. > Laden Sie SPAMfighter kostenlos herunter: http://www.spamfighter.com/lde > > > ___ > Devl mailing list > Devl at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl -- next part -- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20090118/a1f5b2e6/attachment.pgp>
Re: [freenet-dev] History cloaking sucks
Daniel Cheng skrev: > Maybe we should try the another way round: detect if the user use the > same browser > for other web sites and issue a big fat warning for this. > Oh, the sweet irony in us using the same exploit to test if user has visited http://www.google.com/, http://www.ebay.com/, http://www.bbc.co.uk/, etc.. :P - Zero3 ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
Re: [freenet-dev] Freenet 0.7 build 1199, 1200 and installer changes
Matthew Toseland skrev: > 1200: > - More history cloaking bugfixes. > - Make activelinks configurable and turn them off by default. Ian thinks they > are ugly. I'm not sure, any opinions would be welcome. It is however clear > that they slow down loading the homepage. > My opinion is still largely the same: They serve as an intuitive "loading bar" and adds value to the text-links. I think we should keep them, but eventually redesign the standard. E.g. recommending authors to create a set of x images (1 favicon-sized, 1 around the size of the current activelinks, 1 banner-sized, etc...), perhaps based on a common template (e.g. white background with blue border). By moving freesites towards this you can have much more flexibility in creating future fproxy themes (you aren't "stuck" with the current activelinks and their size). Removing them without an alternative would seem like a loss to me :-/. - Zero3 ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
Re: [freenet-dev] History cloaking sucks
On Sun, Jan 18, 2009 at 6:13 PM, Florent Daignière wrote: > * svenerichoffm...@gmx.de [2009-01-18 00:50:17]: > >> I think the only "real" solution to guarantee safety >> is a dedicated freenet browser. >> >> Trying to control the behaviour and safety of standard browsers >> is serious problematic. As Webmaster i know how much information >> can be gained from visitors. >> >> A dedicated browser would also give full control about timings >> and how much connections to fproxy are made. >> > > Agreed, toad is going on the wrong path here... Just tell the user that > he *needs* to use a separate browser, if he doesn't do so, it's *his* > problem. > > You've already spent hours^wdays implementing the useless history > cloacking thingy (which can be easily bypassed anyway), you've > added one step in the wizard (previously we had an argument > because you wanted me to keep down to a minimum the number > of steps) and no one is happy with the current solution! > > Not even you! Agree. This is the kind of code i consider ugly: - invasive cross across many layers and class, when you are "fix"ing the link twice, you know there are some fundamental design problem. this kind of magic discourage casual code/patch contributor - not fixing the real problem ( there are other ways to know if you are running freenet. for example, just include a http://127.0.0.1:"; onLoad="freenetLoaded();" /> then the website can 99.999% sure you have freenet installed ). Freenet is illegal in many place and *will be* illegal everywhere soon. - reduce usability (copy uri from frost / im ) Maybe we should try the another way round: detect if the user use the same browser for other web sites and issue a big fat warning for this. > >> I think having a taskbar icon siganalizing that freenet service is runing >> and giving some options to configure freenet while runing and offering >> to start the "freenet" browser would be fine and convinient thing. >> >> - Original Message - >> From: "Matthew Toseland" >> To: >> Sent: Sunday, January 18, 2009 12:34 AM >> Subject: [freenet-dev] History cloaking sucks >> >> >> > ___ >> > Devl mailing list >> > Devl@freenetproject.org >> > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl >> >> -- >> Ich verwende die kostenlose Version von SPAMfighter für private Anwender, >> die bei mir bis jetzt 6089 Spammails entfernt hat. >> Rund 5,8 Millionen Leute nutzen SPAMfighter schon. >> Laden Sie SPAMfighter kostenlos herunter: http://www.spamfighter.com/lde >> >> >> ___ >> Devl mailing list >> Devl@freenetproject.org >> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEAREIAAYFAklzAMIACgkQU/Z/dHFfxte/2wCeOGw3QWbPHAMqe0A/CcDCMTxG > WY8AoK0fWX7A/hQYIYQCGmuKkzdbWqHc > =Uaky > -END PGP SIGNATURE- > > ___ > Devl mailing list > Devl@freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
Re: [freenet-dev] History cloaking sucks
* svenerichoffm...@gmx.de [2009-01-18 00:50:17]: > I think the only "real" solution to guarantee safety > is a dedicated freenet browser. > > Trying to control the behaviour and safety of standard browsers > is serious problematic. As Webmaster i know how much information > can be gained from visitors. > > A dedicated browser would also give full control about timings > and how much connections to fproxy are made. > Agreed, toad is going on the wrong path here... Just tell the user that he *needs* to use a separate browser, if he doesn't do so, it's *his* problem. You've already spent hours^wdays implementing the useless history cloacking thingy (which can be easily bypassed anyway), you've added one step in the wizard (previously we had an argument because you wanted me to keep down to a minimum the number of steps) and no one is happy with the current solution! Not even you! > I think having a taskbar icon siganalizing that freenet service is runing > and giving some options to configure freenet while runing and offering > to start the "freenet" browser would be fine and convinient thing. > > - Original Message - > From: "Matthew Toseland" > To: > Sent: Sunday, January 18, 2009 12:34 AM > Subject: [freenet-dev] History cloaking sucks > > > > ___ > > Devl mailing list > > Devl@freenetproject.org > > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > > -- > Ich verwende die kostenlose Version von SPAMfighter für private Anwender, > die bei mir bis jetzt 6089 Spammails entfernt hat. > Rund 5,8 Millionen Leute nutzen SPAMfighter schon. > Laden Sie SPAMfighter kostenlos herunter: http://www.spamfighter.com/lde > > > ___ > Devl mailing list > Devl@freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl signature.asc Description: Digital signature ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
Re: [freenet-dev] History cloaking sucks
On Sun, Jan 18, 2009 at 7:34 AM, Matthew Toseland wrote: > We decided to get rid of the firefox profile, because it was becoming the > default profile on a few users' systems, causing severe problems as the user > didn't know what a browser profile is let alone how to switch back to the > default one. > > This meant freenet would typically be browsed by the user in their normal web > browser, leaving two problems: > 1. The browser history - freesites browsed would end up in their browser > history, which could easily be probed by malicious web sites on the Internet. > 2. Performance - Freenet requests frequently take a long time, but web > browsers allow a very limited number of parallel connections to a single > host; it would be much better to have lots of connections in parallel. > > We had hoped that the first problem could be solved by "history cloaking", > i.e. adding a ?secureid= parameter to each URL. This would depend on the URL > being accessed, and on a node-specific random string. The browse scripts have > been updated to open the correct initial URL, links in freesites and in > fproxy have been fixed. Unfortunately, there is a serious problem with > this ... > > If a user inserts a file, then copies the URL to announce it, and forgets to > convert the URL into a key by stripping off the ?secureid= at the end and the > http://127.0.0.1:/ at the beginning, it will still be usable; the > receiving user may need to strip the key, but the beginning bit is already > stripped by fproxy. But a malicious attacker can then probe for this URL > (using standard history stealing), assuming they can get the user to visit a > website they control. Just because the user has visited the site with the > original secureid doesn't mean they inserted it, but if a user other than the > original inserter visits it, they will get a warning page asking them to > clear their browser history ... clearly it is an unacceptable risk. Usability / Integration There are some user still using frost (it is getting less spam when i last checked). People copy and parse freenet uri from frost to browser. This hurt people copying link from IM (skype/icq/msn/jabber) to browser too. > For now, I will add an extra stage to the first-time wizard, asking whether > the user wants history cloaking and explaining the caveats either way. But > really the solution is a proper Freenet UI where we have a Key bar rather > than a Location bar. This can be implemented in a regular browser with > javascript, or it can be implemented (more cleanly and safely, and solving > several other problems) by building a dedicated Freenet browser, as saces has > started to work on. > > ___ > Devl mailing list > Devl@freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl > ___ Devl mailing list Devl@freenetproject.org http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
[freenet-dev] History cloaking sucks
I think the only "real" solution to guarantee safety is a dedicated freenet browser. Trying to control the behaviour and safety of standard browsers is serious problematic. As Webmaster i know how much information can be gained from visitors. A dedicated browser would also give full control about timings and how much connections to fproxy are made. I think having a taskbar icon siganalizing that freenet service is runing and giving some options to configure freenet while runing and offering to start the "freenet" browser would be fine and convinient thing. - Original Message - From: "Matthew Toseland" To: Sent: Sunday, January 18, 2009 12:34 AM Subject: [freenet-dev] History cloaking sucks > ___ > Devl mailing list > Devl at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl -- Ich verwende die kostenlose Version von SPAMfighter f?r private Anwender, die bei mir bis jetzt 6089 Spammails entfernt hat. Rund 5,8 Millionen Leute nutzen SPAMfighter schon. Laden Sie SPAMfighter kostenlos herunter: http://www.spamfighter.com/lde
