[freenet-dev] closestLocation vulnerability
Robert Hailey
robert at emu.freenetproject.org
Fri Dec 21 17:19:21 UTC 2007
Although intuitive, it seems like initializing (requests/inserts)
closestLocation field to our node's location could make correlation
attacks easier. In fact, if we get a request from a node whose
location matches the closestLocation value, we know that either (1)
they originated the request, or (2) we are the first in their peer
list they asked (the request is currently making bee-line progress;
which if an attacker has a known node location less-than and greater-
than connected, they could rule out?).
I thought it might help to initialize closestLocation values to a
random-but-farther-than-our-location value, but it seems that would be
even more obvious (as the default behaviour should have then made the
closestLocation to match our own). Would it help to initialize it to a
random location 'between' us and the closer of our peers?
Would it ever make sense to receive a request whose closestLocation-so-
far is further than the node we received it from? Perhaps we should
reject it or set it for them?
--
Robert Hailey
e.g. in freenet/node/NodeClientCore.java:
Object o = node.makeRequestSender(key.getNodeCHK(), node.maxHTL(),
uid, null, node.getLocation(), false, localOnly, cache, ignoreStore);
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://emu.freenetproject.org/pipermail/devl/attachments/20071221/4acb4c87/attachment.htm
More information about the Devl
mailing list