[freenet-support] The site ignores an important FAQ
Matthew Toseland
toad at amphibian.dyndns.org
Mon Apr 28 18:09:40 UTC 2008
On Monday 28 April 2008 05:38, Simply Paranoid wrote:
> Hello fellow paranoids!
>
> I've spent ~a good hour on the site trying to find answers for 2 simple
> yet important questions regarding insecure mode:
> 1. Can my ISP know what am I downloading/uploading to FreeNet?
Not easily. Your ISP can for example MITM your downloading Freenet in the
first place, and replace it with a rootkit. :) Or slightly more subtle,
replace your seednodes.fref with a bunch of evil nodes he controls.
If you have a trust path to nextgens' SSL cert (with which the installer is
signed), or if you build from source (and manually inspect it!), you are a
bit safer, but you still have the seednodes replacement threat. One solution
to that is to only connect to your friends (but you'd have to exchange
noderefs out of band, or encrypted with keys which have been verified out of
band e.g. by checking fingerprints over the phone).
Note that your ISP can do this with any executable you download from a non-SSL
site, e.g. linux graphics drivers.
> 2. Can the nodes I download/upload from (Read: NSA in disguise) see what
> I'm doing?
> Of course, we assume they don't use correlation attacks or any other
> ridiculous & unlikely methods.
If they don't attack you they can't see what you're doing. That's kinda by
definition... :)
Unfortunately correlation attacks are far from ridiculous and unlikely. They
are feasible for a sufficiently motivated and resourced attacker. They are
easier for big files or long-lived Frost identities.
Another class of attack is where the attacker is mobile, able to connect to a
small subset of the network at any one time. If Mallory can identify which
blocks belong to a specific requestor, he can gradually move towards the
requestor.
>
> I believe the answer to the second question is "yes until 0.8", though
> I'm not sure. The first question, however, is essentially unmentioned at
> all, at least directly*. If both the ISP and connecting nodes can read
> the content, then I find very little difference between FN and say,
> Limewire!
Hopefully 0.8 will improve significantly on request security. However, it was
just as bad (give or take a percentage) in 0.5. And 0.7 has darknet, which
opens up new options to significantly improve security, as well as network
survivability.
>
> Anyway it would be nice to see this info on the site in order to compare
> between FreeNet and similar projects like I2P.
> Thanks and keep it up :)
You should read the wiki:
http://wiki.freenetproject.org/FreenetZeroPointSevenSecurity
>
> *http://archives.freenetproject.org/message/20080407.160132.8fa35bc2.en.html
> touches the issue vaguely.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://emu.freenetproject.org/pipermail/support/attachments/20080428/bd6b9c13/attachment.pgp
More information about the Support
mailing list