So an interesting debate arose between myself and Oskar today on IRC
regarding how nodes find out about each other in 0.4.
As you know, we will have a nifty new announcement protocol which will
reduce the reliance on inform.php and should improve the overall health
of the network, but you still need to bootstrap your node by giving it
the address of at least one other node in the network. The question is:
how does your node get such an address?
The simplest solution would be to keep using the current inform.php
script: a node connects to it on startup and gets a list of other node
addresses. The problem here is that it would be trivial to fill up
inform.php with references to nodes controlled by Mr Evil. Any user
who connected to this script would unwittingly join a network of nodes
controlled by Mr Evil who would then be able to do evil things (as Mr
Evil is known to do).
A more sophisticated solution would be to have one or more central
"trusted" nodes, which can be used to send announcement messages to,
which will be forwarded on into the rest of the network. One attack on
this would be for Mr Evil to flood these nodes with announcement
messages thus ensuring that all references in their datastore point to
evil nodes, thus suffering from the same problem as described in the
previous paragraph. To avoid this, the trusted node could just forward
on announcement messages without making changes to its own datastore.
The problem is that it might be possible to compromise even this
arrangement (Oskar made some vague suggestions although I am not yet
convinced that it would be particularly easy, or couldn't be countered
with one or two additional modifications). I am sure he will correct me
if there is any inaccuracy, however Oskar's view was that each user
should be responsible for securely finding out the address of another
node in the network, without relying on any public list of trusted
nodes.
The problem here is obvious: the vast majority of Freenet users will not
have the ability to do this (hell, I would have trouble finding such a
node address without asking this mailing list, and if everyone needed to
do that we would have 10,000 emails a day just requesting node
addresses!). The most likely (and scariest) scenario is that someone
(perhaps Mr Evil in disguise) would provide a widely known node which
the vast majority of people would use out of convenience with
disastrous consequences. Sure, we could sit in our ivory tower and
tut-tut about idiot newbies, but that really doesn't help Freenet's
users.
So what is the solution? I propose that each distribution site for
Freenet also provides one or more seed nodes (since the place where you
downloaded Freenet already knows your IP address this doesn't really
have a big impact on privacy). These seed nodes should have
configuration options (such as just forwarding announcement messages
with no datastore modification) which would make it much more difficult
for a malicious node to hijack them. Paranoid users are encouraged to
find a node address through secure out-of-band means.
Oierw apparently has another suggested solution which I have asked him
to post to this list, keep an eye out for it.
Thoughts?
Ian.
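As an added illustration (not code from the original message or from Freenet itself), here is a constructed Python model of the two seed-node configurations discussed above: a seed that learns references from announcement messages, and a "forward-only" seed that relays announcements without touching its own datastore. Node names, the datastore size and the flooding volume are assumptions chosen for the demonstration.

```python
"""Toy model of the seed-node bootstrapping problem.

A seed node keeps a bounded datastore of peer references that it hands
to newcomers.  If it also learns references from announcement messages,
an attacker who floods it can evict every honest reference.  A
forward-only seed relays announcements but never changes its store.
"""
from collections import deque


class SeedNode:
    def __init__(self, initial_refs, store_size=20, forward_only=False):
        # Operator-configured references (constructed names, not real nodes).
        self.store = deque(initial_refs, maxlen=store_size)
        self.forward_only = forward_only
        self.forwarded = []  # announcements relayed into the network

    def announce(self, sender):
        """Handle an announcement message from `sender`."""
        self.forwarded.append(sender)  # always relayed onwards
        if not self.forward_only:
            # Mutable seed: the newest reference evicts the oldest one.
            self.store.append(sender)

    def bootstrap(self):
        """References handed to a node that is joining the network."""
        return list(self.store)


def evil_fraction(refs):
    """Share of references pointing at attacker-controlled nodes."""
    return sum(r.startswith("evil-") for r in refs) / len(refs) if refs else 0.0


def simulate(forward_only, honest=30, evil=500):
    """Honest nodes announce first, then the attacker floods; report the
    evil share of what a newcomer is given and how many messages were relayed."""
    seed = SeedNode([f"honest-{i}" for i in range(5)], forward_only=forward_only)
    for i in range(honest):
        seed.announce(f"honest-{i + 5}")
    for i in range(evil):
        seed.announce(f"evil-{i}")
    return evil_fraction(seed.bootstrap()), len(seed.forwarded)


if __name__ == "__main__":
    for mode in (False, True):
        frac, relayed = simulate(forward_only=mode)
        print(f"forward_only={mode}: {frac:.0%} evil refs, {relayed} relayed")
```

In both configurations every announcement is still forwarded, so the forward-only seed loses nothing in reachability; it only stops its bootstrap list from being rewritten by whoever announces most.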