I agree with this view too. We just don't have enough developer time to worry
about this *and* progress with more productive features. Even Tor, which has
many times more resources than us, doesn't worry about swap/etc/whatever.
The theoretical scope of freenet design is to have secure and anonymous storage
and transfer. (Everything unknown to you) is encrypted so that you can have
plausible deniability if your machine gets seized and examined. There is no
difference between running a node, and never using it to actually obtain stuff
for yourself - you're still providing "the freenet service" to others.
However, once you access data in a readable form, you've decrypted it. This is
just like accessing anything on any other service (looking at web pages,
reading email, etc). Your computer is going to cache it, leaving traces of what
you've done.
In this scenario, it's up to the individual what level of security they want.
It can only be up to the individual - only they know what they've accessed, and
can get in trouble for. Security that you don't need is just a waste of time
and resources. Also, if we spend this much time on an issue out of our scope
we're effectively DDoSing our own development time.
So yes we should just drop "physical security". To do it properly we'll have to
fuck with parts of people's machines we really shouldn't be fucking with; and
if they are that paranoid (I am) they should just encrypt their entire disks,
which will cover non-freenet stuff too.
Obviously, we should try to make it clear (like Tor[1]) what Freenet DOES and
DOES NOT do. "the freenet service" only tries to provide an
anonymous/DDoS-resistant insert/request service, it doesn't try to protect you
after you actually *get* that data.
X
[1] http://www.torproject.org/download.html.en#Warning
On 01/08/10 00:30, Steve Oliver wrote:
That's a good point, stop worrying about the physical side of things because
it is a bit pointless. Perhaps just recommend that the user install
Truecrypt and refer them to the Truecrypt site, give them a strong warning
that if their drive is not encrypted, Freenet can't actually protect them
from physical attacks.
On Jul 31, 2010, at 9:52 AM, xor wrote:
On Friday 30 July 2010 04:29:54 pm Matthew Toseland wrote:
1. Offer to turn on encrypted swap in the installer. Keep encrypting
everything. Warn users about saving files out, and media files, and
work towards playing media files in an embedded (e.g. java) player that
doesn't use plaintext temp files.
Offering to reconfigure swap to be encrypted is out of scope. And not
possible on Windows.
2. Give up on encrypting anything on disk, and offer to install
TrueCrypt if it isn't already installed.
Offering TrueCrypt is out of scope.
I see a third option:
3. Realize that most users have a real LOAD of stuff on their hard disks
which could get them screwed. Get rid of physical security. Encrypting the
Freenet stuff does not help because they will use browsers which cache
dangerous stuff and do downloads of dangerous stuff etc. The really
paranoid ones will use TrueCrypt anyway. And encryption makes stuff slow.
I mean it IS nice that we have a physical security level, but I wouldn't
have offered that feature from the beginning.
If you want to be safe when your computer gets seized you absolutely have
to do full disk encryption, something will ALWAYS leak out otherwise.
_______________________________________________
Devl mailing list
http://freenetproject.org/cgi-bin/mailman/listinfo/devl