Seedserver - our script/app/whatever that runs on our servers (freenetproject.org) and takes care of the harvesting
Seednode - well, the seednode
Seedclient - a new Freenet node which wants to bootstrap into Freenet
Seedservice - a service which is run on the seednode to be addressed by the Seedserver

Stage 1

We deliver the public key of our Seedserver with Freenet (e.g. in the installer or jar). Once a node chooses to become a Seednode (Alice), it sends its own public key and the port on which it runs the Seedservice, encrypted with the public key of the Server, to our Seedserver. The Seedserver sends a random number encrypted with the public key of Alice, who has to return it. Now the Server and the Node know each other's public key and can't be MITMed, under the assumption that the installer was correct. The following traffic can be encrypted.

Stage 2

The Seedserver asks some already established Seednode (Bob) to insert a file which holds a random number encrypted with the public key of Alice. Bob reports the key under which this has been inserted to Alice, who fetches it and sends the random number to the Server. If Alice can't fetch the key, we ask another two Seednodes to insert it; if it still fails, Alice is considered not to be connected (obviously we have to have a long timeout here). Now the Server knows if Alice is connected and can add her to his Seednodes list/DB.

A Seednode has to follow this routine every 24 hours and whenever something changes (different IP, disable Seedserver, etc.; obviously if a seednode goes offline it doesn't have to prove it's connected to Freenet). The Server only accepts changes from Seednodes which prove they can read a random number encrypted with the public key of the Seednode entry they want to alter. The Server removes (or marks as disabled) Seednode entries that weren't updated in 26 hours, and those of Seednodes that didn't react to insert requests more than 3 times in a row (maybe disable them and try again 30 min. later).

Possible Attacks:

- manipulated installer - Well, this is a general problem, not only for seednode harvesting. We have to come up with a suitable solution for this (SSL with a trusted certificate (expensive), signed installer (how can our users know whether to trust the public key?)).
- DoS the Seedserver - well, then you could probably also DoS our webserver and prevent our users from downloading the installer and seednodes.fref.
- An attacker could add his node as a Seednode - well, that is an obvious problem for all of the automatic methods and also partly applies to Seednodes which are added manually, and to Opennet in general. If an attacker successfully added a Seednode, he could have a whole farm of manipulated nodes to which a new node is connected, and the new node can't tell. This is especially a problem if the ghost-net has some kind of proxy which relays requests in its own name, so the node can't get other opennet connections and doesn't know it's not on the real Freenet; and if it gets, or even worse inserts, some content which in most countries is illegal, the attacker can tell because he could spider the Freenet and build a blacklist.

Looking forward to your comments

Neo at NHNG
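An added simulation (example code, not from the original post or the Freenet project) of the Stage 2 connectivity proof and the server-side bookkeeping described above: the insert-and-fetch challenge with Bob plus two fallback inserters, the three-unanswered-requests rule and the 26-hour expiry. The Seednode/Seedserver classes, the shared dict standing in for the network and the key format are assumptions, and the public-key encryption of the random number is left out.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

EXPIRY = 26 * 3600        # entries not updated within 26 hours are disabled
MAX_FAILURES = 3          # 3 unanswered insert requests in a row -> disabled
MAX_INSERTERS = 3         # Bob, then "another two Seednodes"

@dataclass
class Seednode:
    name: str
    net: Optional[dict]   # constructed key->data store standing in for Freenet; None = offline
    def insert(self, data):
        if self.net is None:
            return None
        key = "CHK@" + secrets.token_hex(8)   # hypothetical key format
        self.net[key] = data
        return key
    def fetch(self, key):
        return self.net.get(key) if self.net is not None else None

@dataclass
class Entry:
    last_update: float
    failures: int = 0
    disabled: bool = False

class Seedserver:
    def __init__(self):
        self.entries = {}   # seednode name -> Entry (the Seednodes list/DB)
    def prove_connected(self, alice, inserters, now):
        """Stage 2: an established seednode inserts a nonce; Alice must fetch and echo it."""
        for bob in inserters[:MAX_INSERTERS]:
            nonce = secrets.token_hex(16)            # would be encrypted to Alice's key
            key = bob.insert(nonce)                  # Bob reports the key to Alice
            if key is not None and alice.fetch(key) == nonce:
                e = self.entries.setdefault(alice.name, Entry(now))
                e.last_update, e.failures, e.disabled = now, 0, False
                return True
        e = self.entries.get(alice.name)             # failed: count a strike if known
        if e is not None:
            e.failures += 1
            e.disabled = e.disabled or e.failures >= MAX_FAILURES
        return False
    def active(self, now):
        """Apply the 26-hour rule and list the seednodes currently handed out."""
        for e in self.entries.values():
            if now - e.last_update > EXPIRY:
                e.disabled = True
        return sorted(n for n, e in self.entries.items() if not e.disabled)
```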