On Monday 28 July 2008 11:36, Julien Cornuwel wrote:
> Volodya wrote:
> |> Hi,
> |>
> |> People on Frost are wondering about messages displayed during freenet
> |> start :
> |>
> |> INFO | jvm 2 | 2008/07/25 17:07:14 | Note that this version of Freenet
> |> is still a very early alpha, and may well have numerous bugs and design
> |> flaws.
> |> INFO | jvm 2 | 2008/07/25 17:07:14 | In particular: YOU ARE WIDE OPEN TO
> |> YOUR IMMEDIATE PEERS! They can eavesdrop on your requests with
> |> relatively little difficulty at present (correlation attacks etc).
> |>
> |> The question is : Are these messages here because you didn't remove them
> |> after the release of 0.7 ? Are you planning to leave them until 1.0 ?
> |> Until the network is 100% secure (eg. forever) ?
> |>
> |> Regards,
> |
> | I think that the messages should be there until they are no longer true. For
> | example being open to your immediate peers will remain true until some sort of
> | encrypted tunnels will be implemented,
> 
> Right.
> 
> | the message about software being in alpha
> | might be replaced by the GPL "AS IS" warning...
> 
> Sounds better, "very early alpha" isn't really compatible with a
> release, even pre-1.0.
> 
> | P.S. Where is that discussion on frost? I haven't seen it.
> 
> It's on fr.freenet, the topic is "Noeud qui redemarre tout seul et
> message de securité"
> 
> A user saw the messages and was a bit afraid ;)

Okay, well, we do need some kind of warning... We have one in the wizard, 
maybe we should just dump that to stdout?

We should probably show the standard GPL thingy...

Basically the issues here are:
- Freenet has serious known design flaws.
- Freenet almost certainly has serious unknown design flaws and bugs.
- Major known attacks include:
-- Correlation attacks. If the attacker is connected to you, and he is able to 
identify content (e.g. because it is published on indexes), he has a good 
chance of identifying what you request and insert.
-- Datastore seizure and remote probing: On much the same assumptions, if an 
attacker can either obtain your datastore (e.g. by search and seizure), or is 
connected and can remotely probe it, he can find out what you've been 
downloading/uploading...
-- Adaptive search: It is probably possible, at least on opennet, for an 
attacker to trace an identity publishing large amounts of data, by key based 
attacks and progressively approaching the originator.

There are proposed solutions for most of these problems, some will be 
implemented in 0.8, but we will remain fairly vulnerable until at least 
0.9...