On Tue, Jun 11, 2013 at 10:29 AM, Steve Weis <stevew...@gmail.com> wrote:
> Hi. I took a quick look while procrastinating at work and found a few
> potential issues:

Thanks for taking a look. I'll be sure to incorporate your feedback.

>
> - What's up with this hard-coded salt?

Lack of love for the text client. I should just delete that code. The primary user interface is the HTTP endpoint.

> - Any specific reason you picked CTR?

CTR is widely recommended. Cryptography Engineering specifically recommends it.

> - Use mlock here? I don't think that will help you if you run within a guest
> VM though.
> - Buffer overflow on password input

Absolutely true.

> - Is this safe for non-terminated strings?

Gah, must have missed that in my review.

> - Why do you have this checksum if you just HMACed the ciphertext?

This checksum is an important part of DiNet. Each packet comes with a checksum that each router uses to verify the message integrity (not authenticate, mind you) and to make sure it hasn't seen this message before. As each router sends every packet it hasn't seen recently to every machine that is connected to it, it is important to not re-send data.

> - HMAC verification is vulnerable to a timing attack. Since you're using
> CTR, it's that much easier to forge messages.

I will have to look into this in my Javascript client as well. Do you have any recommendations?

> - There's no forward security.

I am aware. This is a feature I would love to add to the Javascript client.

>
> This is by no means comprehensive. I've only been looking at a couple files.

Thanks for looking! I appreciate the feedback.

Sean

>
>
> On Tue, Jun 11, 2013 at 9:52 AM, Sean Cassidy <sean.a.cass...@gmail.com>
> wrote:
>>
>> Hello all,
>>
>> I have created a simple anonymity network that broadcasts all messages
>> to participants so that you cannot associate chatters.
>>
>> https://bitbucket.org/scassidy/dinet
>>
>> There is a simple sample client available, but you could write your
>> own client to build your own features atop the network.
>>
>> http://projects.existentialize.com/dinet/client.html
>>
>> Please let me know if you have any comments.
>>
>> Sean
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at compa...@stanford.edu or changing your settings at
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
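
An added example addressing the timing-attack point raised in the thread (not code from DiNet or from either participant): it contrasts an early-exit tag comparison with a constant-time one, counting bytes examined instead of measuring time so the difference is deterministic. `TAG_LEN`, the function names, and the tag bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define TAG_LEN 32            /* assumed tag size; not taken from DiNet */
typedef unsigned char u8;

/* Early-exit comparison (memcmp-style): the pattern behind a timing leak.
 * *steps records how many bytes were examined before returning. */
static int leaky_equal(const u8 *a, const u8 *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i]) return 0;   /* work depends on first mismatch */
    }
    return 1;
}

/* Constant-time comparison: always reads all n bytes and folds every
 * difference into one accumulator, with no data-dependent branch. */
static int ct_equal(const u8 *a, const u8 *b, size_t n, size_t *steps)
{
    volatile u8 diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (u8)(a[i] ^ b[i]);
    *steps = n;
    return diff == 0;
}

/* Constructed input: a received tag agreeing with the expected tag in its
 * first `prefix` bytes. Returns bytes examined; *equal gets the verdict. */
static size_t steps_for_prefix(int use_ct, size_t prefix, int *equal)
{
    u8 expected[TAG_LEN], received[TAG_LEN];
    size_t steps = 0;
    for (size_t i = 0; i < TAG_LEN; i++) {
        expected[i] = (u8)(0xA0 + i);
        received[i] = (i < prefix) ? expected[i] : (u8)~expected[i];
    }
    *equal = (use_ct ? ct_equal : leaky_equal)(expected, received, TAG_LEN, &steps);
    return steps;
}

int main(void)
{
    int eq;
    for (size_t p = 0; p <= TAG_LEN; p += 8)
        printf("prefix %2zu: early-exit %2zu, constant-time %2zu\n", p,
               steps_for_prefix(0, p, &eq), steps_for_prefix(1, p, &eq));
    return 0;
}
```

In production code, prefer the vetted comparison primitive shipped by the crypto library in use (for example OpenSSL's `CRYPTO_memcmp`) over a hand-rolled loop.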