[freenet-dev] Using standard ports of encrypted protocols
On Wednesday, 20. May 2009 18:14:53 Matthew Toseland wrote:
> Depends on your threat model. Freenet traffic clearly doesn't look like
> these without proper stego transport plugins, and the connections between
> nodes definitely don't look like them, unless what you are imitating is
> purely peer to peer, in which case you need to look at the other nodes'
> connections as well and/or the timing.

Is a steganography transport plugin planned? The option of going really deep into hiding is one of the ideas behind freenet which appealed to me the most.

> Also, we can't use TCP at the
> moment.

That's why I searched for services which also use UDP. Else the list would have been far longer... :)

Best wishes,
Arne
[freenet-dev] Usability test results
On Monday 18 May 2009 14:50:30 Thomas Sachau wrote:
> Arne Babenhauserheide wrote:
> > On Saturday, 16. May 2009 16:02:19 Thomas Sachau wrote:
> >> Additionally, Gentoo is about choice, if there is a warning, the user can
> >> choose, with a forcing script, there is no choice, which is a bad idea for
> >> this philosophy, therefore I vote against such a script for linux.
> >
> > But in Gentoo it would also be possible to add a use flag to select the
> > browser, which just tells freenet which browser to use.
>
> Do you know the numbers of possible browsers? You don't want to add a useflag for each of them and
> additionally this would force the user to use exactly the one browser selected by useflag.
> Additionally, what happens, when the selected browser has no privacy mode enabled, while another has
> it? This was and still is no real option.
> Simple and easy is only the warning page, everyone sees it, everyone can act as written there. All
> choices still open and if anyone chooses to act like an idiot, it is his own problem.

It is not simple and easy, because the user sees the warning page, and has to act on it. We should call a secure browser in the first place, and in particular, the Browse Freenet link, which everyone who can't memorise http://127.0.0.1:/ will use, should start either a browser in incognito mode or a browser chosen by the user for browsing Freenet.
[freenet-dev] Usability test results
> > > each others, this is not true for linux. Where would you place that
> > > script? How would you check which browser the user wants to use? This
> > > idea looks more like the way user handling is done on windows or
> > > ubuntu: Expect him to know nothing and try to do everything for him.
> > > Might be nice for beginners and if it works, but makes things worse for
> > > experienced users, who want to do it different and also makes it harder,
> > > if there are problems.
> > > Imho you can't beat stupidity. Either users read a message and act the
> > > right way or they don't. You cannot prevent them from doing bad things.
> > >
> > > Additionally, Gentoo is about choice, if there is a warning, the user can
> > > choose, with a forcing script, there is no choice, which is a bad idea
> > > for this philosophy, therefore I vote against such a script for linux.
> >
> > Well, we already have a Browse Freenet script on all three platforms.
> > Currently it detects browsers that we know about. You don't have to use it
> > if you don't want to. But we should extend it to use incognito mode if
> > possible, and to favour browsers with such support. I dunno how we can
> > determine whether such a mode works with the particular installed version
> > though...
>
> I don't see the point forcing the user to choose. I don't see the point
> displaying a warning neither btw:
> should we detect all the potentials security threats (or unused benefits) on
> the user's system?
> Things like that are just waste of time. What would be good instead is a
> documentation about how to have a secure environment in which you can run
> freenet, and display a link to it during the wizard (or display the howto
> directly).
>
> Additional code to detect if the user use freenet in a secure environment is
> just a waste of time. Good documentation isn't.

Freenet should, like all security software, be secure by default. When it cannot be secure it should TELL THE USER. We are not talking about detecting trojans here: we explicitly call a web browser, hence it is our responsibility.
[freenet-dev] Separate browser or not
On Sunday 17 May 2009 11:41:00 Zero3 wrote:
> Matthew Toseland wrote:
> >> Detecting the version of an installed application in the launcher (at
> >> least in Windows) shouldn't be a problem. It will most likely be
> >> registered in the registry next to the .exe path we are checking already
> >> for the individual browsers. We can also check the version info of .exes
> >> as an alternative (most Windows applications are compiled with various
> >> static info like version and author). The Windows launcher is already
> >> running Chrome with a command line argument making it start in privacy
> >> mode btw.
> >
> > You should prioritise Chrome with privacy mode over Firefox without it.
>
> Agreed: https://bugs.freenetproject.org/view.php?id=3118.

I thought you had already done this?
[freenet-dev] Separate browser or not
On Sunday 17 May 2009 11:43:26 Zero3 wrote:
> Colin Davis wrote:
> > As implemented currently, Private browsing is all-or-nothing in
> > FF3.5beta4 and Safari, but Google Chrome is per-window.
> >> Firefox has issues with coalescing windows, no? If I run firefox with command
> >> line options to use one profile, it may use another if a window is already
> >> open, there are things like that... Is opening a window with privacy mode
> >> enabled safe and reliable?
>
> I guess both ways should work fine for us? We simply launch the browser
> with the command line arguments, and let the browser handle the
> window/tab management?

No, Firefox might very well end up opening a window in non-incognito mode.
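The launcher behaviour argued for in the messages above (prefer a browser that can be started in private mode, keep Firefox from reusing an already open window, and tell the user when neither is possible), as an added example that is not the project's own Browse Freenet script. The function names, the list of binary names and the Firefox profile name `freenet` (assumed to exist already) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not Freenet's script): pick a browser for the web interface,
# preferring one that can be started in a private mode.

# have NAME: true if NAME is an executable on PATH.
have() { command -v "$1" >/dev/null 2>&1; }

# pick_browser: print "<tier> <command...>" for the best installed browser.
#   private  - private mode is requested per window on the command line
#   isolated - separate process and profile, but history is still written
#   plain    - no isolation at all; the caller must warn the user
# Returns 1 when no known browser is installed.
pick_browser() {
    for b in google-chrome chromium chromium-browser; do
        if have "$b"; then echo "private $b --incognito"; return 0; fi
    done
    if have firefox; then
        # -no-remote keeps firefox from handing the URL to an instance that
        # is already running; -P selects a dedicated profile (assumed name).
        echo "isolated firefox -no-remote -P ${FREENET_PROFILE:-freenet}"
        return 0
    fi
    for b in xdg-open sensible-browser; do
        if have "$b"; then echo "plain $b"; return 0; fi
    done
    return 1
}

# browse_freenet URL: launch the chosen browser and say so on stderr whenever
# the launch is weaker than private mode.
browse_freenet() {
    url=$1
    choice=$(pick_browser) || {
        echo "No known browser found; open $url manually." >&2
        return 1
    }
    tier=${choice%% *}   # first word of the choice
    cmd=${choice#* }     # remaining words: the command line
    case $tier in
        isolated) echo "Note: dedicated profile, not private mode; history stays in that profile." >&2 ;;
        plain)    echo "WARNING: $cmd has no private mode; history and cache may record Freenet pages." >&2 ;;
    esac
    # Word splitting of $cmd is intended: it only holds the fixed strings above.
    $cmd "$url" &
}
```

The URL of the local web interface is passed in by the caller, since the thread does not give the port.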
[freenet-dev] Using standard ports of encrypted protocols
Depends on your threat model. Freenet traffic clearly doesn't look like these without proper stego transport plugins, and the connections between nodes definitely don't look like them, unless what you are imitating is purely peer to peer, in which case you need to look at the other nodes' connections as well and/or the timing. Also, we can't use TCP at the moment.

On Saturday 16 May 2009 23:52:15 Arne Babenhauserheide wrote:
> Hi,
>
> It would be nice, if I could tell freenet to use standard ports for
> communication - especially for connections inside a LAN (where the possibility
> that an admin is watching all used ports might be a bit higher than on the
> internet).
>
> I'd think it would be useful to just test a list of ports normally used for
> communication (ideally encrypted), so that encrypted data wouldn't draw
> suspicions (and so we don't need to implement full steganography at once, but
> can move towards it).
>
> Maybe the option could include a list with the note "Only select services you
> DON'T want to run!"
>
> Some ideas, not all encrypted:
>
> - 2190/UDP TiVoConnect Beacon
> - 2593/TCP,UDP RunUO - Ultima Online server
> - 3723/TCP,UDP Used by many Battle.net Blizzard games (Diablo II, Warcraft
>   II, Warcraft III, StarCraft)
> - 3724/TCP,UDP World of Warcraft Online gaming MMORPG
> - 4000/TCP,UDP Diablo II game
> - 6619/TCP,UDP odette-ftps, Odette File Transfer Protocol (OFTP) over TLS/SSL
> - 6891-6900/TCP,UDP Windows Live Messenger (File transfer)
> - 6901/TCP,UDP Windows Live Messenger (Voice)
> - 28910 Nintendo Wi-Fi Connection
>
> (all information from
> http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
> I'm sure there are more...)
>
> Is there any danger in using known ports?
>
> Best wishes,
> Arne
Re: [freenet-dev] Usability test results
On Monday 18 May 2009 18:03:50 Clément wrote:
On Saturday 16 May 2009 20:10:00, Matthew Toseland wrote:
On Saturday 16 May 2009 15:02:19 Thomas Sachau wrote:
Matthew Toseland wrote:
On Friday 15 May 2009 16:35:40 Thomas Sachau wrote:
Matthew Toseland wrote:
On Thursday 14 May 2009 18:35:07 Thomas Sachau wrote:
Matthew Toseland wrote:

My observation: Can we get rid of the I will configure it manually choice? And maybe the welcome page? (#3094)

You want to force everyone to use the Wizard?

Why would that be bad?

What if I don't want to use the Wizard? Also, if I removed the wizard done line (intentionally or by mistake), a new run would remove my custom settings. With the option, I can just stop the wizard and no harm done.

If you know enough to skip the wizard you should shutdown the node, edit the config file and tell the node you have done the wizard!

Is there a need for editing the config file? You can set everything with the config section too, but without the i want to do it myself, you can't disable the wizard from the GUI.

Related idea: We should maybe tell the user in the installer that they should use a separate browser for Freenet, rather than in the wizard? And then let them choose one, and then use it when they click on the icon to browse Freenet? (#3104)

This would produce additional work for people packaging freenet, since they would have to warn the user themselves, while users tend to ignore the output of the package manager. So this would lower the chance of people noticing the request for a different freenet browser/profile and therefore I am against it. I suggest the current way: Warning during first call of the webinterface like it is currently done.

Well, maybe on linux, with the packages that we don't have yet...

Did you miss the Gentoo ebuilds? Isn't it a goal to get other distros to package it too? Just because it did not happen until now, doesn't mean it won't happen some time in the future. May just need more time since Gentoo as source based distro may be a bit better for packages than binary distros.

No, it is a goal to package it with private repositories. Having a debian package that is frozen for 3 years is not useful at the present time.

And if we have it for linux, why would you like to add additional code for windows (both in the installer and in freenet, which would have to detect the OS and then decide to show the warning or not)?

Well, we could do something similar for *nix, no? Launch a suitable privacy enabled browser when the user runs the browse-freenet script?

You don't know the user system. While windows user systems may be similar to each others, this is not true for linux. Where would you place that script? How would you check which browser the user wants to use? This idea looks more like the way user handling is done on windows or ubuntu: Expect him to know nothing and try to do everything for him. Might be nice for beginners and if it works, but makes things worse for experienced users, who want to do it different and also makes it harder, if there are problems. Imho you can't beat stupidity. Either users read a message and act the right way or they don't. You cannot prevent them from doing bad things. Additionally, Gentoo is about choice, if there is a warning, the user can choose, with a forcing script, there is no choice, which is a bad idea for this philosophy, therefore I vote against such a script for linux.

Well, we already have a Browse Freenet script on all three platforms. Currently it detects browsers that we know about. You don't have to use it if you don't want to. But we should extend it to use incognito mode if possible, and to favour browsers with such support. I dunno how we can determine whether such a mode works with the particular installed version though...

I don't see the point forcing the user to choose. I don't see the point displaying a warning neither btw: should we detect all the potentials security threats (or unused benefits) on the user's system? Things like that are just waste of time. What would be good instead is a documentation about how to have a secure environment in which you can run freenet, and display a link to it during the wizard (or display the howto directly). Additional code to detect if the user use freenet in a secure environment is just a waste of time. Good documentation isn't.

Freenet should, like all security software, be secure by default. When it cannot be secure it should TELL THE USER. We are
[freenet-dev] XMLLibrarian binary on downloads.freenetproject.org
XMLLibrarian on downloads.freenetproject.org was compiled with Java 6 and is emitting UnsupportedClassVersionError. Please recompile it with Java 5 and update the binary.

___
Devl mailing list
Devl@freenetproject.org
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl