On Friday 02 November 2007 23:25, Jack O'Lantern wrote: > Hi, > > it took me some time but I managed to subscribe to > this list through TOR. I've sent and canceled a > previous message, sorry for the confusion. > > I've attached a patch for freenet 0.5. It fixes the > Diffie-Hellman exponential weakness. I hope I caught > every instance of this weakness in the code. Please > apply this patch and build freenet 0.5-5108. > > "Nomen Nescio" kindly posted the patch to the support > list in the form in which I posted it on Frost at Freenet > 0.5. The only difference in the attached patch is that > the build.xml file remains unchanged, so you can use > your own build process.
The patch posted to support has been applied (without the build.xml change). It was rather troublesome to apply probably because of its going via Frost (tab to space translations?). The weak DH keys issue is not the only security problem with Freenet 0.5, and as it is unmaintained by the core team, we would be happy for you to have an SVN account and maintain Freenet 0.5. Major security issues with 0.5 (there are probably more): - CSS filter updates - HTML filter updates - Link level encryption can be cheaply DoSed on CPU (hence JFK in 0.7); this can be done stealthily as it doesn't require much bandwidth and freenet commonly uses lots of CPU, it would have the effect of overloading the node and making traffic go elsewhere, thus the attacker would know that any requests from it originate locally. This might be possible on 0.7 but is definitely easier on 0.5 because of the link level crypto. - The most effective attack may simply be to cause lots of connection churn. This is also a problem on 0.7 opennet. - And of course, 0.5 is strictly opennet (thus harvestable), routing table takeover is probably not hard, and it's unlikely given current knowledge that NGR will scale (and likely that it can be manipulated). > > Jack -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/support/attachments/20071113/4bf6a6e8/attachment.pgp>
