uhm, this isn't all too clear for me, so i'll ask some questions:

> All we have to do to have reasonably secure plugins on Freenet:
> - Each plugin has its own client-cache.

ack, makes sense to keep plug-ins away from each other

> - Any request which is satisfied from this cache takes 2.0-2.5 seconds
>   (randomized).

why?

> - Any request which is satisfied from the local datastore, or from the
>   network, takes precisely 30-35 seconds (randomized).

why? having fproxy wait another half minute for displaying something is not all too good imho. what's the reasoning for this?

> - The above may be subject to load issues. Presumably we can allow each
>   plugin a request every X seconds... We may need to up them to deal
>   with load.
> - The plugins are allowed to access the clock, and even to persist a
>   certain amount of data.

can System.currentTimeMillis() be protected from access? i don't know of this... why anyway?

> - The plugins cannot figure out which node they are on by timing
>   requests. The delays above are implemented at the level of
>   client.async; we do not add in delays after the fetch (as this might
>   introduce vulnerabilities via updatable keys).
> - The plugin CAN identify the time of day when it is used. This is
>   obviously a serious vulnerability, but there are some relatively easy
>   mitigations, and it exists even in e.g. Freemail or posting freesites;
>   it is not unique to plugins. All we can do is warn people about
>   intersection attacks and recommend they run their nodes 24x7.

i think nearly all plugins need to know what the time is, be it for internal timed events or benchmarking

> - The plugin can maybe identify fluctuations in the system load
>   depending on time of day, but this is difficult due to the above
>   randomizations. It may well still be possible, but would probably
>   require correlation over a long period.

it's not too serious imho. end of the line is: if i allow a program to run on my computer i give very much control to it. so the consensus is, if i allow a fred plugin to run on my node i must trust it just the same as a standalone program. i mean, the plugins have to be manually installed, or not? frost and fuqid are widely used and have many rights on the computer

> - We warn users about the remaining security issues. Obviously the only
>   way to be totally sure a plugin is safe is to have a large community
>   of people inspect its source code, but I suspect we can produce
>   something which gives a reasonable level of confidence.

who develops these plugins? one should only use plugins that come from a credible source. people who don't respect safety simply CAN'T be helped...
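The reasoning behind the fixed 30-35 second window, as an added illustration that is not part of the thread and not Freenet's code: a constructed model in which a plugin times its own requests, showing that without normalization the latency alone tells it whether a key was in the local datastore (a fingerprint of the node it runs on), and that drawing the response time from a window chosen only by source class removes that signal. The timings and the threshold oracle are assumptions for the simulation.

```python
import random

# Constructed model (not Freenet's code) of the delay normalization described above.
# The plugin only ever observes a response time drawn from a window chosen by the
# source class: its own client-cache, or "anything else" (local datastore or network).
CACHE_WINDOW = (2.0, 2.5)     # seconds, for client-cache hits
OTHER_WINDOW = (30.0, 35.0)   # seconds, for datastore hits and network fetches


def observed_latency(source, actual_seconds, rng=None, normalize=True):
    """Time a plugin measures for one request.

    source is 'cache', 'datastore' or 'network'; actual_seconds is the real
    fetch time. With normalize=False the raw time leaks straight through.
    A fetch slower than its window is still reported late (max), which is the
    residual leak the windows have to be sized generously enough to keep rare.
    """
    rng = random if rng is None else rng
    if not normalize:
        return actual_seconds
    lo, hi = CACHE_WINDOW if source == "cache" else OTHER_WINDOW
    return max(rng.uniform(lo, hi), actual_seconds)


def timing_oracle(latency, threshold=1.0):
    """A hostile plugin's guess: fast answers must have come from the local datastore."""
    return "datastore" if latency < threshold else "network"


def oracle_accuracy(normalize, n=2000, seed=7):
    """Fraction of datastore-vs-network guesses the oracle gets right."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(n):
        source = rng.choice(["datastore", "network"])
        # Constructed timings: the local store answers in well under a second,
        # a network fetch takes seconds.
        actual = rng.uniform(0.05, 0.5) if source == "datastore" else rng.uniform(2.0, 25.0)
        latency = observed_latency(source, actual, rng, normalize)
        correct += timing_oracle(latency) == source
    return correct / n


if __name__ == "__main__":
    print("oracle accuracy without normalization:", oracle_accuracy(False))
    print("oracle accuracy with normalization:   ", oracle_accuracy(True))
```

With normalization every datastore or network answer lands in the same 30-35 second window, so the oracle is reduced to guessing and its accuracy drops to about one half.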
