On Saturday 23 September 2006 11:13, toad wrote:
> On Sat, Sep 23, 2006 at 10:45:57AM -0700, an ominous cow herd wrote:
> > I find it funny that all of these 0.7 users are saying that the 0.7
> > network is better and more secure than the 0.5 network.  They say this
> > even while we see these warnings about critical bug fixes, peers in the
> > 0.7 network being able to monitor what comes from your node, and the IRC
> > channels where people trade references could have cops monitoring or
> > actively trading these references. Now you mention that there is a cap on
> > bandwidth.  WTF?
> >
> > This is why I'm staying with the 0.5 network until either 0.7 becomes
> > useful, or another anonymous network (ANts 
> > http://antsp2p.sourceforge.net/) surpasses the 0.5 network in usability,
> > popularity, and security.
> >
> > It would be sad to see Freenet become just a footnote in the computer
> > chronicles while other anonymous networks become more popular and Freenet
> > loses its user base.  Maybe some Chinese Christian dissident will use it
> > to speak freely, but it won't matter much if there is no one to listen.
>
> I'm half inclined to believe that there's a deliberate propaganda campaign
> against Freenet 0.7...
>
> Here's what I said on the tech list:
> -----------------------------------------------------------------------
> The 10MB limit is nonsense; there is no such code.
>
> And correlation attacks are feasible on 0.5 as well as on 0.7. It's a
> bit more complex on 0.5, but I'm not sure that it requires any more
> effort. And on 0.7 you get to choose your peers; on 0.5 a clever peer
> can choose you (possibly as part of a network-wide campaign to connect
> to everyone in order to monitor everyone).
>
> 0.7 does have some security issues certainly, but overall I'm not sure
> that 0.5 is any better. Anyway, read the security page on the wiki.
> -----------------------------------------------------------------------
>
> For anyone listening who can't be bothered to look up the security page
> on the wiki, here it is:
> http://wiki.freenetproject.org/FreenetZeroPointSevenSecurity
>
> The short version:
> - Correlation attacks are possible on both 0.5 and 0.7. They may be
>   easier on 0.7 due to it having better (therefore more predictable)
>   routing, but 0.5's routing is pretty predictable, as it just goes by
>   load most of the time. Also due to Freenet 0.7 having smaller keys.
> - Freenet 0.7 has one major, obvious weakness right now which is that
>   its connection setup isn't secure against MITM or impersonation when
>   the attacker knows the refs of both sides. Nextgens started to work on
>   this, but STS (the solution) isn't quite ready yet.
> - On 0.5, or indeed on any opennet, such as the one we will soon
>   implement for 0.7, or the bogus one we have at present using
>   #freenet-refs etc, a whole range of attacks are much easier. In
>   particular, harvest-and-block is the best known attack. But content
>   tracing is easier on opennet too, because all you have to do is
>   connect to everyone and do correlation attacks on everyone (requires
>   an ubernode). Or connect to one node at a time and likewise. You are
>   vulnerable on darknet or on opennet - but on darknet you get to choose
>   who you are vulnerable to. If you suspect a particular subnetwork,
>   just connect to all the nodes on that network and do correlation
>   attacks on them. Etc etc.

I'm inclined to believe that there is a deliberate attempt to kill the 0.5 
network by directing new users to the 0.7 network, but then again I'm the 
paranoid sort.

Thanks for clearing up the 10MB limit question.  It would have been one big 
mistake to cap the usage.

As to the 0.7 network having the ability to choose your own neighbor nodes, 
that can be done on the 0.5 network as well.  You and another can build your own 
private network with its own seednode.ref.  You can also block all IP 
addresses not in your network by the use of a firewall.  The fact that the 
average user must download references from an IRC channel that could easily 
be compromised by the cops doesn't leave me with warm and fuzzy feelings.
