Threat Model
This document is evolving: the threats we can protect against change as Freenet changes.
They don't give out their home address on an anonymous forum.
They don't reinsert stuff as a CHK.
Obviously the documented best practice will change with time too.
They are much more valuable than downloaders, or volunteers running the Keepalive plugin to keep content retrievable.
Only knows that the target is on Freenet.
In order to trick users into connecting with an attacker over darknet, human interaction is (usually) required.
Users may be coerced or bribed to run surveillance software to track their darknet peers, but this too is relatively expensive unless automated via hacking.
It is illegal, sometimes detected, and sometimes technically difficult.
Note that "expensive" here doesn't mean prohibitively expensive for a single instance. It means that it gets to be a significant expense when you have to do it to thousands of nodes/people.
It may still be affordable for many attackers, but we assume that, for example, it is much more expensive to social engineer 1000 users (to get darknet connections) than to connect to their nodes on opennet.
If you are connected to a node, you can log the requests and inserts it makes and run statistics on them (correlation attacks) to figure out whether it is inserting (or downloading) a known (published) large file.
The main task is to prevent the attacker from getting connected to the originator in the first place.
It follows that almost all attacks are dramatically more expensive on darknet than on opennet.
In the future we will provide protection against malicious direct peers by means of tunnels, but even this works far better on darknet than on opennet; see e.g. the PISCES paper.
Also, we care about blocking. It should be hard to block Freenet.
See Major attacks
All released code is manually reviewed.
TODO automated code review tools.
Unit tests: Limited coverage.
Documented elsewhere. All released code should have been reviewed by the person doing the release. Releases are signed and there is a revocation mechanism for the auto-updater.
Not currently a priority for paid staff, partly because on opennet there are some rather easy attacks. We want to fix them before we draw attention to them!
However, long term, the best way to quantify an attack is to try it out, and attackers will inevitably build their own tools.
IMHO long term a security bounty program would be a good idea too.
No current activity.