[Freedombox-discuss] PageKite relay service; risks, community and collaboration?
Sunil Mohan Adapa
sunil at medhas.org
Sun Nov 22 15:37:41 UTC 2015
On 11/22/2015 07:04 PM, Bjarni Runar Einarsson wrote:
[...]
> I touched on most of the concerns and potential solutions in my
> last mail - I think the best "design" for this, would be to
> decouple the DNS part of the service from the relays. So the
> ecosystem would look something like this:
>
> 1) Volunteers run relays according to a community code of
> conduct. 2) One or more orgs keeps a registry of existing relays,
> tests them for compliance with community standards (e.g. make
> sure clear-text HTTP is unavailable). 3) Organizations sell or
> give a way domain names; included in this service is a dynamic
> DNS and DNS-based PageKite authentication (so a relay can
> validate a tunnel request).
>
> Roles 2) and 3) could be merged; their technical requirements are
> quite similar, both will need a dynamic DNS service and user
> database of some sort. This is a technically sophisticated role
> and handling abuse etc. happens here, so these are organizations
> rather than individuals.
>
> For security reasons (as discussed in my last post), role 1)
> should be separate. This is where even small players can
> contribute to the network.
Some more points we could consider:
- HSTS headers in HTTP will partially help. Browser will not go back to
using HTTP after a proper first connection is made.
- Mozilla has been encouraging certification authorities to publish a
list of all SSL certificates they have ever issued. This list is likely
to be available in Let's Encrypt and also slowly available from other CAs.
- Multiple solutions to the problem: Dynamic DNS, PageKite and Tor
Hidden Service (with possibly Tor2Web) should be combined to make the
experience for the user smooth and to get the apt solution.
- FreedomBox has a social aspect with federated social networking coming
soon. We are discussing on possibility of taking backups on buddy's
machines etc. Spamming and abuse can be handled by perhaps explicitly
authorizing relay of traffic from friends list.
--
Sunil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20151122/7518afa6/attachment.sig>
More information about the Freedombox-discuss
mailing list