Freenet / Hyphanet 0.7.5 build 1503 is now available.
Install Freenet / Hyphanet for Windows, for GNU/Linux, macOS and other *nixes. See the download page for more information and other platforms.
This is a shared release page for 1502 and 1503. 1502 fixed an inserter tracing vulnerability and added several features while 1503 is a hotfix release that fixes regressions in 1502. The main changes are:
- fixed vulnerability
- reduce visibility on the network
- support animated webp and more modern HTML and CSS
- enable direct linking to Freemail’s “New Message” page
- dismiss alerts and convenience
- substantial routing optimizations
- fixes
mitigated vulnerability
The most important change is a fix to a vulnerability that enabled attackers to differentiate between an uploading and a forwarding node by analyzing the structure of packets in blocks.
The vulnerability enabled two attacks: one active and one passive. The active one could be exploited by depending on precise block-level timing of packet handling, forcing the node to expose if it was the original uploader of a file. The passive one worked by analyzing the packet structure inside blocks.
While the active attack is completely mitigated, the passive attack could be done retroactively if an attacker had already recorded the full transmitted data on sub-block level.
The attack has two limitations: it requires matching individual CHKs to keys, for example by downloading the key of the file at least once; this risk is highest for CHKs of known files and for re-uploads. And it requires a direct connection: it does not work against pure friend-to-friend mode when your friends are trustworthy.
This vulnerability was reported responsibly by Xu Yonghuan. Thank you very much for the report and for creating and testing a mitigation!
fix regression: thread leak
1503 fixed a thread leak from our adaption of the vulnerability mitigation that caused very fast nodes to overload and slow down after a few days, because the number of waiting threads exceeded the thread limit. Don’t wait for zero, for it is infinite.
Thanks to bertm for finding a minimally invasive solution and max_iops for reporting the problem and testing fixes!
visibility reduction and interface fixes
There were some additional privacy and safety improvements: do not check reachability of global addresses to avoid a fallback to Echo packets when a node does not support Ping. These packets were a regression from 1498 due to a fallback in the platform address checking when Ping is disabled.
And don’t show download to disk for large file page on public gateway nodes, and make fproxy cross origin isolated -- the latter by torusrxxx.
animated webp and more HTML/CSS
There is now support for animated, lossy webp images, recovering some capabilities we lost when browsers removed support for the Theora codec, and for WAV files for lossless audio. Thank you to Torusrxxx!
Torusrxxx also increased again the fraction of HTML and CSS elements that can be used on Freesites. More and more pages should just work. Freesites can now set robots, googlebot and referrer=no-referrer, for example for the Spiders that update indizes, as well as use more CSS properties.
1503 fixed a problem displaying Freesites that include an input tag without type. Sites with such an incomplete input tag can now be visited again. Thanks to torusrxxx!
link to freemail
Freemail now allows inbound links to “/Freemail/NewMessage?to=\
dismiss alerts and convenience
On the alerts page there are buttons to dismiss all alerts that do not come from other nodes, or to delete all messages from other nodes. This should unclutter alerts and make node-to-node messages much more usable.
optimization
There are new optimizations to the code -- a lot of them improvements to synchronization -- which should reduce CPU load of nodes with many peers and make it easier to run simple routing nodes (without messaging) on weak, cheap, energy conserving hardware:
- Fix synchronization of receive buffer -- #1044 by ArneBab. Thanks to Xu Yonghuan for the catch!
- Do not synchronize on global variable in CryptoKey.fingerprint -- #1066 by bertm
- Do not synchronize on access to AEADCryptBucket.readOnly -- #1065 by bertm
- Do not synchronize on global variable in crypt Util.makeKey -- #1064 by bertm
- Do not synchronize on Rijndael cipher initialization or use -- #1061 by bertm
- Use length hint for bucket creation in ChecksumChecker -- #1059 by bertm
- Optimize OCBBlockCipher_v149 by replacing Vector with List -- #1057 by bertm
- Use JCE AES implementation for AEAD when available -- #1056 by bertm
fixes
Additionally there are visible Fixes:
- Update dependencies.properties wrapper files to files in java_installer to avoid downgrading the wrapper after the first start -- #1081 by ArneBab
- Fix regression: compress parameter was inverted on upload. Thanks to NewOne@umLZL for investigating! -- #1051 by ArneBab
- Build the Atom XML correctly -- #1080 by Bombe
- Do not fix case (upper/lower) of header key -- #1063 by torusrxxx
- Fix request distribution stats -- #1071 by bertm
- In the plugins visibility was adjusted to show in simple mode the plugins that actually are easy to understand for newcomers.
- Below the shutdown-button, there’s now an info how to disable autostart in GNU Linux.
- And 1503 added two new seednodes to speed up inital connection in Opennet. Thank you for providing them!
And internal code fixes:
- Return valid length from RandomShortReadInputStream.read -- #1060 by bertm
- Fix single-byte read() in various InputStream implementations -- #1058 by bertm
And improvements to the code to ease maintenance:
- 🐛 Allow Class Loader to Enumerate Directory Entries. Fixes Flyway usage -- #1049 by Bombe
- ♻️ Use accessor for NodeClientCore.mainExecutor -- #1079 by Bombe
- Add Accessors for PageNode’s Member Fields -- #1076 by Bombe
- Add Accessors for Two Member Fields Used in PeerNodeStatus -- #1075 by Bombe
- Fix Translation Handling in Tests -- #1074 by Bombe
- Remove main(...) methods and related test/debug routines -- #1070 by bertm
- Remove unused code and parameters from NodeStats -- #1069 by bertm
- Remove remaining code paths for disabled slow-down sending -- #1068 by bertm
- Get rid of Hashtable in NodeStats -- #1067 by bertm
- Fix the test for UserAlertManager where localization didn’t work correctly. Thanks to Bombe!
Contribute
Join our core.
If you want to help us get better, please chat with us in #freenet @ irc.libera.chat. And give us time to answer, we’re all volunteers and might not be in your timezone.
To get into development right-away, have a look at one of the Freenet / Hyphanet Projects or just get fred and fix something that annoys you.
And to take on something that makes a big difference, have a look at the high-impact tasks.
In addition to coding, spreading Hyphanet, joining the community, writing a decentralized website, and other ways to contribute within Hyphanet, you can join the awesome team of translators at transifex. They are the reason why we’re able to support several different languages, the often unseen heroes who make our work accessible to those who need it the most.
What is Freenet / Hyphanet?
Hyphanet is the original Freenet,
a peer-to-peer platform for
censorship-resistant and privacy-respecting
publishing and communication.
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet? --Mike Godwin, Electronic Frontier Foundation
What about the name „Hyphanet“? See Freenet renamed to Hyphanet.
That Hyphanet can keep moving forward and help people worldwide to exercise their basic rights and freedoms is the work of amazing volunteers, both contributors and people running Hyphanet nodes.
Thank you for your contributions, and thank you for using Freenet / Hyphanet!
-- AB
Install Freenet / Hyphanet for Windows, for GNU/Linux, macOS and other *nixes. See the download page for more information and other platforms.