On Fri, 25 Jul 2014 11:08:19 +0000 (UTC)
intrigeri <intrigeri@???> wrote:
> Note: what follows is *not* about finding a solution to the last
> de-anonymization vulnerability found in I2P 0.9.13. I trust the I2P
> team will do a proper job at it.
A new release is out that resolves this recent XSS and a few other
issues, but it has had very, very little testing. Perhaps there are
other problems lurking which haven't been reported yet; people are
certainly giving I2P more attention *now*. (Exodus reported *multiple*
0days incl RCE affecting Tails. See also
http://www.twitlonger.com/show/n_1s2jibg. Are these others in I2P? Tor?
Something else? Will these other 0 days be disclosed or are they
to be sold?)
WRT to the last I2P release: I do know that the filtering is a little
too strict and broke retrieving torrent metainfo, so I think that there
will be a point release relatively soon (Perhaps the I2P-users on Tails
don't bother with this feature?).
I still haven't had a chance to play 'catch-up' with the posts,
Redmine, and/or IRC to give the level of detail that they deserve,
but a few quick things:
apparmor: This was in my plans prior to this bug but of course its
priority has been raised.
'router console access': How many on Tails on I2P just visit I2P
internal sites? How many look at or change settings here? Should this be
disabled by default?
greeter or boot option: Seems like a reasonable compromise. I suppose
could also allow the "I2P-specific" rules to be set if-and-only-if this
option is specified.
More will be forthcoming.
