So your response hinges on the concept of trust? Stop playin… You almost had me there. Oh wait, you were being serious!?
The trust is in the website. If you don’t trust the opensourced plugin then you won’t be using a browser to access SAFE
You could just get the plugin from github and bypass the website and requirement for safe website to get the plugin
Somehow people have to find the plugin.
I’ll skip the humor, as Tonda took care of that. This is NOT a good idea.
This proposal is meant to address the situation when a user without the plugin accesses the site. Of course the proposal also handles users with the plugin (by not doing anything for them).
The Tor Project hasn’t found a better solution than to simply ask people to download the browser from their Web site or some other trusted place (if you can obtain the checksum from a trusted source). Some degree of trust is necessary, but I’m sure they thought of and declined to use redirects.
Months ago I discovered (and posted here) that Amazon has a pending application for the TLD .safe
. Now I learned that Tor managed to solve “the Namecoin problem” by reserving .onion
. It took them 10 or so years to get there so even if the next project secures a similar compromise faster, it’d take years. But it’s a good breakthrough for them and all other projects that may want to take the same route.
I can verify every step to the web site and any software it provides. Impractical and time consuming but possible. This is not currently possible with software operated on another machine unless you have root control. Even then the problem of physical tampering is still not solved. The less trust the more assurance a user can have if they posses the ability to understand what they are using.
What software are you referring to?
Server and site framework.
Ok fair enough. It is always a concern.
But how do you solve getting the plugin, if the person has no idea how to.
It seems there has to be at least some “trust” if the person does not know github or where to get the plugin, after all they just wanted to visit the SAFE site
How do people find how to get on the Onion network?
That hasn’t been a problem.
You don’t. You just advertise and wait for those with a use for the network to move in. I believe in making things stupid easy, but I don’t think people should be spoon fed at the expense of security or anonymity.
True, but they had to trust the website they got the software from and that is what @Tonda was addressing.and my reply
But we can verify what was received.
I also said that above - either they have to trust the site, or have another way to verify the package out-of-band (e.g. to obtain a signed checksum from the author directly, or from another person).
That doesn’t require redirects. Linux, Tor, TAILS, OpenSSL and countless others all approach this problem the same way.
@neo yes, you got it.
The URL would be accessed by https (encrypted) so it’s not different to visiting maidsafe.net/downloads with regard to bring snooped on. And what value is knowing that someone clicked on a particular link without first considering the privacy issues?
I agree there is a tiny fragment of suspicion if an agency can discover you knowingly clicked on certain kinds of material - once! After that you go get the add-on , and if you don’t get the add-on, well you are probably not at risk or of interest anyway. Meanwhile, the agencies already have many other ways to spy on and identify such a naive user, whereas the benefit of us doing things this way is that we make it far easier for people to discover and join SAFEnetwork, which overall means people will be far safer from what you are concerned about IMO.
We must not underestimate the value to people from more rapid, or even mass adoption, so finding ways to reach as many people as possible and help them to install the SAFE browser add-on, is very important IMO.
IMO we’re not creating significant additional risk here - but we are introducing many more people to SAFEnetwork by instead of showing them a “Website not found page”, showing them a page that helps them install the browser add-on, and vastly increases their privacy and security by doing so. And, very important, making rate of adoption much faster, benefiting more people, and increasing the chances of SAFEnetwork being successful.
The biggest risk to people is not that the NSA discovered they clicked on one dodgy link without thinking - but that SAFEnetwork fails to be adopted widely. Or that the naive individual tried a risky link and didn’t get the chance to learn about SAFEnetwork and install the SAFE browser add-on.
@blindsite2k there’s no extra website for you or me to buy our host. Only one special website owned by the MaidSafe Foundation, which becomes a default landing page when someone tries to access a SAFE URL but has not yet installed the SAFE browser add-on. At the moment, someone doing this would get a “Website not found” error.
The only difference to the earlier schemes (such as starting SAFE URLs with “safe:”) is that if the user has NOT yet installed the SAFE browser add-on, they will see a helpful page telling them about SAFE Network and how to get the add-on, rather than “Website not found”. For those who DO have the SAFE browser add-on installed, there is no difference from the other schemes - the website is not involved at all - the browser add-on just gets the content directly from SAFEnetwork as normal. Hope that clarifies.
There’s quite a lot of misunderstandings in the replies which I think has made it hard to understand what I actually proposed, so please ask for further clarification if any of you are still unsure about t this.
They don’t have to trust the safenetwork.net website with regard to the SAFE browser add-on.
If they install the add-on, they do so by visiting the relevant official browser add-on store: Mozilla, Chrome etc This will be at least as safe as doing it via github, or maidsafe.net/downloads which someone capable of doing would still be free to do.
The key thing not to miss here is the benefit gained by helping people learn about SAFEnetwork, and obtain the browser add-on. This method makes it far easier, helping far more people improve their privacy and security than if they are served up “Website not found” instead. I think that is going to result in people being less secure overall.
Widespread adoption of SAFEnetwork is the way to improve people’s security much more than if we get stuck trying to build a perfect system, and far less people use it as a result!
The quoted part is my response to neo’s question above in which he asked how do people get the SAFE browser plugin.
Yes, that’s what I meant when I said “have another way to verify the package out-of-band (e.g. to obtain a signed checksum from the author directly, or from another person).” All those places allow them to do that in a secure manner.
There is no trust problem: seen from legacy internet, the safenetwork.net domain is just a web server giving information about the safe network, like our forum or the maidsafe website. @Happybeing proposal is only another way to reveal safe network to the world. Yes, but a very powerful one.
Besides, what could the powers that be do regarding this domain?
- Close it: then we will have to fall back to traditional ways to publicize the network but there would be no regression compared to the other schemes considered for the plugin.
- Redirect it to some pages stating that usage of this network is illegal: Streisand effect comes to mind, and there isn’t any better publicity for the safe network.
But in any case nothing worse than they could also do with the other schemes (and the plugin would still run because it doesn’t depend on the availablity of this domain).
Walk down the street and do a survey - approach anyone with a smartphone:
How many people know what facebook is and how to access it?
Now ask them what the Onion network is and how to access it.
These are the people I want us to reach. Otherwise SAFEnetwork is just another niche tool and will protect only a tiny proportion of people.
That’s not why I’m here - I’m curious to hear from the community about this question: is widespread adoption a priority for you, or not?
Let Us please use a one or two or three letter dot extension .
It has to be practical and convenient to be competitive
i see the logic of a short URL…or
the community has this domain
SecureAccessForEveryone.com - decentralized internet.
Based on my experience with .onion
people who’ve heard of it and like the idea, don’t have the problem getting on it.
I think the key is to spread the idea. Once they now what the idea is, you win them or lose them.
If you win them, you don’t need to tell them where to find the extension or how to access it - they’ll easily find a way (even now, I would bet google already has correct results for “safe network browser extension” (might be a page from this site), but if you search for internet privacy or such, you probably won’t see SAFE on the first 5 pages, which I think confirms that the difficult part is to spread awareness about the project rather than assist with downloads).
Of course the both are important, it’s just that plugin downloads doesn’t seem like the challenging part.