The importance of trust

Trust is important on Freenet. For example, the Darknet, which is propagated as the best mode to operate Freenet, is based heavily on trust. How can I trust my friends? How can I trust them not to be evildoers and turn out wrong or a wrong side on me at least? You’ll never really know unless they are really good friends and even then perhaps not.

Another important thing you’ve got trust in is the software you’re using, meaning Freenet itself. First you need to trust Toad that they’re not just claiming it works the way it works and on the contrary it’s quite easy to de-anonymize someone. This is quite easy to debunk, since the source code is available, so you can take a look at it yourself or take the word of experts in that kind of field if it’s trustworthy or not. Personally I trust them on that kind of matter.

But trusting people and their efforts is one thing; trusting software another. For example, most Freenet nodes are using the autoupdate-mechanism built in, it’s even activated by default. This is nice for the user if you always want to run the latest and greatest, but is it a good thing?

No. If you really care about your anonymity it’s a thing with good intention which could backfire great lengths at you. How? Well, let’s just guess this little scenario: someone was able to get the write key (e.g. personal abuse, spying, keylogger, whatever) used for the updates that’s mentioned per default in the node. He wants to deanonymize at least some people, content or Freenet as a whole. So what’s this guy going to do? He’s going to make an update. The source published on emu.freenetproject.org would be completley unsuspicious, but since the node is downloading compiled JAR-files to update itself the content of that JAR-file would be completely different and contain the attacker’s malware portions of code engined to disable Freenet or deanonymize you/content/whatever.

While this is unlikely to happen(?), it is a possible and quite easy vector of attacking Freenet as a whole if someone is able to achieve that knowledge. So what should you really do if you’re concerned about your anonymity? Right: you should disable that feature, just get the peer reviewed source patches and compile it yourself. That’s the only way to counter that possible attack, even if it means that you need to give up somewhat of your laziness.

Another thing about trust is trusting downloads from Freesites. If those are movies or normal programs, they can be mostly be trusted, but of course you should still use the normal precautions, like running an anti virus scanner on them.

But what about binary packages that are covering security areas, like for example data encryption? Personally I would not trust them, because you’ll never be able to know if the posted hasn’t been engineering some malicious routines into it or not. Don’t trust them, get them at established sources only.

This also covers the many tools for Freenet. I only trust Tools that work together with Freenet if I can get a hold on the source code. Otherwise you should just scratch them and don’t use them at all if you’re really concerned about privacy.