
Freenet Project's Statement on the recent Freedom Hosting bust - Sami_Lehtinen
https://freenetproject.org/news.html#2013-tor-bust
======
bcoates
I'm a fan of Freenet, but it has some core (and extremely longstanding!)
usability issues that Tor has proven are unforced errors.

The restrictions on JavaScript is the biggest one. The complete inability to
run server-side code in a trusted context makes JS _more_ necessary on Freenet
than the HTTP web; it's absense makes developing a useful Freenet site
extremely difficult. It causes interesting Freenet projects to be deployed as
local applications (which necessitates auto-update to be practical). This
represents an absolute trust of unknown service providers and is vastly worse
than running untrusted JavaScript. It also makes maintaining parallel Freenet
and HTTP sites impractical in practice (when only reader-side anonymity is
needed), something Tor got right the first time.

Secondly, Freenet's JavaScript exclusion relies entirely on filtering code
that's specific to Freenet and thus not anywhere near as battle-hardened as
browser JS engines. You don't need a Chrome zero-day to circumvent Freenet's
reader anonymity, you just need to find an edge case in its filtering code
against the moving target of a self-updating browser.

Freenet's core feature of anonymous distributed hosting (as opposed to just
Tor's distributed proxying and Bittorrent's bandwidth sharing) is still a
relevant technological frontier that's long overdue to see the light of day,
but that's not going to happen until it stops tilting at windmills on some of
the crazier technical decisions.

Edit: While I'm complaining, I'm unclear on the real-world threat model that
the friend-to-friend Darknet is supposed to protect against. Proving out that
globally routable friend networks a la "The Crying of Lot 49" actually
function is neat scientific accomplishment but it does nothing but help the
Global Passive Attacker and probably makes things easier for more mundane
threats too.

------
unknownian
Too bad it's written in Java.

~~~
zxcdw
Agreed. Not the language itself, but the way the runtime operates. One simply
does not build reliable and fundamental abstractions over non-optimal enough
abstractions and expect things to work long-term.

~~~
tomjen3
All the abstractions you build will eventually go over x86 bytecode
instructions. And those aren't pretty, let me tell you.

The truth is that there is nothing important wrong with Java, and everything
important wrong with Java programmers, which casues people like you to say
things like that.

~~~
eatmyshorts
I guess you aren't aware of the dozens of 0-day exploits to the JVM that were
released last year? Since Oracle took over, Java's security model is looking
like Swiss cheese, Oracle's responsiveness to security flaws has been slow,
and the fixes have introduced even more security flaws.

See here ( [http://java-0day.com/](http://java-0day.com/) ) for some examples.

~~~
tomjen3
I am away against attacks _against the java applet executor, not against Java
itself_.

~~~
eatmyshorts
The problems weren't with the Java Applet executor. They were with the JVM.
Java WebStart and the JVM security model are the two places where most of the
0-day exploits came. Neither of these have anything to do with applets.

------
northwest
> Freenet is a distributed data storage network designed to prevent
> censorship, provide anonymity and be hard to block.

A very similar solution offering this is
[http://retroshare.sourceforge.net/](http://retroshare.sourceforge.net/)

You get decentralized/p2p encrypted VOIP/chat/messaging/file sharing (written
in C++).

General intro for "darknet" solutions:
[https://en.wikipedia.org/wiki/Darknet_%28file_sharing%29](https://en.wikipedia.org/wiki/Darknet_%28file_sharing%29)

~~~
Sami_Lehtinen
RetroShare isn't similar to Freenet at all. Please read design & white papers
completely for both projects. What I really like about Freenet & GNUnet is the
build in distributed efficient caching of data. So even small sites won't go
down when there's a global rush.

------
stefantalpalaru
They are comparing static sites on Freenet with dynamic hidden services on
Tor. Sure, hosting many hidden services with the same provider was dumb, but
we're talking apples and oranges here.

