#saltr (irc2p) | I2P+ 2.5.0-11+ >> i2pplus.github.io | skank.i2p | git.skank.i2p | purokishi.i2p | vituperative.github.io/i2pchat | natter.i2p | notbob.i2p | ramble.i2p | shreddit.i2p | cake.i2p | /msg an op for voice

dr|z3d java -jar ./install.jar or 'java -jar ./install.jar -console' for headless install (remember to specify the install dir if you install this way, usually /home/user/i2p/)

GalaxyNova oh wow it works so painlessly!

GalaxyNova i had to do some tricks to even get to the normal i2p to run

GalaxyNova thanks

dr|z3d oh, fantastic.

dr|z3d happy days \o/

GalaxyNova dr|z3d: yeah so the scripts the I2P+ ./i2prouter installer ar kind of broken

dr|z3d GalaxyNova: you mean for systemd?

GalaxyNova they're in /etc instead of /usr/local/etc >:(

GalaxyNova no for FreeBSD

dr|z3d i2prouter install ?

GalaxyNova yeah

dr|z3d ok, I'll nudge term99 to look at those. there are other methods you can use for autostart, check skank.i2p

mesh GalaxyNova: you know you really don't need to "install" the i2p router at all. At the end of the day it's just a normal java program.

GalaxyNova yeah it's just convenient for autostart

GalaxyNova so i don't have to do it at each boot

mesh (at least that's what I do instead of fighting the I2P installer to run the router)

dr|z3d elif [ "$DIST_OS" = "freebsd" ] ; then

dr|z3d echo 'Detected FreeBSD:'

dr|z3d if [ -f "/etc/rc.d/$APP_NAME" ] ; then

dr|z3d eval echo " `gettext 'The $APP_LONG_NAME daemon is already installed.'`"

dr|z3d exit 1

dr|z3d else

dr|z3d eval echo " `gettext 'Installing the $APP_LONG_NAME daemon'`.."

dr|z3d sed -i .bak "/${APP_NAME}_enable=\"YES\"/d" /etc/rc.conf

dr|z3d if [ -f "${REALDIR}/${APP_NAME}.install" ] ; then

dr|z3d ln -s "${REALDIR}/${APP_NAME}.install" "/etc/rc.d/$APP_NAME"

dr|z3d else

dr|z3d echo '#!/bin/sh' > "/etc/rc.d/$APP_NAME"

dr|z3d echo "#" >> "/etc/rc.d/$APP_NAME"

dr|z3d does freebsd use rc.local, GalaxyNova?

mesh GalaxyNova: you can usuually set that up manually well enough but yeah. I think the problem with the installer is exactly this, every distribution out there is just a lil bit different...

GalaxyNova dr|z3d: there's /etc/rc.conf.local

GalaxyNova /etc/rc.local*

dr|z3d > Add /bin/su yourusername -c "/home/yourusername/i2p/i2prouter start" to your /etc/rc.local file

dr|z3d that should work, or some variation thereof that's bsd friendly.

GalaxyNova that's probably what I'm going to end up doing

dr|z3d you also probably want to enable unsigned dev updates to keep abreast of i2p+, and keep notify only enabled on /configupdate so you don't inadvertently get updated to vanilla i2p.

dr|z3d you'll then get notified when there's a new dev build available.. entirely up to you if you download & install it.

dr|z3d *want to

dr|z3d and given you're on freebsd, you probably also want to add the line: routerconsole.advanced=true to your ~/.i2p/router.config file. :)

RN I have /user/local/etc/rc.conf

dr|z3d hardenedbsd.i2p RN.

RN ahh

RN similar

GalaxyNova hardenedbsd is great :)

dr|z3d :)

RN I would have tried that, but went with free

mesh a heroic effort certainly

GalaxyNova the lack of developers working on hardenedbsd is holding me back

GalaxyNova from switching

mesh at the end of the day freebsd, like most os', is a big pile of C code

GalaxyNova once of the better piles of C code

GalaxyNova one*

GalaxyNova OpenBSD is also great

mesh stuff like nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years is inevitable though. And BSD has less devs than linux

GalaxyNova I think the BSDs generally have pretty good auditing / security strategies, especially OpenBSD

GalaxyNova I still use OpenBSD on my NAS

mesh openbsd is probably better than most but it's still full of bugs I think eg csoonline.com/article/3250653/is-the-bsd-os-dying-some-security-researchers-think-so.html

GalaxyNova "It is official; Netcraft now confirms: BSD is dying"

GalaxyNova but yeah there's a real lack of developers :(

GalaxyNova which is a shame, they're both great operating systems

mesh I've been told by people who would know that redhat is actually the most secure os. A lot of time and money gets invested in actually securing it

mesh but yeah OpenBSD at least in theory is obsessed with security

mesh but at the end of the day all these OSes, being big piles of C code, are probably just full of holes

GalaxyNova We'll have to wait for hurd to release and then we'll be saved

GalaxyNova xD

dr|z3d !

mesh we might get a rust-based linux kernel

GalaxyNova Rust's safety is pretty nice

GalaxyNova crates.io is a shithole though

GalaxyNova have you ever compiled a rust program before

mesh yeah it's very slow

GalaxyNova even the simplest program pulls in 100s of dependencies

GalaxyNova it's like npm but with the added compile time

mesh yeah I don't know how serious the rust guys are about security

mesh the idea that one language can do everything is probably misguided. we need a language that's just for security probably. But it would require so much work... sel4 is 10+ years old and still can't run a browser

mesh android is also apparently very secure. I've always liked the idea of having lots of little android servers running around

mesh and you can already run java+i2p on it hehe

GalaxyNova is there an easy way to connect a bouncer like znc to an irc server served over i2p?

dr|z3d sure, just have znc connect to the irc client tunnel.

dr|z3d 127.0.0.1:6668 by default.

mesh GalaxyNova: why would you want a bouncer? your connection is already anonymous

GalaxyNova because i want to see messages that are sent when I'm offline :P

dr|z3d bouncers maintain a persistent connection, mesh, and do other useful things. like log.

mesh GalaxyNova: you really want to know the terrible things people say about you when you're not here?

GalaxyNova lol

mesh dr|z3d: I know... though I always assumed most of their value was anonymity.

dr|z3d and they also mask when you're not around.. client disconnects, bouncer remains connected. better for anonymity.

dr|z3d useful when you run i2p on a different box than your client, too.

mesh dr|z3d: maybe... it's a stretch

dr|z3d not at all. common sense.

mesh connection times aren't a good signal anyways

mesh you would look for activity, so unless your bouncers are generating random messages I don't think it would help much

dr|z3d run a bouncer, see how it helps, then come back.

dr|z3d evidently you know about bouncers but haven't actually run one.

mesh I doubt. If anything I think keeping your Destination around for a long time is only a risk.

GalaxyNova Do you guys have any ideas for useful i2p websites I could make

GalaxyNova It's so fustrating that 90% of the i2p network is just personal sites or useless websites

mesh GalaxyNova: but that's the whole point

mesh everybody is free to easily host the most personal and useless stuff

GalaxyNova I'm not saying personal sites are bad.. they are really fun to explore

GalaxyNova but i'd love to have more practical things too

GalaxyNova I've noticed there's a lack of video sharing platforms on i2p

mesh it's interesting to think about what kind of business model would work over i2p but for most business transactions anonymity is a big bug

GalaxyNova woudn't it be cool to have something like that specifically on i2p

mesh so you may not find any real businesses

GalaxyNova maybe get people to pay through gostcoin?

GalaxyNova idk

GalaxyNova I'm not really looking for turning a profit

mesh GalaxyNova: video sharing platforms cost a lot of money. Gotta get people to pay

GalaxyNova rample.i2p is dead AF

GalaxyNova ramble*

mesh I was wondering if there was even i2p proxy-mirrors of wikipedia or archive.org

GalaxyNova there

GalaxyNova there is a mirror of wikipedia

mesh I GalaxyNova address?

RN there is also a youtube

GalaxyNova wikimirror.i2p

RN tube.i2p I think. if it is still up

GalaxyNova tube.i2p is very nice

GalaxyNova but it's just a mirror of youtube

mesh I mean you can reach wikipedia.org through an outproxy but this requires you to trust the outproxy

mesh or does it? outproxies do the ssl mitm thing

GalaxyNova I've heard people complain on reddit that wikipedia blocks i2p

GalaxyNova or something

mesh actually when I go to wikipedia.org I get a valid ssl cert and an encrypted connection

GalaxyNova oh a thing i just realized about hosting a video sharing platform on i2p...

GalaxyNova it's going to be really difficult to keep illegal things out

mesh GalaxyNova: you're better off writing a program that lets people host their own video sharing content and selling that

mesh for some reason I thought outproxies couldn't mitm ssl but when I go google.com and wikipedia.org I get "secure" connections

mesh that's kinda scary

dr|z3d ramble.i2p will soon be resurrected.

term99 its not a mitm

dr|z3d it's dead because tor.

mesh GalaxyNova: what you really want is somebody who downloads (crypto-signed) wikipedia every night and then serves it over i2p

mesh term99: how is it not?

dr|z3d how would the outproxy mitm wikipedia?

term99 wouldnt you need the certificate trust in your /etc/ssl for it to register?

mesh I mean, if you go through the outproxy to wikipedia.org you get a secure connection

dr|z3d you'd need to install an ssl cert to allow the outproxy to mitm.

term99 trace the connection using nmap

RN check the cert you get, then compare to the cert you get in an unproxied browser

mesh so the outproxy is definitely mitm'ing the ssl connection

term99 how do you get that idea?

RN they could just be, proxying it?

dr|z3d no, you would need to *install a cert* to allow the outproxy to mitm. and that's not going to happen. there is NO MITM.

mesh RN: the cert is alright, firefox trusts it

RN if you actually inspect it I propose it will be identical to the one you get without a proxy

term99 solid reasoning there, check from local and from remote

mesh dr|z3d: maybe mitm is the wrong term, but the outproxy is proxing an ssl connection

dr|z3d if an outproxy asks you to install an ssl cert, then you'll know something's not right. otherwise, the outproxy cannot intercept, read, or otherwise mess with SSL traffic.

mesh dr|z3d: would it be possible for the outproxy to return a different cert that was signed by a valid CA but wasn't actually google's cert?

dr|z3d no

dr|z3d not without your manual intervention to allow the outproxy to use a different cert.

RN someone needs to read up on cryptographic protocols...

term99 you would need access to the key file to generate a valid cert in your cert trust

mesh term99: it's just trust though

term99 then remove your trust

mesh term99: what's to stop the outproxy from replacing google's cert with a cert of its own?

mesh (assuming the cert of its own is a trusted cert by firefox)

term99 does the outproxy have the google key to generate that trust file?

mesh term99: that's not what I'm saying. the outproxy can't fake google's cert. But it can supply a (trusted) cert of its own. I wouldn't even realize it unless I clicked on the lock icon in the address bar and saw that it wasn't google's cert

term99 well your system normally keeps your trusts up to date when you do a system update via update system

RN if they do, Google's got big problems

dr|z3d >> if an outproxy asks you to install an ssl cert, then you'll know something's not right. otherwise, the outproxy cannot intercept, read, or otherwise mess with SSL traffic.

dr|z3d If I have to repeat myself one more time, someone's getting hurt :)

term99 lol

RN I'm selling tickets

mesh dr|z3d: I'm not talking about the case where the outproxy asks you to install a CA

term99 mesh you really should do some research on how it works OR setup your own outproxy on your own VPS and use that as your TRUSTED outproxy

mesh dr|z3d: I'm talking about the case where the outproxy has a cert signed by a CA you already trust

RN but that cert won't match the tld

RN er...

RN s/tld/url/

dr|z3d I'll be sure to let you know when I'm in possession of a valid *.google.com cert, mesh.

term99 w00t, hook me up bro!

mesh RN: I guess that's what you'd hope. That firefox would look at the outproxy's cert and say the domains don't match

term99 you're in control of your browser

mesh maybe all you have to do is run a malicious outproxy and wait for somebody to mistype an address, or send somebody a bad link

term99 its up to you to trust it, its just like a tor outproxy

term99 when you torsocks wget <file> do you trust that the file is good? well you checksum it, do you trust the assigned checksums, entirely up to you

mesh term99: I know that

mesh what I realize now is that the domain checking of ssl certs isn't driven by dns

mesh because https proxies are a thing

term99 :)

mesh the browser must compare it against whatever you type in the address bar

term99 don't forget about CSP, it helps secure the site too as long as you're being fed good headers but as you said https proxies exist so you get good headers