GalaxyNova
heyo :D
dr|z3d
hello GalaxyNova
GalaxyNova
what does voice do?
dr|z3d
ensures you're not muted if the channel gets a +m
GalaxyNova
ah
dr|z3d
happens from time to time, because troll(s).
term99
trolls' nuts get squished quickly :)
GalaxyNova
are all the eepsites in the channel topic run by the I2P+ team?
GalaxyNova
or?
dr|z3d
no, though mostly they do run on i2p+
GalaxyNova
oh i see
dr|z3d
they're just sites that are recommended.
GalaxyNova
yeah they're really high quality
dr|z3d
are you an I2P+ user, GalaxyNova?
GalaxyNova
i use notbob.i2p and libreddit.i2p a lot
GalaxyNova
I used it for a bit when I ran Linux
GalaxyNova
i2pd works much better on FreeBSD from my experience
GalaxyNova
which is the OS that I currently use
dr|z3d
oh, that's curious. what was the issue with I2P+ on freebsd?
GalaxyNova
well I wasn't able to get the java i2p working correctly
GalaxyNova
i should attempt setting it up again
GalaxyNova
maybe I'll have more luck
dr|z3d
what that the normal i2p, or i2p+ ?
dr|z3d
*was
GalaxyNova
the normal i2p
dr|z3d
maybe try from the getgo with the i2p+ installer. I think term99 may have done some bsd work on i2p+
GalaxyNova
thanks I'll check it out
dr|z3d
that's probably what you want, that's a global installer.
dr|z3d
java -jar ./install.jar or 'java -jar ./install.jar -console' for headless install (remember to specify the install dir if you install this way, usually /home/user/i2p/)
GalaxyNova
oh wow it works so painlessly!
GalaxyNova
i had to do some tricks to even get the normal i2p to run
GalaxyNova
thanks
dr|z3d
oh, fantastic.
dr|z3d
happy days \o/
GalaxyNova
dr|z3d: yeah so the scripts in the I2P+ ./i2prouter installer are kind of broken
dr|z3d
GalaxyNova: you mean for systemd?
GalaxyNova
they're in /etc instead of /usr/local/etc >:(
GalaxyNova
no for FreeBSD
dr|z3d
i2prouter install ?
GalaxyNova
yeah
dr|z3d
ok, I'll nudge term99 to look at those. there are other methods you can use for autostart, check skank.i2p
mesh
GalaxyNova: you know you really don't need to "install" the i2p router at all. At the end of the day it's just a normal java program.
GalaxyNova
yeah it's just convenient for autostart
GalaxyNova
so i don't have to do it at each boot
mesh
(at least that's what I do instead of fighting the I2P installer to run the router)
dr|z3d
elif [ "$DIST_OS" = "freebsd" ] ; then
dr|z3d
echo 'Detected FreeBSD:'
dr|z3d
if [ -f "/etc/rc.d/$APP_NAME" ] ; then
dr|z3d
eval echo " `gettext 'The $APP_LONG_NAME daemon is already installed.'`"
dr|z3d
exit 1
dr|z3d
else
dr|z3d
eval echo " `gettext 'Installing the $APP_LONG_NAME daemon'`.."
dr|z3d
sed -i .bak "/${APP_NAME}_enable=\"YES\"/d" /etc/rc.conf
dr|z3d
if [ -f "${REALDIR}/${APP_NAME}.install" ] ; then
dr|z3d
ln -s "${REALDIR}/${APP_NAME}.install" "/etc/rc.d/$APP_NAME"
dr|z3d
else
dr|z3d
echo '#!/bin/sh' > "/etc/rc.d/$APP_NAME"
dr|z3d
echo "#" >> "/etc/rc.d/$APP_NAME"
dr|z3d
does freebsd use rc.local, GalaxyNova?
mesh
GalaxyNova: you can usually set that up manually well enough but yeah. I think the problem with the installer is exactly this, every distribution out there is just a lil bit different...
GalaxyNova
dr|z3d: there's /etc/rc.conf.local
GalaxyNova
/etc/rc.local*
dr|z3d
> Add /bin/su yourusername -c "/home/yourusername/i2p/i2prouter start" to your /etc/rc.local file
dr|z3d
that should work, or some variation thereof that's bsd friendly.
GalaxyNova
that's probably what I'm going to end up doing
dr|z3d
you also probably want to enable unsigned dev updates to keep abreast of i2p+, and keep notify only enabled on /configupdate so you don't inadvertently get updated to vanilla i2p.
dr|z3d
you'll then get notified when there's a new dev build available.. entirely up to you if you download & install it.
dr|z3d
*want to
dr|z3d
and given you're on freebsd, you probably also want to add the line: routerconsole.advanced=true to your ~/.i2p/router.config file. :)
RN
I have /user/local/etc/rc.conf
RN
ahh
RN
similar
GalaxyNova
hardenedbsd is great :)
dr|z3d
:)
RN
I would have tried that, but went with free
mesh
a heroic effort certainly
GalaxyNova
the lack of developers working on hardenedbsd is holding me back
GalaxyNova
from switching
mesh
at the end of the day freebsd, like most os', is a big pile of C code
GalaxyNova
once of the better piles of C code
GalaxyNova
one*
GalaxyNova
OpenBSD is also great
mesh
stuff like nakedsecurity.sophos.com/2021/03/17/serious-security-the-linux-kernel-bugs-that-surfaced-after-15-years is inevitable though. And BSD has less devs than linux
GalaxyNova
I think the BSDs generally have pretty good auditing / security strategies, especially OpenBSD
GalaxyNova
I still use OpenBSD on my NAS
mesh
openbsd is probably better than most but it's still full of bugs I think eg csoonline.com/article/3250653/is-the-bsd-os-dying-some-security-researchers-think-so.html
GalaxyNova
"It is official; Netcraft now confirms: BSD is dying"
GalaxyNova
but yeah there's a real lack of developers :(
GalaxyNova
which is a shame, they're both great operating systems
mesh
I've been told by people who would know that redhat is actually the most secure os. A lot of time and money gets invested in actually securing it
mesh
but yeah OpenBSD at least in theory is obsessed with security
mesh
but at the end of the day all these OSes, being big piles of C code, are probably just full of holes
GalaxyNova
We'll have to wait for hurd to release and then we'll be saved
GalaxyNova
xD
dr|z3d
!
mesh
we might get a rust-based linux kernel
GalaxyNova
Rust's safety is pretty nice
GalaxyNova
crates.io is a shithole though
GalaxyNova
have you ever compiled a rust program before
mesh
yeah it's very slow
GalaxyNova
even the simplest program pulls in 100s of dependencies
GalaxyNova
it's like npm but with the added compile time
mesh
yeah I don't know how serious the rust guys are about security
mesh
the idea that one language can do everything is probably misguided. we need a language that's just for security probably. But it would require so much work... sel4 is 10+ years old and still can't run a browser
mesh
android is also apparently very secure. I've always liked the idea of having lots of little android servers running around
mesh
and you can already run java+i2p on it hehe
GalaxyNova
is there an easy way to connect a bouncer like znc to an irc server served over i2p?
dr|z3d
sure, just have znc connect to the irc client tunnel.
dr|z3d
127.0.0.1:6668 by default.
mesh
GalaxyNova: why would you want a bouncer? your connection is already anonymous
GalaxyNova
because i want to see messages that are sent when I'm offline :P
dr|z3d
bouncers maintain a persistent connection, mesh, and do other useful things. like log.
mesh
GalaxyNova: you really want to know the terrible things people say about you when you're not here?
GalaxyNova
lol
mesh
dr|z3d: I know... though I always assumed most of their value was anonymity.
dr|z3d
and they also mask when you're not around.. client disconnects, bouncer remains connected. better for anonymity.
dr|z3d
useful when you run i2p on a different box than your client, too.
mesh
dr|z3d: maybe... it's a stretch
dr|z3d
not at all. common sense.
mesh
connection times aren't a good signal anyways
mesh
you would look for activity, so unless your bouncers are generating random messages I don't think it would help much
dr|z3d
run a bouncer, see how it helps, then come back.
dr|z3d
evidently you know about bouncers but haven't actually run one.
mesh
I doubt. If anything I think keeping your Destination around for a long time is only a risk.
GalaxyNova
Do you guys have any ideas for useful i2p websites I could make
GalaxyNova
It's so frustrating that 90% of the i2p network is just personal sites or useless websites
mesh
GalaxyNova: but that's the whole point
mesh
everybody is free to easily host the most personal and useless stuff
GalaxyNova
I'm not saying personal sites are bad.. they are really fun to explore
GalaxyNova
but i'd love to have more practical things too
GalaxyNova
I've noticed there's a lack of video sharing platforms on i2p
mesh
it's interesting to think about what kind of business model would work over i2p but for most business transactions anonymity is a big bug
GalaxyNova
wouldn't it be cool to have something like that specifically on i2p
mesh
so you may not find any real businesses
GalaxyNova
maybe get people to pay through gostcoin?
GalaxyNova
idk
GalaxyNova
I'm not really looking for turning a profit
mesh
GalaxyNova: video sharing platforms cost a lot of money. Gotta get people to pay
GalaxyNova
rample.i2p is dead AF
GalaxyNova
ramble*
mesh
I was wondering if there was even i2p proxy-mirrors of wikipedia or archive.org
GalaxyNova
there
GalaxyNova
there is a mirror of wikipedia
mesh
I GalaxyNova address?
RN
there is also a youtube
RN
tube.i2p I think. if it is still up
GalaxyNova
tube.i2p is very nice
GalaxyNova
but it's just a mirror of youtube
mesh
I mean you can reach wikipedia.org through an outproxy but this requires you to trust the outproxy
mesh
or does it? outproxies do the ssl mitm thing
GalaxyNova
I've heard people complain on reddit that wikipedia blocks i2p
GalaxyNova
or something
mesh
actually when I go to wikipedia.org I get a valid ssl cert and an encrypted connection
GalaxyNova
oh a thing i just realized about hosting a video sharing platform on i2p...
GalaxyNova
it's going to be really difficult to keep illegal things out
mesh
GalaxyNova: you're better off writing a program that lets people host their own video sharing content and selling that
mesh
for some reason I thought outproxies couldn't mitm ssl but when I go to google.com and wikipedia.org I get "secure" connections
mesh
that's kinda scary
dr|z3d
ramble.i2p will soon be resurrected.
term99
it's not a mitm
dr|z3d
it's dead because tor.
mesh
GalaxyNova: what you really want is somebody who downloads (crypto-signed) wikipedia every night and then serves it over i2p
mesh
term99: how is it not?
dr|z3d
how would the outproxy mitm wikipedia?
term99
wouldn't you need the certificate trust in your /etc/ssl for it to register?
mesh
I mean, if you go through the outproxy to wikipedia.org you get a secure connection
dr|z3d
you'd need to install an ssl cert to allow the outproxy to mitm.
term99
trace the connection using nmap
RN
check the cert you get, then compare to the cert you get in an unproxied browser
mesh
so the outproxy is definitely mitm'ing the ssl connection
term99
how do you get that idea?
RN
they could just be, proxying it?
dr|z3d
no, you would need to *install a cert* to allow the outproxy to mitm. and that's not going to happen. there is NO MITM.
mesh
RN: the cert is alright, firefox trusts it
RN
if you actually inspect it I propose it will be identical to the one you get without a proxy
term99
solid reasoning there, check from local and from remote
mesh
dr|z3d: maybe mitm is the wrong term, but the outproxy is proxying an ssl connection
dr|z3d
if an outproxy asks you to install an ssl cert, then you'll know something's not right. otherwise, the outproxy cannot intercept, read, or otherwise mess with SSL traffic.
mesh
dr|z3d: would it be possible for the outproxy to return a different cert that was signed by a valid CA but wasn't actually google's cert?
dr|z3d
no
dr|z3d
not without your manual intervention to allow the outproxy to use a different cert.
RN
someone needs to read up on cryptographic protocols...
term99
you would need access to the key file to generate a valid cert in your cert trust
mesh
term99: it's just trust though
term99
then remove your trust
mesh
term99: what's to stop the outproxy from replacing google's cert with a cert of its own?
mesh
(assuming the cert of its own is a trusted cert by firefox)
term99
does the outproxy have the google key to generate that trust file?
mesh
term99: that's not what I'm saying. the outproxy can't fake google's cert. But it can supply a (trusted) cert of its own. I wouldn't even realize it unless I clicked on the lock icon in the address bar and saw that it wasn't google's cert
term99
well your system normally keeps your trusts up to date when you do a system update via update system
RN
if they do, Google's got big problems
dr|z3d
>> if an outproxy asks you to install an ssl cert, then you'll know something's not right. otherwise, the outproxy cannot intercept, read, or otherwise mess with SSL traffic.
dr|z3d
If I have to repeat myself one more time, someone's getting hurt :)
term99
lol
RN
I'm selling tickets
mesh
dr|z3d: I'm not talking about the case where the outproxy asks you to install a CA
term99
mesh you really should do some research on how it works OR set up your own outproxy on your own VPS and use that as your TRUSTED outproxy
mesh
dr|z3d: I'm talking about the case where the outproxy has a cert signed by a CA you already trust
RN
but that cert won't match the tld
RN
er...
RN
s/tld/url/
dr|z3d
I'll be sure to let you know when I'm in possession of a valid *.google.com cert, mesh.
term99
w00t, hook me up bro!
mesh
RN: I guess that's what you'd hope. That firefox would look at the outproxy's cert and say the domains don't match
term99
you're in control of your browser
mesh
maybe all you have to do is run a malicious outproxy and wait for somebody to mistype an address, or send somebody a bad link
term99
it's up to you to trust it, it's just like a tor outproxy
term99
when you torsocks wget <file> do you trust that the file is good? well you checksum it, do you trust the assigned checksums, entirely up to you
mesh
term99: I know that
mesh
what I realize now is that the domain checking of ssl certs isn't driven by dns
mesh
because https proxies are a thing
term99
:)
mesh
the browser must compare it against whatever you type in the address bar
term99
don't forget about CSP, it helps secure the site too as long as you're being fed good headers but as you said https proxies exist so you get good headers