OneSwarm Forum » Feature Requests

Security improvements

(7 posts)

  1. Happycat
    Member
    Login to Send PM

    Hi,

    In using oneswarm I've come upon a few security issues mainly based around the possibility of someone gaining access to your or your friends computer against your wishes. I'll try to keep on the reasonable side of paranoid :-P

    1. Ability to install OneSwarm on another partition. As far as I can tell, you cannot choose to install OneSwarm anywhere else than c:\, right? So even if you have the actual data that you're sharing on for example a Truecrypt partition, the information about what you are sharing would still be on the unencrypted system partion (unless you use full system encryption of course). If you could just install OneSwarm anywhere and keep the files that reveal what you are sharing in that location you would have the option of creating an encrypted partion that required a password to mount.

    2. Don't save chat history. Say you recommend a friend that politically sensitive Obama speech (LOL!) through the OneSwarm chat. Anyone that looks at his/hers computer can see that you recommended it in the chat history. Since I cannot imagine people will have very memorable conversations through the OneSwarm chat, wouldn't it be more reasonable to not store chat history between OneSwarm restarts?

    3. Option of password protection. This is sort of an alternative to 1, why not use the encryption in the program to encrypt all files that reveal what you are sharing and give users the option of requiring a password at startup of OneSwarm to decrypt them?

    4. Limited until password. I trust my friends but I don't trust everyone that may be at one of their parties. So why not an option to appear as a limited friend until a password is entered?

    4. An option to autostart without Web UI on Windows startup. Not a security issue but really, this should have been implemented in version 0.0001 :-P

    Posted 1 year ago #

  2. MaTee
    Member
    Login to Send PM

    Interesting topic!

    1, 2, 3 and 4 have a common solution. Encrypt information about shared files, friend list, chat history, private key, and everything else that could be sensitive. A password is needed to read this information. One problem is that if you forget your password, you loose all this information. Make encryption optional!

    5. Agreed. This is a common requested future, and it is important for the networks growth. A problem with the solution above is that a password would have to be entered on every startup.

    Posted 1 year ago #

  3. Happycat
    Member
    Login to Send PM

    Thank you for the interest!

    With regards to 5, Perhaps OneSwarm could still be working in the background but a password is required the first time you access either the Web UI och the old UI? Not as safe though since you could probably use other software to monitor network connections and what data on the HD is read and written. A password on startup is still a rather small price for ensuring that a third party cannot prove which data you shared. If someone should be shockingly evil and have copyrighted material on their computer without permission for example, just having it is hardly a crime, while sharing it online could land you in big trouble if anyone could prove it.

    Posted 1 year ago #

  4. MaTee
    Member
    Login to Send PM

    You have a problem there since if the background process can access the information without a password, everyone can do it with knowledge and access to the computer.

    Posted 1 year ago #

  5. isdal
    Administrator
    Login to Send PM

    MaTee has a good point in that encrypting your entire settings folder would be the way to go. That ensures that your private key together with all metainfo about what you are sharing is encrypted as well.

    On linux this is easy, just symlink ~/.oneswarm onto your encrypted drive. One Windows you will have to do download a custom tool to do this:
    http://www.howtogeek.com/howto/windows-vista/using-symlinks-in-windows-vista/

    Basic steps:
    0. mount your encrypted drive
    1. move your oneswarm (c:/documents and settings/user/local settings/oneswarm) settings folder to your encrypted drive:
    2. use the tool to create a link from your encrypted drive to the folder where the dir was before.

    If the encrypted drive isn't mounted your OneSwarm install won't start (or start with no friends or shared files), otherwise things will be like normal.

    As far as starting on windows start: we had this but removed it because we didn't have time to implement "don't start on startup" and we didn't want to piss people off... This should be on 0.7 as well.

    Posted 1 year ago #

  6. Happycat
    Member
    Login to Send PM

    Thank you for answering!

    I would still recommend that you somehow include this feature in OneSwarm, it seems like you already have features for password protection (remote access) and encryption in the software so to add an option to encrypt the settings files shouldn't be that hard?

    Alternatively, add an option to store the settings folder somewhere else than the standard folder. Then you wouldn't have to use the symlink procedure.

    Still, for the moment, will updates and such work even with the symlink in place? As long as the encrypted drive is mounted of course.

    Posted 1 year ago #

  7. isdal
    Administrator
    Login to Send PM

    Yes, updates only affect the installation folder (c:\program files\OneSwarm). As long as the encrypted partition is mounted you will be fine. I'm haven't tried it myself, so I don't know what would happen if the encrypted partition is not mounted.

    You are right that adding support for encrypted settings wouldn't be to hard since we already use a lot of encryption in the program. Maybe in some version after 0.7 :-)

    Posted 1 year ago #

RSS feed for this topic

Reply

You must log in to post.