Tenfingers
-
Vulnerability 3
V3:
A sharing node stores the public RSA key of each node whose data it shares. If a bad state actor got their hands on a lot of nodes, they could figure out that two pieces of shared data originated from the same node.
They cannot know who shared it.
Solution:
Store every shared file in its own folder. So instead of storing it in folder /3/ because it comes from node "3" (from this node's perspective), store it in a unique folder /785/ because it is shared data number 785.
Like the V2 fix, this will be published when V1 is published.
-
Vulnerability 2
A second vulnerability has been found:
V2: A bad state actor can know that you shared a specific link file, even if you do not publish your IP:PORT address in that specific link file, if:
- The bad state actor has the link file, as the link file contains your public RSA key.
- The bad state actor one day gets access to any other of your shared links, as they contain the same RSA key.
Solution: Use one specific key pair per file.
This has been implemented, but not yet published. It will be published when V1 has been patched.
-
Vulnerability 1
Thank you [email protected] for detecting this vulnerability.
A vulnerability was found:
A malevolent node can spoof data if:
- It is sharing the specific data
- It has access to the link file
Note: both conditions must be met.
This is because it then has access to the AES key in the link file and can encrypt bad data and serve it to a client.
Solution:
Add a payload to each piece of data, generated like this:
- SHA256 the data
- Encrypt the SHA with the private RSA key
When downloading data, check it with the public RSA key that is already in the link file. When the data is fully downloaded:
- Remove the SHA256 from the data
- Decrypt it with the public RSA key in the link file
- SHA256 the data (the data without the SHA256)
- Compare the two SHAs; if they are not identical, there have been errors or tampering.
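The generate and check steps above, as an added example (not Tenfingers' own code). It assumes the payload is appended to the end of the data as a fixed-size big-endian integer, uses a constructed, insecure demo key with unpadded RSA so it runs on the standard library alone, and all function names are hypothetical.

```python
import hashlib

# Constructed demo key, NOT secure: two Mersenne primes so this runs with the
# standard library only. Real keys come from an RSA library's key generation,
# and a real signature would use a padded scheme rather than raw RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                # public modulus (in the link file)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (publisher only)
SIG_LEN = (N.bit_length() + 7) // 8      # assumed fixed payload size: 141 bytes


def sha_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def add_payload(data: bytes) -> bytes:
    """Publisher: SHA256 the data, transform it with the private key, append."""
    return data + pow(sha_int(data), D, N).to_bytes(SIG_LEN, "big")


def check_payload(blob: bytes) -> bytes:
    """Downloader: strip the payload, recover the SHA with the public key, compare."""
    if len(blob) < SIG_LEN:
        raise ValueError("download too short to contain the payload")
    data, payload = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    if payload >= N:
        raise ValueError("payload out of range for this public key")
    if pow(payload, E, N) != sha_int(data):
        raise ValueError("SHA mismatch: errors or tampering")
    return data


if __name__ == "__main__":
    served = add_payload(b"genuine shared data")        # constructed sample
    print(check_payload(served))
    # A sharing node that holds the link file can swap the data, but without
    # the private exponent it can only reuse the old payload.
    spoofed = b"bad data" + served[-SIG_LEN:]
    try:
        check_payload(spoofed)
    except ValueError as err:
        print("rejected:", err)
```

The check only helps if the downloader runs it before using the data and treats a mismatch as a failed download.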
-
Latest updates published
Two large modifications and a smaller one (plus fixes) are now available on all platforms (Python, Linux & Windows).
- You can now launch 10f from the folder of your choice; before, you had to launch the insertion, update etc. from the folder where the 10f exe or .py was located.
This means you can do things like (depending on where you put the files, of course):
> python3 $HOME/10f.py
-
No update: If you update some data, but there is no difference, a new version will no longer be pushed.
-
The script tenfingers_book.py has been published too, which lets you make a crude "book" you can share with people. See Tenfingers Book for more information.
-
Source repository moved to Codeberg
You can check out the code repo here:
https://codeberg.org/Valmond/Tenfingers
-
New documentation with examples: Book & Chat
I updated the documentation a bit, and added two week-end projects that I did more or less to check stuff out.
So now you have a simple way of making a simple "book" where you can share your daily thoughts (very crude and non-optimized, but simple and effective IMO).
Also I made a Tkinter chat program, so that you can, again in a very crude manner, chat and share files with people.
-
New documentation
A better structured doc for downloading and installing Tenfingers.
-
New server!
So the old server was bogged down with problems and has started to make bad noises :-/ so here is the new one!