Chris Carlin | 4 Dec 18:21 2006

Dijjer and its embedded web server

I've been thinking lately about the possibility of using Dijjer's 
embedded webserver to actually host files for people. It would seem that 
this would fill a need that people have, allowing them to easily 
distribute personal media in a more ad hoc way without having to mess 
with external web hosts or anything like that.

The main issue seems to be the problem of firewall piercing that 
prevents people from running webservers in the first place. Perhaps 
there's a clean way to have remote peers bounce the data off of the 
local dijjer peer to get through, though.

Anyone have any thoughts on such an effort?

---Begin Offtopic Rant---
It annoys me so much to see bittorrent experience success in the realm 
of legitimate content distribution. It bugs me that the little 
unimaginative toy is presented as an amazing innovation launched by a 
visionary hacker. With all of its weaknesses, especially the tracker 
centralization issues that frequently bring bittorrent networks to 
their knees, it amazes me that reasonable people give it a second thought.

Sure it's popular, but these very same bittorrent fans would be the 
first to decry Windows dominance despite its dominance.
---End Offtopic Rant---

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Ian Clarke | 5 Dec 11:43 2006

Re: Dijjer and its embedded web server

On 12/4/06, Chris Carlin <ccarlin <at> physics.tamu.edu> wrote:
> I've been thinking lately about the possibility of using Dijjer's
> embedded webserver to actually host files for people. It would seem that
> this would fill a need that people have, allowing them to easily
> distribute personal media in a more ad hoc way without having to mess
> with external web hosts or anything like that.
>
> The main issue seems to be the problem of firewall piercing that
> prevents people from running webservers in the first place. Perhaps
> there's a clean way to have remote peers bounce the data off of the
> local dijjer peer to get through, though.
>
> Anyone have any thoughts on such an effort?

In your proposal, do the people downloading the files run Dijjer
themselves?  If so, then firewalls aren't an issue as it all goes
through Dijjer as a proxy anyway.

If not, it could indeed be a problem, I'm not sure it is possible to
do firewall hole-punching without cooperation from both ends.

The second issue is ensuring that the files are actually there, as you
know Dijjer is currently a cache, it doesn't guarantee the presence of
any files in the dijjer network.

Ian.


Chris Carlin | 5 Dec 14:31 2006

Re: Dijjer and its embedded web server

Ian Clarke wrote:
> In your proposal, do the people downloading the files run Dijjer
> themselves?  If so, then firewalls aren't an issue as it all goes
> through Dijjer as a proxy anyway.
>
> If not, it could indeed be a problem, I'm not sure it is possible to
> do firewall hole-punching without cooperation from both ends.
>
> The second issue is ensuring that the files are actually there, as you
> know Dijjer is currently a cache, it doesn't guarantee the presence of
> any files in the dijjer network.
>   

Dijjer's embedded webserver would act as any other webserver on the 
internet hosting the files.
The expectation would be that people would access this webserver through 
Dijjer, so the client would be using dijjer as well.

The problem is, only the server's local instance of dijjer is guaranteed 
to be able to access the embedded server without ISP firewalls. Any 
client would therefore need to be able to route his request through the 
server's local instance of dijjer, which is itself problematic since the 
client's request may not be able to find its way to the server instance.

Perhaps it's just plain impossible.

~Chris


Stas Khirman | 6 Dec 02:11 2006

Dijjer security vulnerability ??

(Sorry if my question is a naïve one – just started to review Dijjer project – looks VERY cool!)
If I understand correctly, Dijjer runs as a background HTTP server. The GUI is implemented as a web application served by this local server. When the user clicks on a content URL, the external server detects the presence of Dijjer on the local machine and redirects the request to the local server.
Doesn't it open a huge security vulnerability hole: someone could create a customized web page (possibly with JavaScript help) to force the user's machine to start downloading undesirable files and potentially activate them (even without the user's knowledge)? Does Dijjer implement some protection mechanisms against this kind of attack?
Regards

Stas

_______________________________________________
dijjer-devel mailing list
dijjer-devel <at> lists.sf.net
https://lists.sourceforge.net/lists/listinfo/dijjer-devel
Chris Carlin | 6 Dec 05:40 2006

Re: Dijjer security vulnerability ??

Stas Khirman wrote:  
>
> If I understand correctly, Dijjer run as a background HTTP server. GUI 
> implemented as a web application served by this local server. When 
> user click on content URL, external server detect presence of the 
> DIjjer on local machine and redirect request to the local server.
>
As far as I can tell this isn't any more a worry than any other activity 
on a webpage. A transmission through Dijjer comes from the local 
embedded web server, yes, but it's the same as if the local server was 
sitting somewhere else. The only way this may be a problem is if the web 
browser assigns more trust to a web server running on the local host for 
the purpose of filtering.

~Chris

Mason | 10 Dec 05:00 2006

Re: Dijjer security vulnerability ??

Well, the local webserver will only accept connections from localhost,
but yeah, you COULD trick it into downloading something using some fancy
javascript in a normal browser...  However, the user would be aware of
it pretty quickly when they get a "Downloading foo.exe" dialog box
popping up.  Digger won't complete the download if it notices that the
browser has stopped asking for the data, I believe.

Also, there is ZERO way to activate them after they are downloaded
without the user doing that on purpose on his own...  UNLESS your
browser just automatically runs executable files that it downloads,
which means you probably have bigger problems than a Dijjer exploit. 

On Tue, 2006-12-05 at 17:11 -0800, Stas Khirman wrote:
> (Sorry if my question is a naïve one – just started to review Dijjer
> project – looks VERY cool!)
> 
> If I understand correctly, Dijjer runs as a background HTTP server. The GUI
> is implemented as a web application served by this local server. When the
> user clicks on a content URL, the external server detects the presence of
> Dijjer on the local machine and redirects the request to the local server.
> 
> Doesn't it open a huge security vulnerability hole: someone could
> create a customized web page (possibly with JavaScript help) to force
> the user's machine to start downloading undesirable files and
> potentially activate them (even without the user's knowledge)? Does Dijjer
> implement some protection mechanisms against this kind of attack? 
> 
> Regards
> 
> Stas

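The scenario Stas raises and Mason's answer above, as an added example that is not part of the original thread or of Dijjer's code: a control server bound only to the loopback interface still receives every request that a foreign web page can trigger in the user's browser, because in that attack the TCP connection genuinely comes from localhost; what differs is the origin of the page that caused it. The block below shows what a localhost service needs beyond "accept only 127.0.0.1": rejecting unexpected Host headers (a page on an attacker-controlled name can point that name at 127.0.0.1, the DNS rebinding case), rejecting foreign Origin/Referer values, and requiring a per-launch token that only the locally served GUI page can read. The endpoint /download, the header name X-Dijjer-Token, the hostnames evil.example and attacker.example, and the ephemeral port are assumptions for the demonstration; Dijjer's real routes are not shown on the page.

```python
"""Hardening a loopback-only HTTP control server against requests that a
foreign web page triggers in the user's browser (cross-site request forgery
and DNS rebinding). Added example; not Dijjer's code. Route, header name and
host names below are hypothetical."""
import http.server
import secrets
import socket
import threading

ALLOWED_HOSTNAMES = {"localhost", "127.0.0.1"}
# Generated fresh per launch and embedded only in the locally served GUI page;
# a page from another origin cannot read that page, so it cannot learn the token.
API_TOKEN = secrets.token_urlsafe(32)


def hostname_of(host_header):
    """Strip an optional :port from a Host header value ("[v6]:port" included)."""
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def request_is_allowed(headers, port):
    """Return (allowed, reason) for a request to the local control server.

    headers: any mapping with .get(); http.server's self.headers is one."""
    # 1. DNS rebinding: only answer to our own names, never attacker.example.
    if hostname_of(headers.get("Host", "")) not in ALLOWED_HOSTNAMES:
        return False, "bad-host"
    # 2. Cross-site requests: browsers attach Origin (or at least Referer) to
    #    requests a page triggers; anything not our own origin is refused.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin:
        own = {f"http://{h}:{port}" for h in ALLOWED_HOSTNAMES}
        if not any(origin == o or origin.startswith(o + "/") for o in own):
            return False, "bad-origin"
    # 3. Capability token: covers <img>/<form> tricks that carry no Origin or
    #    Referer. Constant-time compare so the token cannot be timed out.
    token = headers.get("X-Dijjer-Token", "")
    if not secrets.compare_digest(token.encode(), API_TOKEN.encode()):
        return False, "missing-token"
    return True, "ok"


class ControlHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the embedded server's action endpoints (e.g. /download)."""

    def do_GET(self):
        allowed, reason = request_is_allowed(self.headers, self.server.server_address[1])
        body = reason.encode()
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def start_server():
    """Bind to the loopback interface only, on an ephemeral port, in a daemon thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ControlHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def raw_request(port, headers):
    """Play the browser: send a hand-built GET /download with the given headers
    over loopback and return the HTTP status code."""
    lines = ["GET /download?file=foo.exe HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines.append("Connection: close")
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        status_line = s.makefile("rb").readline().decode()
    return int(status_line.split()[1])


def demo():
    """Three constructed requests: a cross-site page's, a DNS-rebinding page's,
    and the local GUI's own. Returns their status codes as a tuple."""
    server, port = start_server()
    try:
        cross_site = raw_request(port, {"Host": f"127.0.0.1:{port}",
                                        "Origin": "http://evil.example"})
        rebinding = raw_request(port, {"Host": f"attacker.example:{port}"})
        legit = raw_request(port, {"Host": f"127.0.0.1:{port}",
                                   "Origin": f"http://127.0.0.1:{port}",
                                   "X-Dijjer-Token": API_TOKEN})
    finally:
        server.shutdown()
        server.server_close()
    return cross_site, rebinding, legit


if __name__ == "__main__":
    print(demo())
```

Run directly it prints (403, 403, 200): the cross-site request and the rebinding request are refused, and the GUI's own request carrying the token succeeds. The Host and Origin checks are defence in depth; the token is what actually closes the hole, since a request triggered by an image tag or a form submission may arrive with no Origin or Referer at all.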
Mason | 10 Dec 04:53 2006

Re: Dijjer and its embedded web server

Not to mention that HTTP traffic is TCP based, and the hole punching
only works *because* it's UDP based.

However, I *do* like the idea of using a modified Dijjer protocol and
bypassing the caching altogether.  It wouldn't be "Dijjer" anymore, but
instead simply be a useful lower-level library that others could use to
do firewall hole punching.  A generic transport protocol that can clear
firewalls by design would be quite useful for all sorts of applications.

On Tue, 2006-12-05 at 10:43 +0000, Ian Clarke wrote:
> On 12/4/06, Chris Carlin <ccarlin <at> physics.tamu.edu> wrote:
> > I've been thinking lately about the possibility of using Dijjer's
> > embedded webserver to actually host files for people. It would seem that
> > this would fill a need that people have, allowing them to easily
> > distribute personal media in a more ad hoc way without having to mess
> > with external web hosts or anything like that.
> >
> > The main issue seems to be the problem of firewall piercing that
> > prevents people from running webservers in the first place. Perhaps
> > there's a clean way to have remote peers bounce the data off of the
> > local dijjer peer to get through, though.
> >
> > Anyone have any thoughts on such an effort?
> 
> In your proposal, do the people downloading the files run Dijjer
> themselves?  If so, then firewalls aren't an issue as it all goes
> through Dijjer as a proxy anyway.
> 
> If not, it could indeed be a problem, I'm not sure it is possible to
> do firewall hole-punching without cooperation from both ends.
> 
> The second issue is ensuring that the files are actually there, as you
> know Dijjer is currently a cache, it doesn't guarantee the presence of
> any files in the dijjer network.
> 
> Ian.
> 

Mason | 10 Dec 04:56 2006

Re: Dijjer and its embedded web server

AAAH, I see what you mean.  You want to have that webserver do local
file hosting, so people without the means/know-how/desire to set up
Apache or whatnot could instead just use the built-in server.

That's not a bad idea, actually.  I like it.  Of course the current
built-in web-server is not quite made to support this, but it can be
rewritten, etc...

On Tue, 2006-12-05 at 08:31 -0500, Chris Carlin wrote:
> Ian Clarke wrote:
> > In your proposal, do the people downloading the files run Dijjer
> > themselves?  If so, then firewalls aren't an issue as it all goes
> > through Dijjer as a proxy anyway.
> >
> > If not, it could indeed be a problem, I'm not sure it is possible to
> > do firewall hole-punching without cooperation from both ends.
> >
> > The second issue is ensuring that the files are actually there, as you
> > know Dijjer is currently a cache, it doesn't guarantee the presence of
> > any files in the dijjer network.
> >   
> 
> Dijjer's embedded webserver would act as any other webserver on the 
> internet hosting the files.
> The expectation would be that people would access this webserver through 
> Dijjer, so the client would be using dijjer as well.
> 
> The problem is, only the server's local instance of dijjer is guaranteed 
> to be able to access the embedded server without ISP firewalls. Any 
> client would therefore need to be able to route his request through the 
> server's local instance of dijjer, which is itself problematic since the 
> client's request may not be able to find its way to the server instance.
> 
> Perhaps it's just plain impossible.
> 
> ~Chris
> 

Chris Carlin | 11 Dec 03:06 2006

Re: Dijjer and its embedded web server

Mason wrote:
> AAAH, I see what you mean.  You want to have that webserver do local
> file hosting, so people without the means/know-how/desire to set up
> Apache or whatnot could instead just use the built-in server.
>
> That's not a bad idea, actually.  I like it.  Of course the current
> built-in web-server is not quite made to support this, but it can be
> rewritten, etc...
>   
Adding the ability for the embedded server to provide arbitrary files 
isn't the difficult thing here. That's a simple matter of programming, 
as they say. The hard part (for me, at least) is seeing how to integrate 
this cleanly into the Dijjer network.

In some cases firewalls will not interfere at all. The webserver would 
provide files to any Dijjer node requesting them and everything is good.

In other (most?) cases, firewalls will interfere and the only guaranteed 
way to access the web server is through the local Dijjer node. The 
problem then becomes accessing the local node. Since the connection 
strategy relies on preexisting connections, it's not true that 
arbitrary, non-peered nodes will necessarily be able to connect to 
request data.

This is the deal killer as far as I can see.

~Chris
