\[Kickstart\] Link - The File Sharing Blockchain Protocol
-
Nah, the browser has this built into it. It’s cross platform (not PHP specific), it’s future proof without ever updating the code, and it’s 4 lines of code (in coffeescript):
[code]
escapeHtml = (str) ->
div = document.createElement(“div”)
div.appendChild document.createTextNode(str)
div.innerHTML
[/code]Since anyone can encode anything into the blockchain, it just makes sense to sanitize any output before displaying it, since you can’t ever trust the server to do the right thing. Since all output is appended to the DOM via client side templates, there’s a single point which all data must pass through before being rendered. This makes the whole design trivial and idiot-proof. You just need to handle the special cases of things that should be allowed but normally aren’t.
-
I doubt you could truthfully santise at DOM level. You are giving ball back, surely?.
-
[quote name=“UKMark” post=“47907” timestamp=“1388181492”]
I doubt you could truthfully santise at DOM level. You are giving ball back, surely?.
[/quote]In fact that’s exactly what it’s doing. Specifically document.createTextNode() is a native function that will escape ANYTHING that the browser considers a DOM element. That’s why it’s future proof: As new tags are added, and supported on the browser, this native function will escape them.
It doesn’t work for PHP code, because PHP is rife with xss possibilities.
Consider the following example:
[code]
document.createTextNode(‘’);
[/code]The browser will leave that intact, because it’s perfectly safe to render in the DOM. The XSS happens on the server side, which is why mixing code and templates in HTML documents is inherently dangerous, and should be avoided.
-
Show me one xss possibilities that can evade ctype_alnum?..I am anal about sever side security, call me out, but honesty prevails…
-
[quote name=“UKMark” post=“47918” timestamp=“1388183032”]
Show me one xss possibilities that can evade ctype_alnum?..I am anal about sever side security, call me out, but honesty prevails…
[/quote]I’m sure it’s a solid package that address a huge problem with PHP, namely the intermingling of server side code and client side HTML. In the security world, we call that particular feature “Broken By Design”.
Since I’m not using PHP, and I’m not rendering anything server side except JSON, it’s a non issue for this project. I’m not vulnerable to server side attacks, because business logic is kept well clear of client templates, and I’m not vulnerable to client side attacks because the browser sanitizes any output before appending it to the DOM.
The client HTML is static html files that can be served up off the filesystem with no execution, pushing all the work of rendering onto the client. This means they can be e-tagged and cached client side trivially, since they don’t change when data changes. That means the server has less load because no execution is required, and the client page loads faster because it always comes out of local cache, and only the data need be queried, reducing the amount of bandwidth required. Those queries can be e-taged and cached as well, making the entire experience as optimal as possible. Since the template need only be transferred once, and the data is all that has to go over the wire, the bandwidth is even further reduced, since you don’t need to transfer the HTML each time with the data.
That’s server side security: No execution path whatsoever for the most common case, while significantly reducing the amount of work that must be done server side, significantly reducing the bandwidth required, and significantly reducing the load times while keeping a trivially simple cache model.
-
[quote name=“Kevlar” post=“47923” timestamp=“1388184280”]
That’s server side security: No execution path whatsoever for the most common case.
[/quote]I am so unlearning PHP from watching this project. Also: [url=http://forum.feathercoin.com/index.php/topic,6422]http://forum.feathercoin.com/index.php/topic,6422[/url]
-
[quote name=“zerodrama” post=“47924” timestamp=“1388184502”]
I am so unlearning PHP from watching this project.
[/quote]For once, I feel like I’m ahead of you. I never learned PHP. ;)
-
Ok, unleash the hounds on it!
Turns out the xss scare was all for not: the templating engine was doing it by default, and my paranoia had me writing code for nothing.
Publishing is fixed. Please test it out.
For those of you who notice the major change… please don’t spoil the surprise for the rest! I’ll be making a big announcement about it soon.
-
[quote name=“Kevlar” post=“47989” timestamp=“1388210183”]
For those of you who notice the major change… please don’t spoil the surprise for the rest! I’ll be making a big announcement about it soon.
[/quote]that’s a great idea
-
thank you for the link and i wish you an Happy new year and successful year 2014
-
Alright ladies and germs,
We’re about a day away from go time.
Sessions are being written to disk. The server is in production mode. Publishing has been tested and is working again. iawgoM’s css fix is in place. New goals are also in place.
A firewall is in place. For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
I’d still like to do a little SEO before we start sending the link around, maybe I’ll get to that later today.
As of this post, all known bugs are fixed. Please test publishing and searching, because if there’s anything else wrong I’d rather know sooner rather than later!
Thanks for all your support! :)
-
[quote name=“Kevlar” post=“48102” timestamp=“1388263047”]For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
[/quote]admin/hunter2 -
[quote name=“HopeStillFlies” post=“48107” timestamp=“1388265738”]
[quote author=Kevlar link=topic=5663.msg48102#msg48102 date=1388263047]For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
[/quote]admin/hunter2
[/quote]Close.
It was spaceballs/12345, but I figured that was the kind of password an idiot would have on his luggage.
So I changed it to realultimatepower/The purpose of the ninja is to flip out and kill people.
But then I thought someone might actually guess that, so I changed it to Murray/I am a talking voodoo skull! Fear me!
But I kept forgetting the punctuation. So finally I went to correcthorsestaplebattery.net and had it generate a > 10 word passphrase, and the account name is from random.org.
Estimated time to brute force that: Longer than the heat death of the universe.
-
[quote name=“Kevlar” post=“48102” timestamp=“1388263047”]
For the hackers: You have access to port 22 and 80. The root account can’t log in. Good luck guessing my user and pass phrase. Do your worst!
[/quote]
[code]
Username : 1337TS
Password : Link Beer Pizza Cryptocurrency[/code]I’m in!
-
Dammit, Kevlar took all my fun away and banned anything other than magnet links. I was about to submit a link to Link inside Link and really f@ck this world up!
-
Scary thought. What if [url=http://correcthorsebatterystaple.net/]http://correcthorsebatterystaple.net/[/url] was actually just producing passwords from a dictionary of a couple of thousand phrases so they could steal the internet? :o
I’m sticking to using my cat’s name for everything. ;) -
[quote name=“SecretSquirrel” post=“48159” timestamp=“1388303248”]
Scary thought. What if [url=http://correcthorsebatterystaple.net/]http://correcthorsebatterystaple.net/[/url] was actually just producing passwords from a dictionary of a couple of thousand phrases so they could steal the internet? :)
I’m sticking to using my cat’s name for everything. ;)
[/quote]Did you just post this to get your number of posts up? :P
-
[quote name=“FTClover” post=“48327” timestamp=“1388371000”]
Did you just post this to get your number of posts up? :P
[/quote]:o
^ Now that’s just posting to get post’s up :D
But in all seriousness, If there’s anything wrong with that?
SecretSquirrel isn’t spamming so I don’t see an issue.
-
[quote name=“Calem” post=“48339” timestamp=“1388380061”]
[quote author=FTClover link=topic=5663.msg48327#msg48327 date=1388371000]
Did you just post this to get your number of posts up? :P
[/quote]:o
^ Now that’s just posting to get post’s up :D
But in all seriousness, If there’s anything wrong with that?
SecretSquirrel isn’t spamming so I don’t see an issue.
[/quote]Yeah I dont see anything wrong with it I just thought it was funny ;D
-
[quote name=“Kevlar” post=“41596” timestamp=“1386503016”]
For those of you who have been following the discussion over [url=http://forum.feathercoin.com/index.php/topic,5558.0.html]here[/url], you know that I’ve started working on a new protocol that allows peer to peer file sharing via the blockchain. It’s already reached a point where the idea is ready to be tested out on the blockchain itself, and the next step is to start work on a client to automate the process.At this point I’d like to start soliciting donations in order to help rapidly advance the project.
Why should you donate?
This protocol has the potential to drastically increase the value of the blockchain. When the blockchain doubles as a ledger of account, and a distributed database of serchable p2p torrents (think a Pirate Bay that can’t be taken down), it’s possible that the valuation of Feathercoin will rise significantly. (It’s also entirely possible it will crash it to zero,. Anything is possible in this world.)
FTC already has value on exchanges, and publishing message via the Link protocol requires you to destroy coins, so this means there’s an inherit cost in doing so. If people are willing to pay that cost, they remove that currency from the supply of coins permanently. This means that using Link to publish torrents in the blockchain is both costly, and deflationary to the rest of FTC, all while increasing the number of full nodes that are running in order to retrieve what’s being published.
This may well and truly be a game changer for whatever coin adopts it. Imagine a coin that was traded on an exchange, and carried with it all the new torrents that were being released, all while draining the currency supply out of the available pool. Do you think that has value?
By donating to this project, you’re participating in a social experiment; An experiment designed to change how information is shared in a way that makes it tough to censor and impossible to corrupt.
Donaters will also receive recognition in the credits, as well as get early access to client betas and testing builds.
Now people have brought up the topic of blockchain bloat (bloatchain?), and while I’m sensitive to this, my calculations tell me 2 things:
#1. A standard transaction containing a torrent will be of typically small transaction size. Every consideration has been made for compression and space optimization in the protocol, allowing for very small amounts of information to be encoded very efficiently. Link transaction, on the whole, don’t have to be very large at all and most will be WELL under 1k. It looks like you can get away with adding about 50-60 bytes per transaction to do something really meaningful, and the rest is normal input-output-change address overhead.
#2. The act of posting a Link sequence destroys the coins, meaning that those coins can NEVER generate another transaction, where as normal spends are, in theory, capable of generating an infinite number of spends in the future. This means that you’re taking a tiny hit up front, and those coins will never add to the size of the blockchain again.
I’m not convinced that this qualifies as bloat. If the transaction overhead well outpaces the actual data size, AND the result is a (even more) deflationary currency which has an increasing number of coins which won’t be spent again and won’t be adding any more to the blockchain size, then this seems like something that would actually be desirable. If the user is willing to pay the fee and burn the coins, there’s really not a lot you can do about this, and the free market will determine the correct price. Trying to stop or discourage this behavior may actually be considered harmful or controlling. Since there’s nothing you can do to stop this behavior, I see no reason to not experiment with it and see what happens.
So, what will the coins be used for?
Well for one, I’m going to need to test it. In fact I expect to need to test it a lot, and for that, I’m going to need a lot of coins to burn.
I also might need a pizza. But mostly testing.
So… who wants to see what happens when you make a blockchain more valuable than it already is?
[/quote]Just sent today’s mine of 33 FTC your way in support of this most awesome project. Well done!
