search

FriendUPCloud / friendup

FriendOS is a free web based platform that runs in your browser. It allows you to work and play, collaboratively, across devices.
https://friendos.com/
Other
347 stars 87 forks source link

[Suggestion] Secure/validated downloads #78

Open Dr-Flay opened 6 years ago

Dr-Flay commented 6 years ago

I propose that FriendUP adopt magnet and/or metalink as standards for file downloads and transfers.

Pros: They allow for multiple sources, networks and hashes Magnets simply require extra text in a URI Adds multiple levels of file redundancy protection, allowing for preference or P2P style multi-threaded bandwidth spread. multiple hashes allow for preference of network source or multiple levels of validation. Supports HTTP/S, FTP, Torrent, G1,G2,eD2k and more. Metalink sources can include a standard country descriptor so locality of sources can be used for preferential downloading.

Cons: They require extra text in the links (however there are open source magnet and metalink generators) Metalinks use a normal link to a metalink text file containing all the info. Depending on how you prefer to update your resource pages, this may not be a problem as you can leave all the links the same, but just physically overwrite the old metalink text files with all your updated ones. *Does not add authentication.

Worth consideration is another proposed standard "TLDR". As it is such a stupid name you will never find it by searching, so https://www.bennish.net/tldr/

thomaswollburg commented 6 years ago

Magnet could be a feature for sharing files with the public - but as far as we see it only for that, as you would want to download and/or store your personal files on others people computers. We will look into decentralised storage once we have the resources to do so.

When it comes to TLDR, to me this seems like a temporary solution as many download sites today already provide https - Friend based filesharing certainly does that :)

Dr-Flay commented 6 years ago

For internal use I agree, a Friend fileshare system is more sensible, as long as it can validate like p2p does.

HTTPS solves a different problem and only adds encryption and authenticity for the domain, not file validation for making sure it is not corrupt or the wrong file. When I transfer files on my desktop with teracopy, I can include CRC verification. Yes this takes a little longer, but as Windows doesn't actually check it wrote a file correctly it is worth using for important files, or large files pulled from a remote source.

When getting files from any remote resource, this is more important, and yes agreed more useful for taking files out of the network to one of your drives.

At its most basic a magnet could contain just 1 normal URL and 1 hash. Normal clickable web links do not offer any form of validation, only encryption. Linux sites post their ISOs with a list of optional hashes. If Mint Linux users used the available hashes when downloading from the HTTPS encrypted but hacked mirror, they were aware the file from a legitimate source was not correct. Those that did not, got a version of mint with "extras". After the breach Mint announced all p2p downloads were automatically protected. This extra hash protection needs to be standard feature so users don't have to think about it.

HTTPS will not protect from hacked mirrors, so until web browsers show DNS validation errors, and both parties are using DNSSec, users are not protected from a man in the middle interception. BTW. Well done with the DNSSec on all the Friend domains. Top marks !

I know the project has other things to deal with, but I figure plan ahead for absorbing a useful web standard that allows for validation and decentralised storage of many types.

Q. why not be able to suck a torrent or edonkey file into my google drive via Friend OS, so not have to download on my PC first ?