0.4.4

Thanks Beardog for raising the issue!

.mtn-ignore

@@ -34,6 +34,7 @@ commons-configuration-.*.jar
 commons-io-.*.jar
 commons-lang-.*.jar
 commons-logging-.*.jar
+csrfguard-.*.jar
 james-server-filesystem-api-3.0.0-beta5-SNAPSHOT.jar
 james-server-lifecycle-api-3.0.0-beta5-SNAPSHOT.jar
 james-server-protocols-imap4-3.0.0-beta5-SNAPSHOT.jar

build.xml

@@ -76,6 +76,12 @@
     <property name="subetha.archive" value="subethasmtp-3.1.7.zip"/>
     <property name="subetha.url" value="http://subethasmtp.googlecode.com/files/subethasmtp-3.1.7.zip"/>
     <property name="subetha.includeinupdate" value="false"/>
+    <!-- OWASP CSRFGuard -->
+    <property name="csrf.name" value="OWASP CSRFGuard"/>
+    <property name="csrf.filename" value="csrfguard-3.1.0.jar"/>
+    <property name="csrf.hash" value="b9dc95baa44ede02a74192f4b50d6c68f3b5c53b5de05bb22acef5098e39511c"/>
+    <property name="csrf.url" value="https://repo1.maven.org/maven2/org/owasp/csrfguard/3.1.0/csrfguard-3.1.0.jar"/>
+    <property name="csrf.includeinupdate" value="true"/>
 
     <!-- the following are only used by win32installer -->
     <property name="i2p.mtn" value="../i2p.mtn"/>
@@ -133,6 +139,7 @@
         <pathelement location="${lib}/${subetha.filename}" />
         <pathelement location="${lib}/${jcommon.filename}" />
         <pathelement location="${lib}/${jfreechart.filename}" />
+        <pathelement location="${lib}/${csrf.filename}" />
         <pathelement location="src/main/webapp/WEB-INF/classes" />
         <fileset refid="imaplibs"/>
     </path>
@@ -192,17 +199,20 @@
         <available property="jamesexists" file="${lib}/${james.filename}" type="file"/>
         <available property="mime4jexists" file="${lib}/${mime4j.filename}" type="file"/>
         <available property="subethaexists" file="${lib}/${subetha.filename}" type="file"/>
+        <available property="csrfexists" file="${lib}/${csrf.filename}" type="file"/>
 
         <ant target="downloadmailapi"/>
         <ant target="downloadbcprov"/>
         <ant target="downloadjames"/>
         <ant target="downloadmime4j"/>
         <ant target="downloadsubetha"/>
+        <ant target="downloadcsrf"/>
 
         <checkdep dep="mailapi"/>
         <checkdep dep="bcprov"/>
         <checkdep dep="mime4j"/>
         <checkdep dep="subetha"/>
+        <checkdep dep="csrf"/>
     </target>
 
     <!-- compiles everything under src/main/java, but not src/test/ or src/build/ -->
@@ -260,6 +270,7 @@
         <mkdir dir="ant_build" />
         <war destfile="i2pbote.war" webxml="ant_build/web.xml">
             <classes dir="ant_build/classes" includes="i2p/bote/web/** i2p/bote/jsp/** org/apache/jsp/**" />
+            <classes dir="src/main/webapp/WEB-INF/classes" includes="*.properties"/>
             <fileset dir="src/main/webapp" includes="*.html"/>
             <fileset dir="src/main/webapp/" includes="*.xml"/>
             <webinf dir="src/main/webapp/WEB-INF/tlds" includes="*.tld"/>
@@ -272,6 +283,7 @@
             <lib file="${lib}/${gmss.filename}"/>
             <lib file="${lib}/${jcommon.filename}" />
             <lib file="${lib}/${jfreechart.filename}" />
+            <lib file="${lib}/${csrf.filename}"/>
             <zipfileset dir="src/main/webapp/html" prefix="html"/>
           <zipfileset dir="src/main/webapp/themes" prefix="themes"/>
         </war>
@@ -362,6 +374,7 @@
         <!-- mime4j handled separately temporarily -->
         <includedep updater="true" dep="mime4j"/>
         <includedep updater="true" dep="subetha"/>
+        <includedep updater="true" dep="csrf"/>
 
         <copy file="src/main/scripts/encrypt.sh" todir="plugin/plugin.tmp/lib"/>
         <copy file="src/main/scripts/decrypt.sh" todir="plugin/plugin.tmp/lib"/>
@@ -405,6 +418,7 @@
         <includedep dep="bcprov"/>
         <includedep dep="james"/>
         <includedep dep="subetha"/>
+        <includedep dep="csrf"/>
 
         <!-- make the install xpi2p -->
         <copy file="plugin/plugin.config" todir="plugin/plugin.tmp" overwrite="true" />
@@ -421,6 +435,7 @@
         <mkdir dir="ant_build" />
         <war destfile="i2pbote-plugin.war" webxml="ant_build/web.xml">
             <classes dir="ant_build/classes" includes="i2p/bote/web/** i2p/bote/jsp/** org/apache/jsp/**" />
+            <classes dir="src/main/webapp/WEB-INF/classes" includes="*.properties"/>
             <fileset dir="src/main/webapp" includes="*.html"/>
             <fileset dir="src/main/webapp/" includes="*.xml"/>
             <webinf dir="src/main/webapp/WEB-INF/tlds" includes="*.tld"/>
@@ -562,6 +577,13 @@
         <removepack dep="subetha"/>
     </target>
 
+    <target name="packdep.csrf">
+        <packdep dep="csrf"/>
+    </target>
+    <target name="removepack.csrf">
+        <removepack dep="csrf"/>
+    </target>
+
     <target name="bundle" depends="compile">
         <!-- Update the messages_*.po files.
              We need to supply the bat file for windows, and then change the fail property to true -->
@@ -626,6 +648,7 @@
         <copy file="${lib}/flexi-gmss-1.7p1.jar" todir="${i2pinstallerplugindir}/lib"/>
         <copy file="${lib}/jcommon-1.0.23.jar" todir="${i2pinstallerplugindir}/lib"/>
         <copy file="${lib}/jfreechart-1.0.19.jar" todir="${i2pinstallerplugindir}/lib"/>
+        <copy file="${lib}/${csrf.filename}" todir="${i2pinstallerplugindir}/lib"/>
         <!-- build the I2P + I2P-Bote install.jar -->
         <ant antfile="${installerdir}/i2p.i2p/build.xml" target="installer" inheritAll="false"/>
         <copy file="${installerdir}/i2p.i2p/install.jar" todir="${installerresources}"/>
@@ -882,6 +905,16 @@
         <delete file="${lib}/${subetha.archive}"/>
     </target>
 
+    <target name="downloadcsrf" unless="csrfexists">
+        <input message="OWASP CSRFGuard not found, download now?" validargs="y,n" addproperty="userinput.csrf"/>
+        <fail message="OK, aborting build.">
+            <condition>
+                <equals arg1="${userinput.csrf}" arg2="n"/>
+            </condition>
+        </fail>
+        <get src="${csrf.url}" verbose="true" dest="${lib}/${csrf.filename}"/>
+    </target>
+
     <!-- Write the app version into ${version} -->
     <!-- Depends on compile b/c it gets the app version from I2PBote.class -->
     <target name="getversion" depends="compile">

history.txt

@@ -1,6 +1,12 @@
 I2P-Bote Version History
 ------------------------
 
+0.4.4 (Released on Nov 28, 2016)
+  * Add CSRF guards to all forms (thanks Beardog for raising the issue!)
+  * Tweak error message to avoid XSS filter (ticket #1815)
+  * Improve identities list usability (thanks Jonathan!)
+  * Ensure CSS gets gets reloaded after updates
+
 0.4.3 (Released on Jan 28, 2016)
   * Re-enabled IMAP (ticket #1678)
   * Only bind IMAP to the configured address and port (ticket #1680)

plugin/webapps.config

@@ -1 +1 @@
-webapps.i2pbote.classpath=$I2P/lib/jstl.jar,$I2P/lib/standard.jar,$PLUGIN/lib/i2pbote.jar,$PLUGIN/lib/mailapi-1.5.4.jar,$PLUGIN/lib/bcprov-jdk15on-152.jar,$PLUGIN/lib/flexi-gmss-1.7p1.jar,$PLUGIN/lib/ntruenc-1.2.jar,$PLUGIN/lib/scrypt-1.4.0.jar,$PLUGIN/lib/lzma-9.20.jar,$PLUGIN/lib/apache-james-mailbox-api-0.6-20150508.040939-710.jar,$PLUGIN/lib/apache-james-mailbox-store-0.6-20150508.041003-704.jar,$PLUGIN/lib/apache-mime4j-core-0.7.2.jar,$PLUGIN/lib/commons-codec-1.7.jar,$PLUGIN/lib/commons-collections-3.2.1.jar,$PLUGIN/lib/commons-configuration-1.9.jar,$PLUGIN/lib/commons-io-2.4.jar,$PLUGIN/lib/commons-lang-2.6.jar,$PLUGIN/lib/commons-logging-1.0.3.jar,$PLUGIN/lib/james-server-filesystem-api-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-lifecycle-api-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-protocols-imap4-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-protocols-library-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-util-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/jcommon-1.0.23.jar,$PLUGIN/lib/jfreechart-1.0.19.jar,$PLUGIN/lib/jutf7-1.0.0.jar,$PLUGIN/lib/log4j-1.2.17.jar,$PLUGIN/lib/netty-3.3.1.Final.jar,$PLUGIN/lib/protocols-api-1.6.4-20150617.121129-1080.jar,$PLUGIN/lib/protocols-imap-1.6.4-20150617.121245-927.jar,$PLUGIN/lib/protocols-netty-1.6.4-20150617.121137-1044.jar,$PLUGIN/lib/slf4j-api-1.7.2.jar,$PLUGIN/lib/slf4j-log4j12-1.7.2.jar,$PLUGIN/lib/subethasmtp-3.1.7.jar
+webapps.i2pbote.classpath=$I2P/lib/jstl.jar,$I2P/lib/standard.jar,$PLUGIN/lib/i2pbote.jar,$PLUGIN/lib/mailapi-1.5.4.jar,$PLUGIN/lib/bcprov-jdk15on-152.jar,$PLUGIN/lib/flexi-gmss-1.7p1.jar,$PLUGIN/lib/ntruenc-1.2.jar,$PLUGIN/lib/scrypt-1.4.0.jar,$PLUGIN/lib/lzma-9.20.jar,$PLUGIN/lib/apache-james-mailbox-api-0.6-20150508.040939-710.jar,$PLUGIN/lib/apache-james-mailbox-store-0.6-20150508.041003-704.jar,$PLUGIN/lib/apache-mime4j-core-0.7.2.jar,$PLUGIN/lib/commons-codec-1.7.jar,$PLUGIN/lib/commons-collections-3.2.1.jar,$PLUGIN/lib/commons-configuration-1.9.jar,$PLUGIN/lib/commons-io-2.4.jar,$PLUGIN/lib/commons-lang-2.6.jar,$PLUGIN/lib/commons-logging-1.0.3.jar,$PLUGIN/lib/james-server-filesystem-api-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-lifecycle-api-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-protocols-imap4-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-protocols-library-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/james-server-util-3.0.0-beta5-SNAPSHOT.jar,$PLUGIN/lib/jcommon-1.0.23.jar,$PLUGIN/lib/jfreechart-1.0.19.jar,$PLUGIN/lib/jutf7-1.0.0.jar,$PLUGIN/lib/log4j-1.2.17.jar,$PLUGIN/lib/netty-3.3.1.Final.jar,$PLUGIN/lib/protocols-api-1.6.4-20150617.121129-1080.jar,$PLUGIN/lib/protocols-imap-1.6.4-20150617.121245-927.jar,$PLUGIN/lib/protocols-netty-1.6.4-20150617.121137-1044.jar,$PLUGIN/lib/slf4j-api-1.7.2.jar,$PLUGIN/lib/slf4j-log4j12-1.7.2.jar,$PLUGIN/lib/subethasmtp-3.1.7.jar,$PLUGIN/lib/csrfguard-3.1.0.jar

src/main/java/i2p/bote/Configuration.java

@@ -143,9 +143,9 @@ public class Configuration implements IdentityConfig {
     
     // I2CP parameters allowed in the config file
     // Undefined parameters use the I2CP defaults
-    private static final String PARAMETER_I2CP_DOMAIN_SOCKET_ENABLED = "i2cp.domainSocket";
+    private static final String PARAMETER_I2CP_DOMAIN_SOCKET = "i2cp.domainSocket";
     private static final List<String> I2CP_PARAMETERS = Arrays.asList(new String[] {
-            PARAMETER_I2CP_DOMAIN_SOCKET_ENABLED,
+            PARAMETER_I2CP_DOMAIN_SOCKET,
             "inbound.length",
             "inbound.lengthVariance",
             "inbound.quantity",
@@ -236,11 +236,10 @@ public class Configuration implements IdentityConfig {
      * @param enabled ignored if not on Android.
      * @since 0.2.10
      */
-    public void setI2CPDomainSocketEnabled(boolean enabled) {
+    public void setI2CPDomainSocket(String name) {
         if (SystemVersion.isAndroid())
             properties.setProperty(
-                    PARAMETER_I2CP_DOMAIN_SOCKET_ENABLED,
-                    String.valueOf(enabled));
+                    PARAMETER_I2CP_DOMAIN_SOCKET, name);
     }
 
     /**

src/main/java/i2p/bote/I2PBote.java

@@ -128,7 +128,7 @@ import org.apache.commons.configuration.ConfigurationException;
  */
 public class I2PBote implements NetworkStatusSource, EmailFolderManager, MailSender, PasswordVerifier {
     public static final int PROTOCOL_VERSION = 4;
-    private static final String APP_VERSION = "0.4.3";
+    private static final String APP_VERSION = "0.4.4";
     private static final int STARTUP_DELAY = 3;   // the number of minutes to wait before connecting to I2P (this gives the router time to get ready)
     private static volatile I2PBote instance;
     

src/main/java/i2p/bote/email/EmailIdentity.java

@@ -72,7 +72,7 @@ public class EmailIdentity extends EmailDestination {
         if ("".equals(vanityPrefix))
             vanityPrefix = null;
         if (vanityPrefix!=null && !cryptoImpl.getBase64InitialCharacters().contains(vanityPrefix.substring(0, 1))) {
-            String errorMsg = "This encryption type does not support destinations that start with a \"{0}\". Valid initial characters are {1}.";
+            String errorMsg = "This encryption type does not support destinations that start with {0}. Valid initial characters are {1}.";
             throw new IllegalDestinationParametersException(_t(errorMsg, vanityPrefix.charAt(0), cryptoImpl.getBase64InitialCharacters()));
         }
         

src/main/java/i2p/bote/web/CSRFLogger.java

@@ -0,0 +1,78 @@
+package i2p.bote.web;
+
+import net.i2p.util.Log;
+
+import org.owasp.csrfguard.log.ILogger;
+import org.owasp.csrfguard.log.LogLevel;
+
+public class CSRFLogger implements ILogger {
+
+    private static final long serialVersionUID = -4857601483759096198L;
+    
+    private static final Log LOGGER = new Log(CSRFLogger.class);
+
+    @Override
+    public void log(String msg) {
+        LOGGER.info(msg.replaceAll("(\\r|\\n)", ""));
+    }
+
+    @Override
+    public void log(LogLevel level, String msg) {
+        // Remove CR and LF characters to prevent CRLF injection
+        String sanitizedMsg = msg.replaceAll("(\\r|\\n)", "");
+        
+        switch(level) {
+            case Trace:
+                LOGGER.debug(sanitizedMsg);
+                break;
+            case Debug:
+                LOGGER.debug(sanitizedMsg);
+                break;
+            case Info:
+                LOGGER.info(sanitizedMsg);
+                break;
+            case Warning:
+                LOGGER.warn(sanitizedMsg);
+                break;
+            case Error:
+                LOGGER.error(sanitizedMsg);
+                break;
+            case Fatal:
+                LOGGER.log(Log.CRIT, sanitizedMsg);
+                break;
+            default:
+                throw new RuntimeException("unsupported log level " + level);
+        }
+    }
+
+    @Override
+    public void log(Exception exception) {
+        LOGGER.warn(exception.getLocalizedMessage(), exception);
+    }
+
+    @Override
+    public void log(LogLevel level, Exception exception) {
+            switch(level) {
+            case Trace:
+                LOGGER.debug(exception.getLocalizedMessage(), exception);
+                break;
+            case Debug:
+                LOGGER.debug(exception.getLocalizedMessage(), exception);
+                break;
+            case Info:
+                LOGGER.info(exception.getLocalizedMessage(), exception);
+                break;
+            case Warning:
+                LOGGER.warn(exception.getLocalizedMessage(), exception);
+                break;
+            case Error:
+                LOGGER.error(exception.getLocalizedMessage(), exception);
+                break;
+            case Fatal:
+                LOGGER.log(Log.CRIT, exception.getLocalizedMessage(), exception);
+                break;
+            default:
+                throw new RuntimeException("unsupported log level " + level);
+        }
+    }
+}

src/main/java/i2p/bote/web/JSPHelper.java

@@ -56,8 +56,31 @@ import net.i2p.util.Translate;
  * and serves as a bean for JSPs.
  */
 public class JSPHelper extends GeneralHelper {
+    private static final String CONSOLE_BUNDLE_NAME = "net.i2p.router.web.messages";
     private static final String RECIPIENT_KEY_PREFIX = "nofilter_recipient";
 
+    /**
+     * @since 0.4.4
+     */
+    public static String csrfErrorMsg() {
+        I2PAppContext ctx = I2PAppContext.getGlobalContext();
+        return "<p>" + consoleGetString(
+                "Invalid form submission, probably because you used the 'back' or 'reload' button on your browser. Please resubmit.",
+                ctx
+            ) + "</p><p>" + consoleGetString(
+                "If the problem persists, verify that you have cookies enabled in your browser.",
+                ctx
+            ) + "</p>";
+    }
+
+    /**
+     * Translate with the console bundle.
+     * @since 0.4.4
+     */
+    private static String consoleGetString(String s, I2PAppContext ctx) {
+        return Translate.getString(s, ctx, CONSOLE_BUNDLE_NAME);
+    }
+
     /**
      * Returns a new <code>SortedMap<String, String></code> that contains only those
      * entries from the original map whose key is <code>"nofilter_recipient"</code>,

src/main/java/i2p/bote/web/SameOriginFilter.java

@@ -0,0 +1,63 @@
+package i2p.bote.web;
+
+import net.i2p.util.Log;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class SameOriginFilter implements Filter {
+    private static final Log log = new Log(SameOriginFilter.class);
+
+    @Override
+    public void init(FilterConfig config) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain next) throws IOException, ServletException {
+        HttpServletRequest req = (HttpServletRequest)request;
+        String name = req.getServerName();
+        String origin = getHost(req, "Origin");
+        String referer = getHost(req, "Referer");
+        if ((!"POST".equals(req.getMethod())) ||
+                rewriteLocalhost(name).equals(rewriteLocalhost(origin)) ||
+                rewriteLocalhost(name).equals(rewriteLocalhost(referer))) {
+            next.doFilter(request, response);
+        } else {
+            log.warn(
+                "Potential cross-site attack thwarted (server name: " + name + ", origin: " + origin + ", referer: " + referer + ")"
+            );
+        }
+        ((HttpServletResponse)response).addHeader("X-Frame-Options", "SAMEORIGIN");
+    }
+
+    private String getHost(HttpServletRequest request, String header) {
+        String val = request.getHeader(header);
+        if (val == null) {
+            return null;
+        }
+        try {
+            URL url = new URL(val);
+            return url.getHost();
+        } catch (MalformedURLException e) {
+            return null;
+        }
+    }
+
+    private String rewriteLocalhost(String host) {
+        return ("127.0.0.1".equals(host) || "[::1]".equals(host)) ? "localhost" : host;
+    }
+
+    @Override
+    public void destroy() {
+    }
+}

src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties

@@ -0,0 +1,29 @@
+org.owasp.csrfguard.Logger=i2p.bote.web.CSRFLogger
+org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.PropertiesConfigurationProviderFactory
+org.owasp.csrfguard.Enabled = true
+org.owasp.csrfguard.ValidateWhenNoSessionExists = true
+
+org.owasp.csrfguard.UnprotectedMethods=GET
+
+org.owasp.csrfguard.TokenPerPage=true
+org.owasp.csrfguard.TokenPerPagePrecreate=false
+
+org.owasp.csrfguard.Rotate=true
+org.owasp.csrfguard.Ajax=false
+
+org.owasp.csrfguard.unprotected.IndexHtml=%servletContext%/index.html
+org.owasp.csrfguard.unprotected.Html=%servletContext%/html/*
+org.owasp.csrfguard.unprotected.Themes=%servletContext%/themes/*
+org.owasp.csrfguard.unprotected.ExtThemes=%servletContext%/externalThemes/*
+
+org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
+org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
+org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
+org.owasp.csrfguard.action.Redirect.Page=%servletContext%/csrfError.jsp
+org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
+
+org.owasp.csrfguard.TokenName=csrfToken
+org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
+org.owasp.csrfguard.TokenLength=32
+org.owasp.csrfguard.PRNG=SHA1PRNG
+org.owasp.csrfguard.PRNG.Provider=SUN

src/main/webapp/WEB-INF/tags/address.tag

@@ -22,6 +22,7 @@
 <%@ attribute name="address" required="true" description="The email address to display" %>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -33,7 +34,7 @@
     <c:set var="emailDestination" value="${ib:extractEmailDestination(address)}"/>
     <c:set var="name" value="${ib:extractName(address)}"/>
     
-    <form action="editContact.jsp" method="POST">
+    <csrf:form action="editContact.jsp" method="POST">
         <input type="hidden" name="new" value="true"/>
         <input type="hidden" name="destination" value="${emailDestination}"/>
         <input type="hidden" name="name" value="${ib:escapeQuotes(name)}"/>
@@ -70,5 +71,5 @@
                 </c:if>
             </ib:expandable>
         </c:if>
-    </form>
-</div>
+    </csrf:form>
+</div>

src/main/webapp/WEB-INF/tlds/i2pbote.tld

@@ -366,6 +366,17 @@
     <body-content>empty</body-content>
 </tag>
 
+<function>
+    <name>csrfErrorMsg</name>
+    <description>
+        Returns the CSRF error message.
+    </description>
+    <function-class>i2p.bote.web.JSPHelper</function-class>
+    <function-signature>
+        java.lang.String csrfErrorMsg()
+    </function-signature>
+</function>
+
 <function>
     <name>createOrModifyIdentity</name>
     <function-class>i2p.bote.util.GeneralHelper</function-class>
@@ -749,4 +760,4 @@
     <path>/WEB-INF/tags/expandable.tag</path>
 </tag-file> 
 
-</taglib>
+</taglib>

src/main/webapp/WEB-INF/web.xml

@@ -12,7 +12,21 @@
     <listener>
         <listener-class>i2p.bote.web.ServiceInitializer</listener-class>
     </listener>
+    <listener>
+        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
+    </listener>
+    <listener>
+        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
+    </listener>
 
+    <filter>
+        <filter-name>SameOriginFilter</filter-name>
+        <filter-class>i2p.bote.web.SameOriginFilter</filter-class>
+    </filter>
+    <filter>
+        <filter-name>CSRFGuard</filter-name>
+        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
+    </filter>
     <filter>
         <filter-name>XSSFilter</filter-name>
         <filter-class>net.i2p.servlet.filters.XSSFilter</filter-class>
@@ -44,6 +58,14 @@
         </init-param>
     </filter>
 
+    <filter-mapping>
+        <filter-name>SameOriginFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
+        <filter-name>CSRFGuard</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
     <filter-mapping>
         <filter-name>XSSFilter</filter-name>
         <url-pattern>/*</url-pattern>
@@ -102,4 +124,4 @@
         <servlet-name>DisplayChart</servlet-name>
         <url-pattern>/displayChart</url-pattern>
     </servlet-mapping>
-</web-app>
+</web-app>

src/main/webapp/about.jsp

@@ -41,17 +41,20 @@
     <div>
         <div class="contributor-name">
             <ib:message key="Click to send an email" var="linkTitle"/>
+            <a href="newEmail.jsp?nofilter_recipient0=TzKO~FlShiQEOPkPn7eIOkxqBy6pGxk1NDkVLLwzGk~kNPwo8qvHoyk4vKOZVZNGklsU7iOndYeQofMZtADm5yqbUxhogTmxyu7VcNsw6mXBub26FAUEQADf4Uj4Ph0dGAMyPbWzDEFUibdJyjpLYS9AaHgf~EU8B49DP8rpkh8d0T&amp;recipientType0=to&amp;subject=${subject}" title="${linkTitle}">str4d</a>
+        </div>
+        <div class="contributor-role"><ib:message key="Maintenance, user experience, extended features, Android app"/></div>
+    </div>
+    <br/>
+
+    <div class="contributor-category"><ib:message key="Past developers:"/></div>
+    <div>
+        <div class="contributor-name">
             <ib:message key="Feedback on I2P-Bote" var="subject"/>
             <a href="newEmail.jsp?nofilter_recipient0=hobo37SEJsEMfQHwcpVlvEgnrERGFz34GC1yjVyuRvl1QHnTi0UAoOtrLP~qkFY0oL59BBqj5sCep0RA8I5G8n&amp;recipientType0=to&amp;subject=${subject}" title="${linkTitle}">HungryHobo</a>
         </div>
         <div class="contributor-role"><ib:message key="Technical concept, implementation, user interface"/></div>
     </div>
-    <div>
-        <div class="contributor-name">
-            <a href="newEmail.jsp?nofilter_recipient0=TzKO~FlShiQEOPkPn7eIOkxqBy6pGxk1NDkVLLwzGk~kNPwo8qvHoyk4vKOZVZNGklsU7iOndYeQofMZtADm5yqbUxhogTmxyu7VcNsw6mXBub26FAUEQADf4Uj4Ph0dGAMyPbWzDEFUibdJyjpLYS9AaHgf~EU8B49DP8rpkh8d0T&amp;recipientType0=to&amp;subject=${subject}" title="${linkTitle}">str4d</a>
-        </div>
-        <div class="contributor-role"><ib:message key="User experience, extended features, Android app"/></div>
-    </div>
     <br/>
     
     <div class="contributor-category"><ib:message key="Contributors:"/></div>
@@ -155,5 +158,13 @@
         <div class="contributor-name">kay</div>
         <div class="contributor-role"><ib:message key="Code fixes"/></div>
     </div>
+    <div>
+        <div class="contributor-name">Jonathan Cross</div>
+        <div class="contributor-role"><ib:message key="Usability improvement"/></div>
+    </div>
+    <div>
+        <div class="contributor-name">Beardog</div>
+        <div class="contributor-role"><ib:message key="Bug hunting"/></div>
+    </div>
 
 <jsp:include page="footer.jsp"/>

src/main/webapp/addressBook.jsp

@@ -28,6 +28,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -49,6 +50,7 @@
     
     <c:if test="${param.select}">
         <form action="${param.forwardUrl}" method="POST">
+        <input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue uri='${param.forwardUrl}'/>"/>
         <ib:copyParams paramsToCopy="${param.nofilter_paramsToCopy}"/>
     </c:if>
     
@@ -104,10 +106,10 @@
     <table>
         <c:if test="${!param.select}">
             <tr><td>
-                <form action="editContact.jsp" method="POST">
+                <csrf:form action="editContact.jsp" method="POST">
                     <input type="hidden" name="createNew" value="true"/>
                     <button type="submit" value="New"><ib:message key="New Contact"/></button>
-                </form>
+                </csrf:form>
             </td></tr>
         </c:if>
         <c:if test="${param.select}">
@@ -129,13 +131,13 @@
     <c:if test="${not param.select}">
         <p/><br/>
         <b><ib:message key="Import from the public address directory"/></b><br/>
-        <form action="importContact.jsp" method="POST">
+        <csrf:form action="importContact.jsp" method="POST">
             <ib:message key="Name:"/>
             <input type="text" name="name"/>
             <button type="submit"><ib:message key="Lookup"/></button>
-        </form><br/>
+        </csrf:form><br/>
         Note that only exact matches are found.
     </c:if>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/buttonFrame.jsp

@@ -24,11 +24,12 @@
 <!DOCTYPE html>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <jsp:include page="getStatus.jsp"/>
 
-<c:if test="${param.checkMail eq 1}">
+<c:if test="${pageContext.request.method eq 'POST' and param.checkMail eq 1}">
     <ib:requirePassword forwardUrl="checkMail.jsp">
         <ib:checkForMail/>
     </ib:requirePassword>
@@ -43,7 +44,7 @@
 <html>
 <head>
     <meta charset="utf-8">
-    <link rel="stylesheet" href="themes/${jspHelperBean.configuration.theme}/i2pbote.css" />
+    <link rel="stylesheet" href="themes/${jspHelperBean.configuration.theme}/i2pbote.css?v=${jspHelperBean.appVersion}" />
     
     <%-- Refresh until the Check Mail button becomes ungreyed --%>
     <c:if test="${checkingForMail or connStatus eq NOT_STARTED or connStatus eq DELAY}">
@@ -60,11 +61,11 @@
 </c:if>
 <c:if test="${!checkingForMail}">
     <div class="checkmail">
-        <c:set var="frame" value=""/>
+        <c:set var="frame" value="_self"/>
         <c:choose>
             <c:when test="${jspHelperBean.identities.none}">
                 <c:set var="url" value="noIdentities.jsp"/>
-                <c:set var="frame" value='target="_parent"'/>
+                <c:set var="frame" value="_parent"/>
             </c:when>
             <c:otherwise>
                 <%--
@@ -72,7 +73,7 @@
                     to checkMail.jsp and use the entire browser window
                 --%>
                 <c:if test="${jspHelperBean.passwordRequired}">
-                    <c:set var="frame" value='target="_parent"'/>
+                    <c:set var="frame" value="_parent"/>
                     <c:set var="url" value="checkMail.jsp"/>
                 </c:if>
                 <c:if test="${not jspHelperBean.passwordRequired}">
@@ -81,14 +82,14 @@
             </c:otherwise>
         </c:choose>
         
-        <form action="${url}" ${frame} method="GET">
+        <csrf:form action="${url}" target="${frame}" method="POST">
             <input type="hidden" name="checkMail" value="1"/>
             <c:set var="disable" value=""/>
             <c:if test="${connStatus != CONNECTED}">
                 <c:set var="disable" value="disabled=&quot;disabled&quot;"/>
             </c:if>
             <button type="submit" value="Check Mail" ${disable}><ib:message key="Check Mail"/></button>
-        </form>
+        </csrf:form>
     </div>
     <c:if test="${jspHelperBean.newMailReceived}">
         ${jspHelperBean.newEmailNotificationContent}
@@ -128,9 +129,9 @@
 </c:if>
 
 <div class="compose frame">
-    <form action="newEmail.jsp" target="_top" method="GET">
+    <csrf:form action="newEmail.jsp" target="_top" method="GET">
         <button type="submit" value="New"><ib:message key="Compose"/></button>
-    </form>
+    </csrf:form>
 </div>
 
 <div class="lastcheck">

src/main/webapp/csrfError.jsp

@@ -0,0 +1,34 @@
+<%--
+ Copyright (C) 2009  HungryHobo@mail.i2p
+ 
+ The GPG fingerprint for HungryHobo@mail.i2p is:
+ 6DD3 EAA2 9990 29BC 4AD2 7486 1E2C 7B61 76DC DC12
+ 
+ This file is part of I2P-Bote.
+ I2P-Bote is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ 
+ I2P-Bote is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ 
+ You should have received a copy of the GNU General Public License
+ along with I2P-Bote.  If not, see <http://www.gnu.org/licenses/>.
+ --%>
+
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"%>
+
+<%@ taglib prefix="ib" uri="I2pBoteTags" %>
+
+<ib:message key="Security Violation" var="title" scope="request"/>
+<ib:message key="CSRF Security Violation" var="pagetitle" scope="request"/>
+<jsp:include page="header.jsp"/>
+
+    <h1><ib:message key="CSRF Security Violation"/></h1>
+    ${ib:csrfErrorMsg()}
+
+<jsp:include page="footer.jsp"/>

src/main/webapp/debug.jsp

@@ -22,22 +22,29 @@
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
 <ib:message key="Debug" var="title" scope="request"/>
 <jsp:include page="header.jsp"/>
 
     <h1><ib:message key="Debug Page"/></h1>
     
-    <c:if test="${empty param.action}">
-        <form action="debug.jsp">
+    <c:if test="${empty action}">
+        <csrf:form action="debug.jsp" method="POST">
             <input type="hidden" name="action" value="checkFiles"/>
             <ib:message key="Test encrypted files" var="submitButtonText"/>
             <input type="submit" value="${submitButtonText}"/>
-        </form>
+        </csrf:form>
     </c:if>
     
-    <c:if test="${param.action eq 'checkFiles'}">
+    <c:if test="${action eq 'checkFiles'}">
         <jsp:useBean id="jspHelperBean" class="i2p.bote.web.JSPHelper"/>
         <ib:requirePassword>
             <c:set var="undecryptableFiles" value="${jspHelperBean.undecryptableFiles}"/>

src/main/webapp/editContact.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -41,7 +42,14 @@
 --%>
 
 <ib:requirePassword>
-<c:if test="${param.action eq 'cancel'}">
+
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
+<c:if test="${action eq 'cancel'}">
     <c:set var="backUrl" value="${param.backUrl}"/>
     <c:if test="${empty backUrl}">
         <c:set var="backUrl" value="addressBook.jsp"/>
@@ -51,7 +59,7 @@
     </jsp:forward>
 </c:if>
 
-<c:if test="${param.action eq 'save'}">
+<c:if test="${action eq 'save'}">
     <c:choose>
         <c:when test="${empty param.destination}">
             <ib:message key="Please fill in the Destination field." var="errorMessage"/>
@@ -100,7 +108,7 @@
 </c:choose>
 <jsp:include page="header.jsp"/>
 
-    <form name="form" action="editContact.jsp" method="post">
+    <csrf:form name="form" action="editContact.jsp" method="POST">
         <ib:copyParams paramsToCopy="${param.paramsToCopy}"/>
         
         <div class="contact-form-label">
@@ -141,7 +149,7 @@
         <p>&nbsp;</p>
         <button name="action" value="save">${submitButtonText}</button>
         <button name="action" value="cancel"><ib:message key="Cancel"/></button>
-    </form>
+    </csrf:form>
 
     <script type="text/javascript" language="JavaScript">
         if (document.forms['form'].elements['destination'].value == "")

src/main/webapp/editIdentity.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -58,7 +59,7 @@
             <jsp:include page="identitiesHelp.jsp"/>
         </ib:expandable>
     </c:if>
-    <form name="form" method="post" action="submitIdentity.jsp">
+    <csrf:form name="form" method="POST" action="submitIdentity.jsp">
         <div class="identity-form-label">
             <div class="field-label"><ib:message key="Public Name:"/></div>
             <div class="addtl-text"><ib:message key="(required field, shown to recipients)"/></div>
@@ -217,11 +218,11 @@
                 <button name="action" value="delete" title="<ib:message key='Delete this identity'/>"><ib:message key="Delete"/></button>
             </div>
         </c:if>
-    </form>
+    </csrf:form>
 
     <script type="text/javascript" language="JavaScript">
         document.forms['form'].elements['publicName'].focus();
     </script>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/exportIdentities.jsp

@@ -20,13 +20,14 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <ib:message key="Export Identities" var="title" scope="request"/>
 <jsp:include page="header.jsp"/>
 
 <ib:requirePassword>
-    <form action="exportIdentitiesFile" method="POST">
+    <csrf:form action="exportIdentitiesFile" method="POST">
         <div class="password-label">
             <ib:message key="Password:"/>
             <div class="addtl-text"><ib:message key="(leave blank to not encrypt identities)"/></div>
@@ -35,7 +36,7 @@
         <div class="password-label"><ib:message key="Confirm:"/></div>
         <div class="password-field"><input type="password" name="nofilter_confirm"/></div>
         <button type="submit"><ib:message key="Export"/></button>
-    </form>
+    </csrf:form>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/folder.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -51,9 +52,9 @@
 <jsp:include page="header.jsp"/>
 
 <div class="compose float">
-    <form action="newEmail.jsp" target="_top" method="GET">
+    <csrf:form action="newEmail.jsp" target="_top" method="POST">
         <button type="submit" value="New"><img src="${themeDir}/images/compose.png"/></button>
-    </form>
+    </csrf:form>
 </div>
 
 <c:set var="folderName" value="${param.path}"/>
@@ -239,4 +240,4 @@
     </table>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/folders.jsp

@@ -33,7 +33,7 @@
 <html>
 <head>
     <meta charset="utf-8">
-    <link rel="stylesheet" href="${themeDir}/i2pbote.css" />
+    <link rel="stylesheet" href="${themeDir}/i2pbote.css?v=${jspHelperBean.appVersion}" />
     <c:set var="refreshInterval" value="120"/>
     <c:if test="${ib:getMailFolder('Outbox').numElements gt 0}">
         <c:set var="refreshInterval" value="20"/>
@@ -52,4 +52,4 @@
 </div>
 
 </body>
-</html>
+</html>

src/main/webapp/header.jsp

@@ -57,7 +57,7 @@
         <meta http-equiv="refresh" content="${refreshInterval};url=${refreshUrl}" />
     </c:if>
     
-    <link rel="stylesheet" href="themes/${jspHelperBean.configuration.theme}/i2pbote.css" />
+    <link rel="stylesheet" href="themes/${jspHelperBean.configuration.theme}/i2pbote.css?v=${jspHelperBean.appVersion}" />
     <link rel="icon" type="image/png" href="${themeDir}/images/favicon.png" />
     <c:if test="${!empty title}">
         <title>${title} <ib:message key="- I2P-Bote"/></title>
@@ -169,4 +169,4 @@
   </c:if>
 </c:if>
 </div></div>
-</c:if>
+</c:if>

src/main/webapp/html/FAQ.html

@@ -516,6 +516,11 @@ licenses/BouncyCastle.txt).</blockquote>
 
 <p>(Both of which are free open source licences.)</p>
 
+<p>The source code can be found in the <code>i2p.i2p-bote</code> branch of
+<a href="https://geti2p.net/en/get-involved/guides/new-developers#monotone">the I2P Monotone repository</a>.
+There is also a <a href="https://github.com/i2p/i2p.i2p-bote">GitHub mirror</a>
+which can be used to view the code.
+
 <h3 id="Credits">Who made I2P-Bote?</h3>
 <p>Conception, technical design, implementation and original web user interface
 were done by HungryHobo, an anonymous developer.</p>

src/main/webapp/html/FAQ_de.html

@@ -101,8 +101,8 @@ person's hard drive? That sounds like a really dumb idea!</h3>
 <a href="http://www.eff.org/issues/nsa-spying">dich über dubiose Dienstanbieter ausspioniert</a>, welchen erachtest du als vertrauenswürdiger?</p>
 
 <h3 id="HowItWorks">Wie genau funktioniert es?</h3>
-<p>Siehe das <a href="userGuide.jsp#Technische%20Konzept">'Technical Concept'</a>
-den Abschnitt <a href="userGuide.jsp">Benutzerhandbuch</a>.</p>
+<p>Siehe den Abschnitt <a href="userGuide.jsp#Technical-Concept">'Technisches Konzept'</a>
+des <a href="userGuide.jsp">Benutzerhandbuchs</a>.</p>
 
 <p>Zusammengafaßt: I2P-Bote Nodes eines P2P-Netzwerkes leiten 
 gegenseitig Emailpakete weiter und speichern diese in einem DHT (Distributed Hash Table) ab. </p>
@@ -201,16 +201,16 @@ und 512 Zeichen lang und zwar abhängig von der Art der
 Verschlüsselung. Unterstützung für einfach zu merkende Email-
 Adressen ist für die Zukunft geplant. </p>
 
-<p>The e-mail identities consist of public and private keys, as well
-as a name the user chooses for it. The public part is your e-mail
-destination, your pseudonymous identity. And one real user can have
-more than one of those identities. They serve for addressing mails
-to certain users - therefore it is referred to as a
-'destination' or short 'dest' - as well as for encrypting
-the mails for them. Hence, your e-mail destination is the key
-others use in order to encrypt mails which they send to you, and in
-order to verify the authenticity and integrity of mails they
-receive from you.</p>
+<p>Die E-Mail Identitäten bestehen aus öffentlichen und privaten 
+Schlüsseln, so wie aus einem Name, den der Anwender dafür 
+aussucht. Der öffentliche Teil ist Ihre Emai-Adresse, Ihre pseudonyme
+Identität. Ein realer Anwender kann über mehr als eine solcher 
+Identitäten verfügen. Sie sind bestimmt um Mails an bestimmte User 
+zu adressieren; aus diesem Grund wird hierzu auch Bezug genommen 
+als 'Destination' oder kurz 'Dest' - so wie das Verschlüsseln von Mails 
+an Sie. Gleichfalls ist Ihre Email-Zieladresse der Schlüssel, mit dem 
+andere Ihre Emails an Sie verschlüsseln und mit dem Sie Emails, die 
+sie von Ihnen erhalten authentifizieren und auf Integrität überprüfen.   </p>
 
 <p>Ist es sicher, jemand deine Email-Zieladresse zu geben, von dem
 du Emails erhalten willst?</p>
@@ -220,24 +220,27 @@ Identifikation zu unterscheiden. Deine I2P-Bote Mail-Identität ist
 nicht gleich der Router / Node-Adresse, die für I2P-Bote Nodes 
 verwenden, um miteinander zu kommunizieren.  </p>
 
-<p>If you have problems with your I2P-Bote app – in the highly
-unlikely case it should be necessary – you can tell your I2P-Bote
-router id in irc2p, I2P's IRC channels, or the forum or manually
-add other peer's id's in order to connect, though until now this
-has never been necessary.</p>
+<p>Falls Sie, was höchst unwahrscheinlich ist, Verbindungsprobleme 
+mit Ihrer I2P-Bote-Anwendung haben, dann könnte es erforderlich 
+sein, dass Sie die Router-ID Ihres I2P-Boten in I2P's IRC-Kanal 
+oder im Forum veröffentlichen oder manuell ID's anderer Peers 
+hinzufügen müssen, um Verbinden zu können, wobei dies bis 
+heute nie vorgekommen ist. </p>
 
-<p>It is <b>not linked to your IP</b>. Nonetheless, do not relate your
-I2P-Bote router id with your I2P-Bote mail dests since this might
-destroy the additional anonymity I2P-Bote itself generates!</p>
+<p>Es ist <b>nicht mit Ihrer IP-Adresse verbunden</b>. Dennoch Sollten 
+Sie die I2P-Bote-Router-ID nicht mit Ihren I2P-Bote-Mail-Destinationen 
+in Verbindung bringen, da dies die Anonymität aufheben könnte, die 
+I2P-Bote selber generiert! </p>
 
 <h3 id="AddressLength">Warum sind die E-Mail-Adressen so lang?</h3>
-<p>In I2P-Bote every mail is (automatically) encrypted. In order not
-to require you to exchange an e-mail address <b>and</b> a long key,
-we simply made that key the address. This comes with two additional
-benefits: You won't have to worry if an e-mail address is already
-taken or not (at least not if you do not send or receive e-mails to
-or from the internet) and you don't need a key management app
-apart, for taking care of your keys.</p>
+<p>In I2P-Bote wird jede Mail (automatisch) verschlüsselt. Um zu 
+vermeiden, dass Sie eine E-Mail-Adresse <b>und</b> einen langen 
+Schlüssel austauschen müssen, haben wir diesen Schlüssel einfach 
+zur Adresse gemacht. Dies hat zwei weitere Vorteile: Sie müssen sich 
+keine Gedanken darum machen, ob eine Adresse bereits vergeben ist. 
+oder nicht (zumindest nicht, so lange Sie keine Emails ausserhalb des 
+I2P-Netzes senden oder empfangen) und Sie brauchen kein separates  
+Key-Management-System um Ihre Schlüssel handzuhaben. </p>
 
 <p>Es ist sicher, diesen Schlüssel weiterzugeben, da es der einzige 
 öffentliche Schlüssel ist, den jeder kennen darf, ohne deine 
@@ -247,31 +250,36 @@ Sicherheit zu kompromitieren. </p>
 E-Mail Zieladressen zur Folge.  </p>
 
 <h3 id="AddressBook">Aber ich kann mir diese Langen Zieladressen nicht merken&hellip;</h3>
-<p>That's what the integrated address book is there. Once you have
-become more acquainted with I2P-Bote, you will appreciate the
-built-in encryption and authentication, which can only be achieved
-using cryptographic keys.</p>
+<p>Dies ist, warum das integrierte Adressbuch da ist. Wenn Ihnen 
+I2P-Bote nach einiger Zeit mehr vertraut geworden ist, dann 
+werden Sie die integrierte Verschlüsselung und Authentifizierung, 
+die nur mittels kryptografischer Schlüssel realisierbar ist, zu 
+schätzen lernen.
 
-<p>Again, the alternative would be to have short and easy addresses
-<b>plus</b> a long key for encryption and authentication,
-<b>and</b> to rely on some authority to map the e-mail addresses to
-some anonymous recipient.</p>
+</p>
+
+<p>Nochmal, die Alternative wäre, kurze und einfache Adressen zu 
+haben <b>plus</b> einen langen Schlüssel für Verschlüsselung und 
+Authentikation <b>und</b> die Erfordernis, einer Instanz zu vertrauen, 
+die die Email-Adressen für einen anonymen Empfänger verwaltet.  </p>
 
 <h3 id="MultipleIdentities">Welchen Grund gibt es für die Verwendung multipler Identitäten? </h3>
-<p>I2P-Bote is not an instant messenger, so you can have several
-identities without having to keep many tunnels open. Only for
-fetching requests you'd use up more resources but at the same time
-provide more cover for others.</p>
+<p>I2P-Bote ist kein Instant-Messenger, so dass Sie mehrere Identitäten 
+haben können ohne viele Tunnel vorhalten zu müssen. Nur für das 
+Holen von Mails werden mehr Resourcen gebraucht, die aber 
+gleichzeitig als Schutz für andere dienen. </p>
 
-<p>Now, imagine you communicate with your friends unobservedly (see:
-data retention laws) via I2P-Bote, and want to quickly send out a
-mail that you'll be meeting each other in a different location
-tonight. Then, you need no super-anonymity and can renounce mail
-routes and delays. Your friends, on the other hand, would want to
-have a shorter check interval, so they will receive the mail in
-time. Yet you still want super high anonymity for some of your
-other communications - that's where a different mail identity with
-mail routes, delays and long check intervals comes in handy.</p>
+<p>Nun, Stellen Sie sich vor Sie würden mittels I2P-Bote ohne Über-
+wachung mit Ihren Freunden kommunizieren (siehe Gesetze zur 
+Voratsdatenspeicherung), und wollen schnell eine Email aussenden, 
+dass Sie sich heute Nacht an einem anderen Ort treffen werden. Sie 
+brauchen dann keine Super-Anonymität und können Mail-Routen 
+und Verzögerung vernachlässigen. Ihre Freunde mögen in diesem 
+Fall kürzere Abrufintervalle bevorzugen, um Ihre Nachricht zeitig zu 
+erhalten. Dennoch wollen Sie eine hohe Anonymität für andere 
+Kommunikation vorhalten - dies ist genau die Situation, in der 
+unterschiedliche Mail-Identitäten mit unterschiedlichen Mail-Routen, 
+Verzögerungen und langen Abrufintervallen sind dann von Vorteil. </p>
 
 <h3 id="EncryptionTypes">Welche Verschlüsselungsart ist die beste?</h3>
 <p>256-bit <a href="http://en.wikipedia.org/wiki/Elliptic_curve_cryptography">ECC</a>
@@ -282,10 +290,11 @@ ist stärker als 256-bit ECC, aber macht Email-Destinationen
 länger.</p>
 
 <p>2048-bit <a href="http://en.wikipedia.org/wiki/ElGamal">ElGamal</a>
-produces even longer Email Destinations, and it is the
-cryptographically weakest of the three options. However, ElGamal is
-better researched than ECC, which makes it less likely that there
-is an unknown weakness in ElGamal than in ECC.</p>
+generiert sogar noch längere Email Zieladressen und es ist die 
+kryptografisch schwächste der drei Optionen. Dennoch ist ElGamal 
+besser untersucht als ECC, was im Vergleich zu ECC die 
+Wahrscheinlichkeit unbekannter Schwächen verringert. 
+</p>
 
 <h3 id="Algorithms">Welche Algorhytmen werden für symmetische Verschlüsselung 
 und für Hashing eingesetzt? </h3>
@@ -294,12 +303,13 @@ im <a href="http://de.wikipedia.org/wiki/Cipher_Block_Chaining_Mode">
 CBC</a>-Modus und <a href="http://de.wikipedia.org/wiki/SHA-2">SHA-256</a>.</p>
 
 <h3 id="AntiSpam">Gibt es Anti-Spam-Maßnahmen?</h3>
-<p>I2P-Bote does no active spam filtering, but the fact that mass
-emails have to be sent individually should discourage spammers.
-Another line of defense is
-<a href="http://www.hashcash.org/">HashCash</a> which is supported at the
-protocol level and may be implemented in a future version if spam
-becomes a problem.</p>
+<p>I2P-Bote filtert Spam nicht aktiv, dennoch führt die Tatsache, dass 
+auch Massenemails bei I2P-Bote manuell zu versenden wären, dazu, 
+Spammern den Wind aus den Segeln zu nehmen. 
+Eine weitere Verteidigungslinie ist
+<a href="http://www.hashcash.org/">HashCash</a> , welches auf 
+Protokollebene unterstützt wird und in der Zukunft implementiert 
+werden kann, falls Spam zu einiem Problem wird. </p>
 
 <h3 id="HTML">Was ist mit HTML oder formatiertem Text?</h3>
 <p>Das Webinterface rendert HTML nicht.</p>
@@ -332,19 +342,23 @@ dann wird die Mail in der "Know" Zeile mit X markiert oder
 durch setzten von "(UNK)" vor die Adresse des Senders in 
 IMAP. </p>
 
-<p>This means that you have no proof this user is really who he claims
-to be, in his user name. Of course, if the signature is valid, you
-know he possesses the destination key with which the mail was
-signed, and that the mail content is from that person. But you
-cannot rely on the short name here. In case you had gotten a mail
-from a user with this name before, you cannot be sure it is the
-same user this time, even if the signature is valid. In this case
-you must compare the destination keys or add them to your
-addressbook. A user not locally known, is not necessarily evil, but
-you shouldn't trust it's the user you might think it is. But, if
-verified against locally stored keys, you know it's the same user
-when you receive another mail from him and “Know” has a green
-check.</p>
+<p>Dies bedeutet, dass es nicht beweisbar ist, ob dieser User wirklich 
+ist, wer er unter seinem Benutzername vorgibt zu sein. Natürlich, 
+wenn seine Signatur gültig ist, wissen Sie, dass er über den 
+Schlüssel für die Ziel-Adresse verfügt, mit der die Mail signiert ist 
+und dass der Inhalt der Mail von dieser Person stammt. Aber Sie 
+können sich hier nicht auf den Kurzname berufen. Wenn Sie bereits 
+zuvor eine Mail von diesem User erhalten hatten, können Sie nicht 
+sicher sein, dass dies nun der gleiche User ist, selbst dann, wenn 
+die Signatur gültig ist. In diesem Fall müssen Sie den Adress-
+Schlüssel vergleichen und ihn zu Ihrem Adressbuch hinzufügen. 
+Ein Benutzer, der nicht lokal bekannt ist, muss nicht zwangsläufig 
+volatil sein, aber Sie sollten nicht davon ausgehen, dass es der 
+User ist, den Sie hinter der Adresse vermuten. Aber wenn sie mit 
+den lokal gespeicherten Schlüsseln vergleichen, wissen Sie 
+spätestens, wenn Sie eine zweite Mail von Ihm erhalten, dass es 
+der gleiche User wie zuvor ist und Sie erhalten einen grünen 
+Hinweis. </p>
 
 <h3 id="Terms">Was bedeuten “BktPfx”, “Distance” and “Locked?”?</h3>
 <ul>
@@ -407,65 +421,72 @@ Ordner. Unter Windows, dieser Ordner kann unter
 <code>addressBook.txt</code>.</p>
 
 <h3 id="MailRoutes">Was ist eine <em>Mail-Route</em>?</h3>
-<p>See: What does high-latency transport mean?</p>
+<p>Siehe: Was bedeutet Transport mit hoher Latenzzeit?</p>
 <!-- <p>(When using mail routes, the timestamps are automatically disabled.) [yet to be implemented]</p> -->
 
-<h3 id="HighLatency">What does high-latency transport mean?</h3>
-<p>It means that you can enable an option where e-mail packets are not
-sent directly to storing nodes, but are relayed (forwarded) by
-other peers (who cannot read the e-mails, as they are encrypted
-with several layers and ripped into small parts), who do not send
-them on immediately but wait a user-specified time - in case of
-sending specified by the sender, in case of receiving specified by
-recipient.</p>
+<h3 id="HighLatency">Was bedeutet Transport mit hoher Latenzzeit?</h3>
+<p>Es bedeutet, dass Sie eine Option aktivieren können, die bewirkt, 
+dass Email-Pakete nicht direkt an speichernde Nodes gesandt 
+werden, sondern von anderen Peers relayed (weitergeleitet) werden 
+(und diese dabei die Mails nicht lesen können, da in mehreren Stufen 
+verschlüsselt und in Fragmente zerlegt), die sie nicht sofort weiterleiten, 
+sondern für eine vom User spezifizierte Zeit halten - im Fall von Senden 
+spezifiziert vom Sender, im Fall von Empfangen spezifiziert vom 
+Empfänger. </p>
 
-<p>Therefore it takes the mail some time to arrive. Thus an attacker
-cannot simply run stats on node uptimes (who was connected when)
-and times a message was received to be stored (which in a
-low-latency environment would be about the time it was sent), in
-order to uncover the real life identities behind I2P-Bote e-mail
-identities.</p>
+<p>Daher bedarf es einiger Zeit, bis eine Mail ankommt. Dennoch kann 
+ein Angreifer nicht einfach Statistiken über Up-Times von Nodes 
+(wer war wann verbunden) generieren und über die Zeiten, wann 
+Nachrichten empfangen und gespeichert wurden (welche in einem 
+Netzwerk mit niedriger Latenz etwa die Zeiten sind, in denen die 
+Nachricht gesandt wurde), um die Real-Life-Identitäten, die mit 
+den I2P-Bote-Email Identitäten verbunden sind, offenzulegen.</p>
 
-<h3 id="Latencies">What latencies are there, and how can they be controlled
-(if at all)?</h3>
-<p>I2P-Bote is distributed and running on top of the I2P network, so
-it takes some time. Speed is not our strength, but we compare well
-with other anon mail systems. Without mail routes enabled it takes
-3 to 10 minutes from hitting the “Send” button to being displayed
-in the receiver's inbox.</p>
+<h3 id="Latencies">Welche Latenzen gibt es und wie können sie (falls überhaupt,) 
+kontrolliert werden?</h3>
+<p>I2P-Bote wird on-top des I2P-Netzwerkes verteilt und ausgeführt, 
+so dass es einige Zeit in Anspruch nimmt. Geschwindigkeit ist nicht 
+unsere Stärke, aber wir stehen uns gut im Vergleich zu anderen 
+Anonymen Email-Systemen. Ohne aktivierte Mail-Routen dauert es 
+drei bis zehn Minuten vom Drücken des "Senden"-Buttons bis zur 
+Anzeige in der Inbox des Empfängers.  </p>
 
-<p>If speed is what you want, fully disable mail routes or set them to
-the minimum number of hops and minimum per-hop delay you can live
-with.</p>
+<p>Wenn es Ihnen auf Geschwindigkeit ankommt, dann schalten Sie 
+Mailrouten ganz ab oder setzten Sie sie auf ein Minimum von Hops 
+und auf eine minimale Verzögerung je Hop, mit der Sie noch leben 
+können. </p>
 
-<h3 id="WhyI2P">If I2P-Bote generates its own anonymity, why does it
-need I2P?</h3>
-<p>I2P-Bote is built on top of I2P mainly for five reasons:</p>
+<h3 id="WhyI2P">Wenn I2P-Bote seine eigene Anonymität generiert, wozu bedarf 
+es dann noch I2P?</h3>
+<p>I2P-Bote baut aus hauptsächlich fünf Gründen auf I2p auf: </p>
 <ul>
-<li><p>I2P was lacking a decentralized e-mail service and
-HungryHobo is an I2P user.</p></li>
-<li><p>I2P offers very good anonymity, is mature and
-incorporates years of experience.</p></li>
-<li><p>So being on top of it, kind of represents an anonymity
-fall-back even if there were some crucial bugs in I2P-Bote.</p></li>
-<li><p>Flexibility: We want to offer an easy way to
-anonymous low-latency e-mail communication as well, with still a
-high level of protection.</p></li>
-<li><p>I2P with it the many other apps running on top of
-it creates a lot of traffic that blends with I2P-Bote traffic.</p></li>
-<li><p>Even I2P-Bote relays are thus location-hidden.</p></li>
+<li><p>I2P mangelte es an einem dezentralen E-Mail-Service 
+und HungryHobo ist ein I2P-User. </p></li>
+<li><p>I2P bietet sehr gute Anonymität, ist alltagstauglich und basiert auf 
+Jahren an Erfahrung. </p></li>
+<li><p>Sogesehen On-Top zu sein, ergibt eine Art Rückfallsicherheit 
+an Anonymität, selbst dann, wenn I2P-Bote kritische Bugs aufweisen 
+würde. </p></li>
+<li><p>Flexibilität:  Wir möchten einfache Handhabung bieten für 
+Anonyme Email-Kommunikation mit niedriger Latenz
+mit dennoch hohem Level an Sicherheit. </p></li>
+<li><p>I2P, damit und den vielen anderen Apps, die darauf aufsetzen, 
+generieren eine Menge Datenverkehr, in den sich der Verkehr von 
+I2P-Bote einfügt.  </p></li>
+<li><p>Selbst I2P-Bote-Relays sind daher nicht lokalisierbar. </p></li>
 </ul>
 <h3 id="WithoutRoutes">Wie anonym/sicher ist I2P-Bote ohne Mail-Routen?</h3>
 <p>Ziemlich anonym und sehr sicher.</p>
 
-<p>It then basically enjoys the same anonymity other apps have on I2P,
-the anonymity provided by the I2P router – which is rather strong
-anonymity already. However, I2P is a low-latency network, with all
-the shortcomings a low-latency network comes with by its very
-nature. There are attacks against which I2P cannot protect you or
-not protect you very reliably. I2P-Bote does its best to augment
-I2P anonymity with its high-latency transport option, which make –
-if enabled – I2P-Bote mails <em>paranoidly</em> anonymous.</p>
+<p>Es profitiert dann von der gleichen Anonymität wie andere 
+Applikationen für I2P, nämlich der Anonymität, die der I2P-Router 
+bereitstellt - welche bereits sehr stark ist. Dennoch ist I2P ein 
+Netzwerk mit niedriger Latenz mit allen Nachteilen eines solchen 
+Netzwerkes aufgrund seiner ureigenen Natur. Es gibt Angriffe, 
+gegen die I2P nicht sehr zuverlässig schützen kann. I2P-Bote ist 
+maximal dafür ausgelegt, um I2P Anonymität mit seiner Option für 
+Transport mit hoher Latenz zu gewährleisten, was I2P-Bote-Mails 
+<em>paranoid</em> anonym macht.</p>
 
 <h3 id="OpenSource">Ist I2P-Bote quelloffen?</h3>
 <p>Natürlich!</p>
@@ -477,8 +498,12 @@ licenses/BouncyCastle.txt).</blockquote>
 
 <p>(Beides sind Freie und Open Source Lizenzen)</p>
 
+<p>The source code can be found in the <code>i2p.i2p-bote</code> branch of
+<a href="https://geti2p.net/en/get-involved/guides/new-developers#monotone">the I2P Monotone repository</a>.
+There is also a <a href="https://github.com/i2p/i2p.i2p-bote">GitHub mirror</a>
+which can be used to view the code.</p>
 <h3 id="Credits">Wer hat I2P-Bote gemacht?</h3>
-<p>Konzeptionierung, technisches Design, Implementation sowie die ursprüngliche Nutzeroberfläche im Web
+<p>Konzeptionierung, technisches Design, Implementierung sowie die ursprüngliche Benutzeroberfläche im Web
 wurden von HungryHobo erledigt, einem anonymen Entwickler.</p>
 
 <p>Der aktuelle Entwickler von I2P-Bote ist str4d.</p>

src/main/webapp/html/FAQ_es.html

@@ -22,7 +22,7 @@ con alguien?</a></p>
 <p><a href="#EmailDestination">¿Qué es un destino de correo electrónico? ¿Y qué pasa con las
 direcciones de correo normales?</a></p>
 <p><a href="#AddressLength">¿Por qué las direcciones de correo electrónico son tan largas?</a></p>
-<p><a href="#AddressBook">Pero no puedo recordar esos destinos tan largos&hellip;</a></p>
+<p><a href="#AddressBook">Pero no puedo recordar esos destinos I2P tan largos&hellip;</a></p>
 <p><a href="#MultipleIdentities">¿Para qué sirve tener varias identidades de correo?</a></p>
 <p>¿Qué tipo de cifrado es el mejor?</p>
 <p><a href="#Algorithms">¿Qué algoritmos se usan para los cifrados simétricos y para el
@@ -506,6 +506,9 @@ licenses/BouncyCastle.txt).</blockquote>
 
 <p>(Ambas licencias son licencias libres y de código abierto.)</p>
 
+<p>El código fuente se puede encontrar en el ramal (branch) <code>i2p.i2p-bote</code> de <a href="https://geti2p.net/es/get-involved/guides/new-developers#monotone">el repositorio Monotone de I2P</a>.
+También hay una <a href="https://github.com/i2p/i2p.i2p-bote">réplica en GitHub</a>
+que se puede usar para ver el código.</p>
 <h3 id="Credits">¿Quén hizo I2P-Bote?</h3>
 <p>La concepción, diseño técnico, implementación e interfaz web de usuario
 original, fueron realizados por HungryHobo, un desarrollador anónimo.

src/main/webapp/html/FAQ_fr.html

@@ -22,8 +22,8 @@ de personnes choisies aléatoirement ? C'est une idée de fou !</a></p>
 <p><a href="#AddressLength">Pourquoi les adresses sont-elles si longues ?</a></p>
 <p><a href="#AddressBook">Mais je n'arrive pas à mémoriser de si longues destinations&hellip;</a></p>
 <p><a href="#MultipleIdentities">Quel est l'intérêt d'utiliser de multiples identités ?</a></p>
-<p><a href="#EncryptionTypes">Quel est le meilleur cryptage ?</a></p>
-<p><a href="#Algorithms">Quels algorithmes sont-ils utilisés pour le cryptage symétrique
+<p><a href="#EncryptionTypes">Quel est le meilleur chiffrement ?</a></p>
+<p><a href="#Algorithms">Quels algorithmes sont utilisés pour le chiffrement symétrique
 et le hachage ?</a></p>
 <p><a href="#AntiSpam">Y a-t-il des protections anti-spam ?</a></p>
 <p><a href="#HTML">Et au sujet du HTML et du formatage de texte ?</a></p>
@@ -63,8 +63,8 @@ identités multiples et n'expose pas les en-têtes de messages. Il est
 encore en phase de développement et n'est accessible que via la console
 du routeur I2P. Il sera bientôt doté de la prise en charge de POP3, et
 de davantage d'anonymat via une option de transport à haute latence. Tous
-les messages bote sont automatiquement cryptés de bout en bout sans
-avoir à régler de cryptage de mails (bien que cette option soit
+les messages bote sont automatiquement chiffrés de bout en bout sans
+avoir à régler de chiffrement de courrier électronique (bien que cette option soit
 disponible), et ils sont authentifiés automatiquement. Comme il est
 décentralisé, aucun serveur de mail ne peut faire de rapprochement
 entre expéditeur et destinataire (profilage) : même les nœuds relayant
@@ -100,18 +100,18 @@ besoin est déjà prêt.</p>
 
 <p>Et ne vous y trompez pas, malgré son apparente simplicité et sa
 réelle facilité d'utilisation, I2P-bote vous offre un niveau de
-cryptage de qualité militaire et des options d'anonymat extrêmement
+chiffrement de qualité militaire et des options d'anonymat extrêmement
 efficaces.</p>
 
 <h3 id="Sending">Que se passe-t-il quand je clique sur "Envoyer"?</h3>
-<p>Le message est crypté et stocké sur des ordinateurs d'autres
+<p>Le message est chiffré et stocké sur les ordinateurs d'autres
 utilisateurs d'I2P-Bote. À partir de là, il est expédié au destinataire
 quand il relève son courrier.</p>
 
 <h3 id="RandomPeople">Une minute! Tous mes envois sont stockés dans les ordinateurs
 de personnes choisies aléatoirement? C'est une idée de fou!</h3>
 <p>Tout ce qu'elles peuvent voir n'est qu'un tas d'ordures car les
-données sont cryptée à un niveau militaire. Seuls vous et le
+données sont chiffrées à un niveau militaire. Seuls vous et le
 destinataire savez ce qu'il y a dans le message. De plus, si vous
 envoyez en ayant activé le relayage, il ne leur est même pas possible
 de savoir qui l'a envoyé.</p>
@@ -155,8 +155,8 @@ un fort niveau d'anonymat.</p>
 
 <h3 id="GPG">Et au sujet de <a href="http://www.pgp.com/">PGP</a> et
 <a href="http://gnupg.org/">GPG</a>?</h3>
-<p>PGP et GPG vous permettent de crypter le courrier et de l'envoyer
-par votre compte de messagerie existant. Il offrent du cryptage fort,
+<p>PGP et GPG vous permettent de chiffrer le courrier et de l'envoyer
+par votre compte de messagerie existant. Il offrent du chiffrement fort,
 mais uniquement du corps du message, pas des en-têtes, ce qui veut dire
 que les champs "Objet", le nom de votre ordinateur, et d'autres
 informations ne sont pas protégées.</p>
@@ -164,14 +164,14 @@ informations ne sont pas protégées.</p>
 <p>Une autre faiblesse de PGP/GPG est qu'ils ne peuvent pas empêcher
 de trouver qui parle à qui.</p>
 
-<p>I2P-Bote, au contraire, crypte tout sauf la destination (en fait, même
+<p>I2P-Bote, au contraire, chiffre tout sauf la destination (en fait, même
 la destination n'est visible que par les nœuds qui ignorent de qui
 vient le message). Il peut aussi envoyer le message via plusieurs
 relais (comme <a href="http://mixmaster.sourceforge.net/">Mixmaster</a>),
 de sorte que personne ne puisse trouver qui envoie à qui.</p>
 
 <h3 id="UsingGPG">Puis-je toujours utiliser GPG/PGP avec I2P-Bote?</h3>
-<p>Bien sûr. Cryptez le texte de votre message avec GPG avant de le coller
+<p>Bien sûr. Chiffrez le texte de votre message avec GPG avant de le coller
 dans le corps du message I2P-Bote, ou utilisez une application de
 messagerie compatible GPG.</p>
 
@@ -191,7 +191,7 @@ peut-être pour vous, aussi; décidez vous-même!), que:</p>
 <li><p>mixminion car il est facile à utiliser et aussi simple à prendre
 en main que nous avons pu.</p></li>
 <li><p>les services de mail anonymes n'utilisant pas le routage basé sur
-des clés de destination, car ils ne permettent pas le cryptage de bout en
+des clés de destination, car ils ne permettent pas le chiffrement de bout en
 bout.</p></li>
 <li><p>les services centralisés, car que le serveur pourrait s'arrêter (à
 cause d'attaques, de problèmes légaux, manque de financement ou
@@ -205,7 +205,7 @@ inclue dans les messages que vous envoyez.</p>
 <p>Les compteurs de transports à haute latence protègent des
 attaques de timing.</p>
 
-<p>Le cryptage de bout en bout et par saut, le relayage des paquets
+<p>Le chiffrement de bout en bout et par saut, le relayage des paquets
 pour d'autres nœuds, les paquets à taille unique* (bourrage/padding),
 le débit d'envoi constant (messages de test et bidons/dummy)*, et un
 rapport assez équilibré des taux d'envoi/réception* protègent des
@@ -249,7 +249,7 @@ joindre.</p>
 
 <h3 id="EmailDestination">Qu'est-ce qu'une destination? Et l'adresse mail?</h3>
 <p>La longueur des destinations est comprise entre 86 et 512
-caractères, suivant le type de cryptage. La prise en charge d'adresses
+caractères, suivant le type de chiffrement. La prise en charge d'adresses
 faciles à mémoriser et choisies par l'utilisateur est au programme d'un
 futur proche.</p>
 
@@ -257,17 +257,17 @@ futur proche.</p>
 nom que l'utilisateur lui attribue. La clé publique est la destination,
 votre identité pseudonymique. Un utilisateur réel peut en avoir
 plusieurs. Elles servent à envoyer des messages à certains utilisateurs
-- donc aussi appelés “destinations” - tout comme pour crypter les
-messages qui leur sont&hellip; destinés. Votre destination est donc
+- donc aussi appelés “destinations” - tout comme pour chiffrer les
+messages qui leur sont destinés. Votre destination est donc
 pour les autres aussi la clé qu'ils utilisent pour crypter les messages
 qu'ils vous envoient et pour pour vérifier l'intégrité et
-l'authenticité de ceux qu'ils reçoivent&hellip; de vous.</p>
+l'authenticité de ceux qu'ils reçoivent de vous.</p>
 
 <p>Il est sans danger (et indispensable) de donner votre destination
 à toute personne de laquelle vous voulez recevoir du courrier.</p>
 
 <p>Il est important de faire la distinction entre votre destination
-de messagerie et la destination de votre routeur I2P! Votre identité de
+de messagerie et la destination de votre routeur I2P ! Votre identité de
 messagerie n'a rien à voir avec l'identité de votre nœud/routeur
 I2P-Bote qui est utilisée pour permettre aux nœuds I2P-Bote de se
 contacter les uns les autres pour constituer le réseau Bote.</p>
@@ -286,8 +286,8 @@ réduirait à néant le niveau d'anonymat supplémentaire qu'I2P-Bote porte
 en lui-même!</p>
 
 <h3 id="AddressLength">Pourquoi les adresses sont-elles si longues?</h3>
-<p>Dans I2P-Bote chaque message est (automatiquement) crypté. Pour vous
-éviter d'avoir à échanger votre adresse <b>ET</b> de très longues clés
+<p>Dans I2P-Bote chaque message est (automatiquement) chiffré. Pour vous
+éviter d'avoir à échanger votre adresse <b>et</b> de très longues clés
 publiques, on a simplement fait de ces clés les adresses. Deux autres
 avantages en découlent: vous n'avez pas à vous soucier de la
 préexistence de votre adresse (au moins tant que vous ne recevez ni
@@ -299,16 +299,16 @@ elle n'est que la clé publique, que certains peuvent avoir à connaître,
 sans pour autant que cela compromette la confidentialité de vos
 messages.</p>
 
-<p>L'utilisation du cryptage ECC conduit à des clés plus courtes.</p>
+<p>L'utilisation du chiffrement ECC conduit à des clés plus courtes.</p>
 
 <h3 id="AddressBook">Mais je n'arrive pas à mémoriser de si longues destinations&hellip;</h3>
 <p>Le carnet d'adresses est là pour ça. Une fois convaincu par le
-principe d'I2P-Bote, vous apprécierez le cryptage et l'authentification
+principe d'I2P-Bote, vous apprécierez le chiffrement et l'authentification
 intégrés, qui ne peuvent être atteints que par l'utilisation de clés
 cryptographiques.</p>
 
 <p>Encore une fois, l'alternative serait d'avoir des adresses courtes et
-simples <b>plus</b> de longues clés de cryptage et authentification, <b>ET</b>
+simples <b>plus</b> de longues clés pour le chiffrement et l'authentification, <b>et</b>
 de se reposer sur quelqu'autorité pour faire la relation entre
 l'adresse et un destinataire anonyme.</p>
 
@@ -330,12 +330,12 @@ de communications, vous avez besoin d'un super niveau d'anonymat, et
 c'est là qu'une autre identité avec un relayage et des délais différents
 peut être utile.</p>
 
-<h3 id="EncryptionTypes">Quel est le meilleur cryptage?</h3>
-<p><a href="http://en.wikipedia.org/wiki/Elliptic_curve_cryptography">ECC</a>
+<h3 id="EncryptionTypes">Quel est le meilleur chiffrement ?</h3>
+<p><a href="https://fr.wikipedia.org/wiki/Cryptographie_sur_les_courbes_elliptiques">ECC</a>
 à 256 bits produit des adresses destinations courtes et maniables, et
 est considéré comme plus solide que l'ElGamal à 2048 bits.</p>
 
-<p><a href="http://en.wikipedia.org/wiki/Elliptic_curve_cryptography">ECC</a>
+<p><a href="https://fr.wikipedia.org/wiki/Cryptographie_sur_les_courbes_elliptiques">ECC</a>
 à 521 bits est plus solide que sa version à 256 bits, mais il génère
 des destinations (clés) très longues.</p>
 
@@ -345,12 +345,12 @@ faible des trois algorithmes. Cependant, ElGamal fait l'objet de plus
 recherches que ECC, ce qui rend moins probable qu'une faiblesse de cet
 algorithme passe inaperçue pendant plus longtemps que dans ECC.</p>
 
-<h3 id="Algorithms">Quels algorithmes sont-ils utilisés pour le cryptage symétrique
-et le hachage?</h3>
-<p><a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>
+<h3 id="Algorithms">Quels algorithmes sont utilisés pour le chiffrement symétrique
+et le hachage ?</h3>
+<p><a href="https://fr.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>
 en mode
 <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29">
-CBC</a> et <a href="http://en.wikipedia.org/wiki/SHA-2">SHA-256</a>.</p>
+CBC</a> et <a href="https://fr.wikipedia.org/wiki/SHA-2">SHA-256</a>.</p>
 
 <h3 id="AntiSpam">Y a-t-il des protections anti-spam?</h3>
 <p>I2P-Bote ne filtre pas le spam, mais le fait que l'envoi en masse doive
@@ -540,6 +540,10 @@ licenses/BouncyCastle.txt).</blockquote>
 
 <p>(Toutes deux sont des licences libres et ouvertes).</p>
 
+<p>Le code source est disponible dans la branche <code>i2p.i2p-bote</code> du
+<a href="https://geti2p.net/en/get-involved/guides/new-developers#monotone">dépôt Monotone d'I2P</a>.
+Il existe aussi un <a href="https://github.com/i2p/i2p.i2p-bote">miroir GitHub</a>
+qui peut être utilisé afin de voir le code.</p>
 <h3 id="Credits">Qui a créé I2P-Bote?</h3>
 <p>La conception, le design technique, la mise en œuvre et l'interface web utilisateur d'origine
 ont été faits par HungryHobo, un développeur anonyme.</p>

src/main/webapp/html/FAQ_ru.html

@@ -12,8 +12,7 @@
 <p><a href="#UsingGPG">Могу ли я использовать GPG/PGP с I2P-Bote?</a></p>
 <p><a href="#Susimail">Чем это отличается от Susimail?</a></p>
 <p><a href="#Comparison">Почему I2P-Bote лучше?</a></p>
-<p><a href="#Safeguards">How is my identity kept safe when I exchange mail with
-someone?</a></p>
+<p><a href="#Safeguards">Находится ли мой идентификатор в безопасности , когда я обмениваюсь с кем-либо почтой ?</a></p>
 <p><a href="#How">Как им пользоваться?</a></p>
 <p><a href="#EmailClients">Могу ли я пользоваться программами наподобие Thunderbird?</a></p>
 <p><a href="#Attachments">Могу ли я прикреплять файлы, и какое ограничение на них?</a></p>
@@ -21,7 +20,7 @@ someone?</a></p>
 <p><a href="#EmailDestination">Что, Destination  это моя электронная почта? Как насчет обычных адресов электронной почты?</a></p>
 <p><a href="#AddressLength">Почему адрес у почты такой длинный?</a></p>
 <p><a href="#AddressBook">Но я не могу запомнить тех длинных адресатов&hellip;</a></p>
-<p><a href="#MultipleIdentities">What's the point of using multiple mail identities?</a></p>
+<p><a href="#MultipleIdentities">В чём смысл использования нескольких почтовых идентификаторов?</a></p>
 <p><a href="#EncryptionTypes">Какой тип шифрования является наилучшим?</a></p>
 <p><a href="#Algorithms">Какие алгоритмы используются для симметричного шифрования, а какие для хеширования ?</a></p>
 <p><a href="#AntiSpam">У них есть анти-спам?</a></p>
@@ -38,7 +37,7 @@ inbox?</a></p>
 <p><a href="#Backups">Как я могу переместить свои параметры и и данные на другой 
 компьютер, или сделать резервную копию?</a></p>
 <p><a href="#MailRoutes">Каков <em>почтовый маршрут</em>?</a></p>
-<p><a href="#HighLatency">What does high-latency transport mean?</a></p>
+<p><a href="#HighLatency">Что такое high-latency transport?</a></p>
 <p><a href="#Latencies">Что здесь с задержками и как можно ими управлять (если вообще возможно)?</a></p>
 <p><a href="#WhyI2P">Если I2P-Bote сам по себе обеспечивает анонимность, зачем ему нужен I2P?</a></p>
 <p><a href="#WithoutRoutes">Насколько анонимно/безопасно I2P-Bote без почтовых маршрутов</a></p>
@@ -85,8 +84,7 @@ account and end-to-end encrypt your mails, but they are still not
 anonymous. You can use anonymous server-bound e-mails, yet they are
 not automatically end-to-end encrypted.</p>
 
-<p>Or you can use I2P-Bote in which your mails are anonymous and
-<em>automatically</em> end-to-end-encrypted.</p>
+<p>Или вы можете использовать I2P-Bote, в котором ваши почтовые сообщения анонимны и <em>автоматически</em> шифруются сквозным шифрованием.</p>
 
 <p>В отличие от стандартных почтовых систем нет никакой необходимости устанавливать дополнительное приложение для управления ключами. Все, в чем Вы нуждаетесь, уже там.</p>
 
@@ -104,9 +102,9 @@ that doesn't respect your privacy</a>, over an internet line that
 <a href="http://www.eff.org/issues/nsa-spying">is being spied on by
 shady agencies</a>, which would you say is more trustworthy?</p>
 
-<h3 id="HowItWorks">How does it work exactly?</h3>
-<p>See the <a href="userGuide.jsp#Technical-Concept">'Technical Concept'</a>
-section of the <a href="userGuide.jsp">User Manual</a>.</p>
+<h3 id="HowItWorks">Как это конкретно работает?</h3>
+<p>Смотри главу <a href="userGuide.jsp#Technical-Concept">'Техническую концепцию'</a>
+ <a href="userGuide.jsp">Руководства пользователя</a>.</p>
 
 <p>In short: I2P-Bote nodes form a P2P-network, relaying mail packets
 for one another and storing them into a DHT.</p>
@@ -176,7 +174,7 @@ intersection attacks.</p>
 <p>Способ распространения I2P-Bote - open source, гарантирует, что Вы сами можете 
 посмотреть его реализацию и проверить его на ошибки.</p>
 
-<p>*[not yet implemented]</p>
+<p>*[пока не реализовано]</p>
 
 <h3 id="How">Как им пользоваться?</h3>
 <p>Читайте <a href="userGuide.jsp">мануал</a> или смотрите другие вопросы и ответы здесь!</p>
@@ -238,7 +236,7 @@ has never been necessary.</p>
 I2P-Bote router id with your I2P-Bote mail dests since this might
 destroy the additional anonymity I2P-Bote itself generates!</p>
 
-<h3 id="AddressLength">Why are the e-mail addresses so long?</h3>
+<h3 id="AddressLength">Почему e-mail адреса такие длинные?</h3>
 <p>In I2P-Bote every mail is (automatically) encrypted. In order not
 to require you to exchange an e-mail address <b>and</b> a long key,
 we simply made that key the address. This comes with two additional
@@ -302,7 +300,7 @@ for hashing?</h3>
 in <a href="http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29">
 CBC</a> mode and <a href="http://en.wikipedia.org/wiki/SHA-2">SHA-256</a>.</p>
 
-<h3 id="AntiSpam">Are there any anti-spam measures?</h3>
+<h3 id="AntiSpam">У них есть анти-спам?</h3>
 <p>I2P-Bote does no active spam filtering, but the fact that mass
 emails have to be sent individually should discourage spammers.
 Another line of defense is
@@ -408,10 +406,10 @@ anonymity can be reduced.</p>
 <code>addressBook.txt</code>.</p>
 
 <h3 id="MailRoutes">Каков <em>почтовый маршрут</em>?</h3>
-<p>See: What does high-latency transport mean?</p>
+<p>Смотри: Что такое high-latency transport?</p>
 <!-- <p>(When using mail routes, the timestamps are automatically disabled.) [yet to be implemented]</p> -->
 
-<h3 id="HighLatency">What does high-latency transport mean?</h3>
+<h3 id="HighLatency">Что такое high-latency transport?</h3>
 <p>It means that you can enable an option where e-mail packets are not
 sent directly to storing nodes, but are relayed (forwarded) by
 other peers (who cannot read the e-mails, as they are encrypted
@@ -456,7 +454,7 @@ high level of protection.</p></li>
 it creates a lot of traffic that blends with I2P-Bote traffic.</p></li>
 <li><p>Even I2P-Bote relays are thus location-hidden.</p></li>
 </ul>
-<h3 id="WithoutRoutes">How anonymous/secure is I2P-Bote without mail routes?</h3>
+<h3 id="WithoutRoutes">Насколько анонимен/безопасен I2P-Bote без почтовых маршрутов?</h3>
 <p>Pretty anonymous and very secure.</p>
 
 <p>It then basically enjoys the same anonymity other apps have on I2P,
@@ -468,17 +466,20 @@ not protect you very reliably. I2P-Bote does its best to augment
 I2P anonymity with its high-latency transport option, which make –
 if enabled – I2P-Bote mails <em>paranoidly</em> anonymous.</p>
 
-<h3 id="OpenSource">Is I2P-Bote open source?</h3>
+<h3 id="OpenSource">У I2P-Bote открытый исходный код?</h3>
 <p>Естественно!</p>
 
-<blockquote>This software is licensed under the GPL version 3 (see
-licenses/GPLv3.txt), except for the BouncyCastle Provider which is
-licensed under the Bouncy Castle License (see
+<blockquote>Это программное обеспечение распространяется под лицензией GPL версии 3 (см.
+licenses/GPLv3.txt), кроме BouncyCastle Provider который распространяется под the Bouncy Castle License (см.
 licenses/BouncyCastle.txt).</blockquote>
 
-<p>(Both of which are free open source licences.)</p>
+<p>(Оба под свободными лицензиями)</p>
 
-<h3 id="Credits">Who made I2P-Bote?</h3>
+<p>The source code can be found in the <code>i2p.i2p-bote</code> branch of
+<a href="https://geti2p.net/en/get-involved/guides/new-developers#monotone">the I2P Monotone repository</a>.
+There is also a <a href="https://github.com/i2p/i2p.i2p-bote">GitHub mirror</a>
+which can be used to view the code.</p>
+<h3 id="Credits">Кто сделал I2P-Bote?</h3>
 <p>Conception, technical design, implementation and original web user interface
 were done by HungryHobo, an anonymous developer.</p>
 
@@ -487,20 +488,19 @@ were done by HungryHobo, an anonymous developer.</p>
 <p>For feedback or if you want to offer help, see
 <a href="about.jsp">the About page</a> for contact details.</p>
 
-<h3 id="Languages">What languages are available?</h3>
+<h3 id="Languages">Какие языки доступны?</h3>
 <p>Английский, немецкий, русский, французский, испанский, португальский, нидерландский, шведский,  китайский и арабский.</p>
 
-<h3 id="Translate">How can I help translate I2P-Bote into my
-language?</h3>
+<h3 id="Translate">Как я могу помочь перевести I2P-Bote на мой язык?</h3>
 <p>Translations are done the same way as the rest of I2P. If you would
 like to help and have questions, please <a href="about.jsp">contact the author.</a></p>
 
-<h3 id="Technical">How does it work on a technical level?</h3>
+<h3 id="Technical">Как это работает на техническом уровне?</h3>
 <p>Have a look at the file <code>doc/techdoc.txt</code> in the source code.</p>
 
-<h3 id="GetInvolved">What are some other ways I can help?</h3>
+<h3 id="GetInvolved">Какими способами я еще могу помочь?</h3>
 <ul>
-<li><p>Use I2P-Bote and give feedback</p></li>
+<li><p>Используйте I2P-Bote и оставьте свой отзыв</p></li>
 <li><p>Tell your friends, family, collegues et al. about I2P-Bote and lend them a hand</p></li>
 <li><p>Mention I2P-Bote on your blog, eepsite or website</p></li>
 <li><p>Write a user's guide or improve the technical documentation</p></li>

src/main/webapp/html/FAQ_sv.html

@@ -316,6 +316,10 @@ På Windows kan den mappen hittas i
 
 <p>(Vilka båda är fria open source bibliotek.)</p>
 
+<p>The source code can be found in the <code>i2p.i2p-bote</code> branch of
+<a href="https://geti2p.net/en/get-involved/guides/new-developers#monotone">the I2P Monotone repository</a>.
+There is also a <a href="https://github.com/i2p/i2p.i2p-bote">GitHub mirror</a>
+which can be used to view the code.</p>
 <h3 id="Credits">Vem har skapat I2P-Bote?</h3>
 <p>Koncept, teknisk design, implementation och ursprungligt webinterface gjordes av HungryHobo, en anonym utvecklare.</p>
 

src/main/webapp/html/userGuide_de.html

@@ -0,0 +1,562 @@
+<div>
+<h1>Benutzerhandbuch</h1>
+
+<nav><p><a href="#Introduction">1. Einführung</a></p>
+<p><a href="#How-To">2. I2P-Bote anwenden</a></p>
+<p><a href="#Starting">2.1. I2P-Bote starten</a></p>
+<p><a href="#Creating-Identities">2.2. Erstellen einer Identität</a></p>
+<p><a href="#Sending-Receiving">2.3. E-Mails senden und empfangen</a></p>
+<p><a href="#Address-Book">2.4. Lokales Adressbuch</a></p>
+<p><a href="#Settings">2.5. Einstellungen (und was sie bedeuten)</a></p>
+<p><a href="#Gateway">2.6. E-Mail-Gateway ins Internet</a></p>
+<p><a href="#Considerations">3. Mögliche Anonymität</a></p>
+<p><a href="#Troubleshooting">4. Problemlösung</a></p>
+<p><a href="#Technical-Concept">5. Technisches Konzept</a></p>
+<p><a href="#Technical-Details">6. Technische Details</a></p>
+<p><a href="#Terminology">7. Terminologie/Übersicht der Themen</a></p>
+<p><a href="#Credits">8. Dank an</a></p>
+</nav><h2 id="Introduction">1. Einführung</h2>
+
+<p>I2P-Bote ist eine einfach zu verwendende, hoch-anonyme, sichere, E-Mail-Anwendung für I2P.  Sie ist ein voll dezentralisiertes System, welches ein 
+Peer-to-Peer-Netzwerk formt / erstellt und unabhängig von Servern ist. 
+Sie basiert auf der aktuellsten Version des Anonymisierungsnetzwerk I2P 
+mit niedriger Latenz bei letzten Wissensstand. I2P fügt dabei optional ein 
+Mixminion-ähnlichen Netzwerklayer mit hoher Latenz hinzu und das bei 
+gleichzeitiger Vermeidung der Nachteile eines Niedrig-Latenz-Netzwerkes. </p>
+
+<p>Daher profitiert I2P-Bote von der Anonymität, die durch I2P bereitgestellt 
+wird und es generiert seine eigene Anonymität durch Hinzufügen einer 
+weiteren Netzwerkschicht (overlay network).</p>
+
+<p>Dieses Konzept der geschichteten Anonymität ist, was I2P-Bote so flexibel 
+macht: es kann so konfiguriert werden, dass es extrem anonym und langsam
+ ist, oder weniger anonym, aber schneller und effizienter. Auf jeden Fall stellt 
+I2P-Bote für beide, den Sender und Empfägner immer ein hohes Mass an 
+Anonymität so wie Ende-Zu-Ende-Verschlüsselung bereit. Falls nicht 
+vorgesehen ist, E-Mails vom regulären Internet zu senden oder zu 
+emfpangen, dann werden von ALLEN E-Mails - dem Körper, Anhänge und 
+der Kopf (Betreff, Datum, Zeit, Senderadresse, [&hellip; ?]), ausser der 
+Empfängeradresse automatisch und transparent Ende-zu-Ende-Verschlüsselt. 
+Die Empfängeradresse ist nur für den letzten Node der Mail-Route sichtbar, 
+der die Pakete in das KAD-Netzwerk speichert und für die entsprechenden 
+peichernden Nodes, aber sie können den Inhalt der Mail nicht lesen, noch 
+wer sie sandte oder empfängt. </p>
+
+<p>I2P-Bote bietet die Option, Ihre Kommunikation sogar noch sicherer zu machen, 
+und zwar durch die Einstellung der Mail-Routen mit hoher Latenz, dies jedoch zu 
+Lasten der Performance. Anwender, deren Ziel es ist, dass Ihre Mails so schnell wie 
+möglich ankommen, können die Mail Routen abschalten und verwenden das 'direkte' 
+Senden über I2P. Es ist garantiert, dass Sie niemals weniger anonym sind, als es über 
+die Standard I2P Verbindungen gegeben ist. 
+
+</p>
+
+<p>Um ein hohes Mass an Alltagstautlichkeit zu gewährleisten, haben wir die Möglichkeit des Einsatzes von Email-Clients wie Thunderbird, Evolution oder Kmail  geschaffen, so dass man sich keine Gedanken darüber machen müss, welche zusätzlichen Informationen diese Programme in Ihren Kopfzeilen versenden.  Darüber hinaus gibt es ein Web Interface, welches es ermöglicht, Ihre eigenen Einstellungen und Identitäten zu verwalten. </p>
+
+<h2 id="How-To">2. I2P-Bote benutzen</h2>
+
+<h3 id="Starting">2.1. I2P-Bote starten</h3>
+<p>Nach dem Start von I2P-Bote (Standard ist Start nach jedem Hochfahren 
+des I2P-Routers) dauert es knapp über drei Minuten, bis alles läuft.  </p>
+
+<p>Also siehe 'Netzwerkstatus' auf der linken Seite. Er sollte 'Connected' 
+anzeigen. </p>
+
+<p>Um I2P-Bote zu verwenden, muss zunächst eine neue Identität
+erstellt werden.</p>
+
+<h3 id="Creating-Identities">2.2. Erstellen einer Identität</h3>
+<p>Clicke auf 'Identitäten' auf der linken Seite, dann drücke den Button 
+'Neue Identität'</p>
+
+<p>Geben Sie mindestens einen 'öffentlichen Name' ein und drücken Sie 'Erstellen'. Das ist alles, was es braucht, um eine Identität zu erstellen. </p>
+
+<p>Der öffentliche Name ist der Name, den Sie für diese Identität sehen. Dies 
+ist nützlich wenn Sie über unterschiedliche Identitäten verfügen um mit 
+unterschiedlichen Benutzern zu kommunizieren oder aufgrund anderer Ziele. 
+Er wird als Sendername an den Email-Empfänger gesendet. Es besteht dabei 
+keine Notwendigkeit, Unverwechselbarkeit. </p>
+
+<p>(Da Sie hier jeden Namen wählen können - kann jeder sich HungryHobo 
+nennen) - es ist für den Empfänger nicht geeignet, um festzustellen, ob 
+zwei Mails vom gleichen Abstender stammen. Aus diesem Grund wird 
+der Name im lokalen Adressbuch gespeichert (es gibt nur genau einen 
+Name je Zeiladresse), der, sofern gegeben, angezeigt wird. In der 
+"Bekannt"-Zeile erscheint eine grüne Markierung, die aufzeigt, dass es sich 
+sich um den lokal bekannten Name handelt. Wenn im lokalen Adressbuch 
+keine Ziel-Adresse gespeichert ist, dann wird der vom Sender spezifizierte 
+Name mit einem Präfix im Mail Client angezeigt. 
+</p>
+
+<p>Falls gewünscht, können jetzt die anderen Felder ausgefüllt werden. </p>
+
+<p>'Beschreibung' - dieses Feld ist lokal und zur Verfügung des Anwenders. 
+Wenn zusätzliche Information zu dieser Identität hinzugefügt werden, 
+soll, dann kann dies hier erfolgen. </p>
+
+<p>Email-Adresse - dieses Feld wird noch nicht verwendet.</p>
+
+<p>Wähle eine der gegebenen Verschlüsselungs-Algorithmen. Im Zweifel, 
+kann der Standard belassen werden. </p>
+
+<p>Sie können auf den Name einer Ihre Identitäten klicken und den langen 
+Schlüssel kopieren, der unter 'Email-Zieladresse' angezeigt ist. Dies ist 
+Ihre I2P-Bote E-Mail-Adresse. Wenn Sie es jemand ermöglichen wollen, 
+Ihnen eine Email zu schreiben, dann müssen Sie ihm diesen langen 
+Schlüssel geben. </p>
+
+<p>Sie können nun I2P-Bote-Mails senden und empfangen.</p>
+
+<p>Aber es sollte ein Blick auf die I2P-Bote-Einstellungen geworfen werden, um zu sehen, ob Sie Ihren Ansprüchen entsprechen. </p>
+
+<p>(Sie können ebenfalls unterschiedliche Identitäten erstellen und jeder 
+dieser individuelle Einstellungen zordnen.)</p>
+
+<h3 id="Sending-Receiving">2.3. E-Mails senden und empfangen</h3>
+<p>Sie müssen die I2P-Bote E-Mail-Ziel-Adresse des Nutzers haben, dem 
+Sie eine Mail zusenden wollen. </p>
+
+<p>Um eine Nachricht zu senden clicken sie auf 'Neu', wählen Sie im Feld 
+'Von' Ihre eigene Sender-Identität oder 'Anonym'; geben Sie dann im Feld 
+'Von' die E-Mail-Zieladresse in das Empfängerfeld oder alternativ eine 
+Adresse ein.  </p>
+
+<p>(Alternativ können Sie den 'Adressbuch'-Button unmittelbar unter der 
+Linie klicken um von Email-Destinationen auszusuchen, die lokal in Ihrem 
+Adressbuch gespeichert sind. Markieren Sie dein / die Benutzer, an den 
+Sie Ihre Mail senden wollen und drücken Sie den 'Empfänger 
+hinzufügen'-Button.)</p>
+
+<p>Sie können mehrfache Empfänger hinzufügen und 'An' ändern in 'CC' oder 'BCC'.</p>
+
+<p>Die Schaltfläche '+' fügt zusätzliche Empfängerzeilen hinzu.</p>
+
+<p>Schreiben Sie jetzt Ihre Bote Mail und drücken Sie 'Senden' zum senden 
+oder 'Speichern',um sie als Entwurf in Ihrem 'Entwürfe'-Ordner oder 
+einem anderen Ordner [noch nicht implementiert] zu speichern.</p>
+
+<p>Klick auf 'Senden' placiert Ihre Email im Outbox-Ordner und Sie können 
+I2p-Bote weiter verwenden, z.B. um eine weitere EMail zu schreiben oder 
+andere Dinge zu tun; I2P-Bote sendet Ihre Email nun. Wenn gesendet, dann 
+wird die Nachricht automatisch in Outbox entfernt und im Ordner Gesendet 
+eingestellt. Dies bedeutet, Ihre Email ist absolut auf dem Weg zu Ihrem Ziel 
+(eventuell verzögert durch eine Delay-Time, die aber als Standard-Einstellung
+ nicht gesetzt ist)</p>
+
+<p>I2P-Bote-Emails sind automatisch  unterschrieben, es sei denn Sie senden 
+ohne Absenderidentität. </p>
+
+<p>You can also send e-mails without specifying <em>any</em> sender
+identity/destination/address, just select 'Anonymous' in the scroll-down
+menu 'From:'.</p>
+
+<p>In der Standardeinstellung wird I2P-Bote automatisch neue Nachrichten abfragen und alles was Sie machen müssen um zu sehen, ob Nachrichten eingegangen sind, ist in Ihrer Inbox nachzusehen (Link 'Inbox' links).</p>
+
+<p>Sie können manuell prüfen, ob Emails vorhanden sind, indem Sie auf den 'Check Mail' Button klicken. Dies ist eine globale Prüfung auf Emails für alle Ihre Identitäten, ausser denen, die Sie für diese Funktion ausgeschlossen haben [letztere Funktion ist noch nicht implementiert].</p>
+
+<p>Die Anzahl der ungelesenen Emails wird in Klammern neben dem Ordnername in der Seitenleiste angezeigt. </p>
+
+<p>Clicken Sie auf 'Inbox', um die Liste der eingegangenen Emails angezeigt zu bekommen. Sie sehen zwei Spalten mit x'en oder gründen Haken. Letztere zeigen Ihnen ob eine Email eine gültige Signatur enthält und ob sich authentisch ist und ob die Email-Destinatination des Senders lokal bekannt ist (Signatur), üblicherweise in Ihrem Adressbuch enthalten ist. Darüber hinaus bedeuten zwei grüne Haken neben Ihrer Email-Eingabe, dass die Email über eine gültige Signatur verfügt und dass diese Signatur lokal bekannt ist. </p>
+
+<p>Wenn Sie einen bestimmten Name in Ihrem Adress-Buch haben und Sie eine Mail von dieser Identität erhalten, in dem Wissen, dass der grüne Haken nicht angezeigt wird, dann ist es eine andere Adresse, die die Mails gesendet und signiert hat; der Absender hat dann einfach nur den gleichen Name gewählt, den Sie Ihren Kontakten zugewiesen haben.&nbsp;</p>
+
+<p>Wenn ein grüner Haken für 'Sig' angezeigt wird, dann wurde die Mail korrekt für den Sender signiert und Sie können den Absender Ihrem Adressbuch unter einem neuen Name hinzfügen; dieser wird ab sofort als der Sender angezeigt.&nbsp; &lt;br&gt;</p>
+
+<p>Natürlich hat eine Mail ohne Sender-Angabe ('Anonym' ist als Sender angezeigt) hat zwei x'e.</p>
+
+<p>Clicken einer der in Ihrer Inbox angezeiten Emails öffnet die Mail.</p>
+
+<p>Das gleiche gilt für andere Ordner. </p>
+
+<p>(Aufgrund der verteilten Natur von I2P-Bote dauert es eine Zeit um auf Emails zu prüfen oder sie herungerzuladen; bei aktivierten Mail-Routen noch länger. Es ist nicht erforderlich den Browser offen zu lassen, lassen Sie I2P-Bote einfach als Hintergrundprozess laufen - dieses unterstützt auch Ihre Anonymität. ) &lt;br&gt;</p>
+
+<h3 id="Address-Book">2.4. Lokales Adressbuch</h3>
+<p>Wenn Sie den I2P-Bote-Email-Schlüssel von jemandem erhalten haben, dem Sie öfters schreiben wollen, dann geht es gut von der Hand, diesen Schlüssel in Ihr lokales Adress-Buch aufzunehmen (Link auf der linken Seite), und zwar unter einem Name Ihrer eigenen Wahl für diesen Kontakt. Fügen Sie die betreffende Email-Zeil-Adresse in die entsprechenden Zeilen ein, dann speichern. &lt;br&gt;</p>
+
+<p>You should normally save destinations to your address book, so that next time
+you get a mail from the same sender it will be shown to be from the same,
+locally known sender ('Loc' is checked) and a mail sent by someone else who
+is just using the same user name will be marked as NOT known locally (an x in
+web-UI's 'Know' column or {UNK} before the sender address in IMAP), so you know
+it's a new/different one.</p>
+
+<h3 id="Settings">2.5. Einstellungen (und was sie bedeuten)</h3>
+<p>Under settings you can choose the I2P-Bote interface's <em>language</em>
+(currently English or German) and decide whether even with a non-English
+language setting everything that will be automatically added to an e-mail when
+replying will nonetheless stay in English, so that the recipient does not know
+your I2P-Bote is set to a different language. Otherwise the recipient could
+guess about your nationality which would decrease your anonymity.</p>
+
+<p>Here you can also adjust the interval for <em>automatic checking</em> of
+e-mails and decide whether or not to send any <em>time stamp</em> with your
+mails, indicating date and time when the mail was sent. The time stamps are
+always in UTC.</p>
+
+<p>(When using mail routes, the timestamps are automatically disabled.) [not
+yet implemented]</p>
+
+<p>automatischer Abruf von E-Mails:</p>
+
+<p>For more comfort there is the 'Check for mail every XX minutes'
+option.</p>
+
+<p>Here you can specify how often your I2P-Bote app should try to fetch unread
+mails for your identities. This can be set on a per-identity basis [not yet
+implemented]</p>
+
+<p>If you specify a random offset, then it will not check _exactly_ every XX
+minutes, but rather every (XX+-offset*XX) minutes, i.e. after a randomly chosen
+time between (1-offset)XX minutes and (1+offset)XX minutes. [not yet
+implemented]</p>
+
+<p>You can also totally disable the automatic checking for a given
+identity.</p>
+
+<p>(If you are not sure about these settings, the defaults should be ok for
+you.)</p>
+
+<p><em>Mail routes</em> are chains of I2P-Bote nodes acting as relays/routers for
+other peers and obeying to per-hop delays, thus providing the high-latency
+transport for increased anonymity.</p>
+
+<p>You can specify the number of nodes (here called hops) that should be
+chained to form a mail route. Then each of the e-mail packets sent by the
+identity that has mail routes enabled will go through a mail route of n hops
+before being stored. You can set a delay for each hop individually, as no hop
+should know the time a packet will wait at the next hop, making the timing
+unpredictable. [individual per-hop and per-identity setting of delays not yet
+implemented]</p>
+
+<p>As delay you can specify a time frame (e.g. 60-600 minutes) - then a
+random wait time between the two values will be chosen for the packet at that
+hop - or a fix time, then the packet will be forwarded at that fix time, e.
+g. noon UTC, no matter when it arrived. [fix time not yet implemented]</p>
+
+<p>(When using mail routes, the timestamps are automatically disabled.) [not yet
+implemented]</p>
+
+<p>Under <em>Mixing anonymity</em> (minimum threshold number of relay
+packets that will be sent) you can specify a threshold. As your node can only
+act reliably as a mix if there are enough foreign packets to mix and to blend
+own packets with, it will accumulate messages whose delay time is over until
+reaching this lower limit. Only when it is surpassed, your node starts sending
+them out in random order. [Not yet implemented]</p>
+
+<p><em>exclude identity from global checking</em> [Not yet implemented]</p>
+
+<p>If you enable this option for one of your identities, then this one will not
+be affected by the global manual checking for mails nor by any global automatic
+mail checking.</p>
+
+<h3 id="Gateway">2.6. E-Mail-Gateway ins Internet</h3>
+<p>[NOCH NICHT VOLLSTÄNDIG IMPLEMENTIERT!]</p>
+
+<p>In order to be able to send bote mails to the internet and to receive
+e-mails from the internet with your I2P-Bote application, you must first
+register with an appropriate mail gateway. Currently there is only one:
+postman.</p>
+
+<ol>
+<li><p>First, go to
+<a href="http://hq.postman.i2p/?page_id=16">http://hq.postman.i2p/?page_id=16</a>
+and register an account. If you already have an account or if you have just
+created one as described, proceed with #2.</p></li>
+
+<li><p>For an existing account you can add your I2P-Bote mail destination, so
+that e-mails coming from the internet are forwarded to your I2P-Bote app. To do
+so go to
+<a href="http://hq.postman.i2p/?page_id=74">http://hq.postman.i2p/?page_id=74</a>
+and provide the requested information.</p></li>
+</ol>
+<p>Now all e-mails sent to that address
+(<a href="mailto:name@i2pmail.org">name@i2pmail.org</a> from the outer internet
+or <a href="mailto:name@mail.i2p">name@mail.i2p</a> for mails from other postman
+subscribers) will be forwarded via the I2P-Bote network to your I2P-Bote
+app.</p>
+
+<p>(N.B. When using the <a href="mailto:name@mail.i2p">name@mail.i2p</a> or
+<a href="mailto:name@i2pmail.org">name@i2pmail.org</a> addresses instead of the
+long addresses, e-mails are no longer end-to-end encrypted. Therefore, it is
+recommended to exchange the I2P-Bote mail destination keys for communicating
+within the network. Postman has offered high quality services in I2P for quite
+a while already, but be aware that it's a centralized point that might go
+offline one day, or worse be taken over by an evildoer that will manipulate
+mails. As for network-internal e-mail communication, I2P-Bote makes sure that
+if you use the address keys, nobody can tamper with the mails you send or
+receive.)</p>
+
+<p>If you want not only to receive e-mails from the internet, but also enable
+sending e-mails from I2P-Bote to the internet, you must provide your I2P-Bote
+client with the gateway's mail destination key, so that your I2P-Bote knows
+where to send those mails to.</p>
+
+<p>You can do this under 'Settings'. This gateway will allow I2P-Bote users
+to communicate with the standard e-mail users on the internet as well as with
+users of postman's classical i2pmail service (@mail.i2p).</p>
+
+<p>In order to fight abuse, there will be a limitation of the number of e-mails
+you can send out to the internet; just like for normal postman mail service
+users: If an I2P-Bote user exceeds the quota with outgoing e-mails, the
+additional e-mails will be sent back as bounce.</p>
+
+<h2 id="Considerations">3. Überlegungen über Anonymität</h2>
+<p>Don't send identifying information about you (name, address, geographic
+location, time zone, age, websites you have just visited or blogged about, user
+names, ip numbers, I2P router id, I2P-Bote id, social security number, credit
+card number, &hellip;, copies of your passport, driver's license, home rental
+contract, photos (nude or with clothes), documents that contain your
+username in author's settings, and many many more)!</p>
+
+<p>Wenn möglich,</p>
+<ul>
+<li><p>lassen Sie I2P-Bote 24/7 laufen,</p></li>
+<li><p>use mailroutes with randomized per-hop delays and/or per-hop fixed send
+times, [not yet <em>fully</em> implemented]</p></li>
+<li><p>verwenden Sie ein langes Abrufintervall,</p></li>
+<li><p>verwenden Sie eine lange lokale Verzögerung für eigene Pakete,</p></li>
+<li><p>verwende große Intervalle nach zufälligem Muster [noch nicht 
+implementiert]</p></li>
+</ul>
+<p>You can suppress the sending of date and time in the e-mails' header.</p>
+
+<p>When you reply to an e-mail, certain markers are added to show the recipient
+that this is a reply, such as 'Re: [subject of the mail you're replying to]' or
+'[username] wrote:'. Those are different for the languages you can chose from in
+your language settings. However, if you don't want the recipient to know what
+language you have set, you can suppress translation of these markers, so that
+they will be in English, no matter what you language setting is. In order to do
+so, mark 'Use English for text added to outgoing email ('Re:', 'wrote:',
+etc.)'</p>
+
+<p>Be careful with the contents you send! Don't include personal information or
+information that only you can possess. Don't write 'I'm going to bed now, it's
+late' when including time stamps.</p>
+
+<p>The language in which you write your e-mails, your style and formulations
+can also be of interest for an attacker.</p>
+
+<p>I2P-Bote also offers the possibility to use different e-mail identities.
+Suppose one of you contacts learns about your identity, as you forgot to erase
+identifying information in a secret document you have sent to him. Now if this
+e-mail's recipient was to collaborate with others you are in contact with, he
+could tell them the real world identity belonging to the Bote address he knows
+from you. Thusly, if you communicate with those others using the same Bote
+address, they will know who you are. Not so, if you used a different address
+for sending mails to them.</p>
+
+<h2 id="Troubleshooting">4. Problemlösung</h2>
+<h3 id="Unlimited-Strength-Crypto">4.1. Notification about JCE Unlimited Strength Jurisdiction Policy files</h3>
+<p>If you have a notification at the bottom of your screen about JCE Unlimited
+Strength Jurisdiction Policy files, it means that your Java installation is
+restricted from using the strong cryptography that I2P-Bote requires.</p>
+
+<p>You can enable the strong cryptography by following the steps below:</p>
+<ol>
+<li><p>Download the JCE Unlimited Strength Jurisdiction Policy files from <a href="http://www.oracle.com/technetwork/java/javase/downloads/index.html" target="_blank">Oracle's website</a>. You may need to use your regular browser.</p></li>
+<li><p>Packen Sie die heruntergeladene ZIP-Datei aus.</p></li>
+<li><p>Move the files <code>local_policy.jar</code> and <code>US_export_policy.jar</code> into the folder shown in the notification on your screen. Overwrite any existing files with the same names.</p></li>
+<li><p>I2P neu starten.</p></li>
+</ol>
+<p>Some countries have restrictions on the allowed strengths of cryptographic
+software. If you are unsure about the restrictions in your country, consult
+with a lawyer.</p>
+
+<h2 id="Technical-Concept">5. Technisches Konzept</h2>
+<p>I2P-Bote is an end-to-end encrypted, network-internal, fully decentralized
+(i.e. serverless) e-mail system. It supports different identities and does not
+expose e-mail headers. Currently, it is still alpha software. It can be
+accessed via web console, and it has IMAP and SMTP support, so bote-mails can
+be read and written by regular email clients. It is planned to guarantee
+additional anonymity by providing a high-latency transport option. All
+bote-mails are automatically end-to-end encrypted, so that there's no need to
+set up extra e-mail encryption (though you can do that), and bote-mails will be
+authenticated automatically. As it is decentralized, there is no e-mail server
+that could link different e-mail identities as communicating with each other
+(<em>profiling</em>): Even the nodes relaying the mails will not know the sender
+and apart from sender and receiver, only the end of the high-latency mail
+tunnel and the storing nodes will know to whom (anonymous identity) the mail is
+destined. The original sender can have gone offline long before the mail
+becomes available on the other side. This adds on the degree of anonymity that
+can be reached with I2P-Bote. For those who do not want high delays: All these
+settings are user-adjustable, so each user decides on how much anonymity he
+wants.</p>
+
+<p>I2P-Bote nodes store encrypted e-mails into a Kademlia DHT. Therefore, an
+e-mail can be sent through a number of other nodes (relays) for increased
+security, or directly to a set of storage nodes for faster delivery. The same
+applies to retrieving email.</p>
+
+<p>(When using mail routes, timestamps are automatically disabled.) [Retrieving
+via relays not yet implemented]</p>
+
+<p>All nodes are created equal: There are no 'supernodes' or designated
+relay/storage nodes. Everybody acts as a potential relay and storage node. The
+maximum amount of disk space used for relayed/stored email packets can be
+configured by the user.</p>
+
+<p>Before an email is sent to a relay, it is broken up into packets and
+encrypted with the recipient's public key. These packets are stored redundantly
+in a distributed hash table (DHT).</p>
+
+<p>They are kept for at least 100 days, during which the recipient can download
+them.</p>
+
+<p>Relay packets also expire after 100 days or more.</p>
+
+<p>If a node runs out of email storage space, and there are no old packets that
+can be deleted, the node refuses storage requests.</p>
+
+<p>Furthermore, I2P-Bote sanitizes the mail headers and does not allow any
+unneeded information to be transmitted, thus allowing the use of e-mail clients
+without prior checks of what this client sends in the mail headers.</p>
+
+<p>All the encryption, path choosing and profiling is done locally so that
+there is no trusted party involved.</p>
+
+<p>Not even for bootstrapping I2P-Bote depends on a central node, as it uses
+Seedless.</p>
+
+<p>Using I2P-Bote appropriately, that means keeping in mind the considerations
+given above and showing some common sense, nobody will be able to find out who
+or where you are. And if you are already being observed and your internet
+connection sniffed, the observer will not be able to find out what you send or
+receive or to whom you are sending to or receiving from or where your contacts
+are located.</p>
+
+<p>Let's go a bit more into detail:</p>
+
+<h3>Was I2P-Bote <em>versteckt</em>:</h3>
+
+<p>I2P-Bote hides both, the identity and location of sender and receiver, as
+well as those of intermediary nodes (relays and storing nodes), the content of
+your mails, their size, the number of mails you send.</p>
+
+<p>Only the recipient can know the sender's bote mail destination, and if he
+choses not to send his destination, not even the recipient will know it.</p>
+
+<p>Even if you send time stamps, your time zone will not be disclosed.</p>
+
+<p>Darüberhinaus verbirgt I2P-Bote:</p>
+<ul>
+<li><p>the fact that you run I2P-Bote</p></li>
+<li><p>the fact that you send a mail</p></li>
+<li><p>the fact that you receive a mail</p></li>
+<li><p>the time you send a mail</p></li>
+<li><p>the time you receive a mail</p></li>
+<li>
+<p>the upper limit of number of mails an unknown user receives</p>
+<ul>
+<li><p>an abstract user, no concrete one, just concluding its existence from
+the existence of the mail identity as he could always have more than one e-mail
+identity</p></li>
+</ul>
+</li>
+<li><p>the lower limit, as an identity also sends out test and dummy messages</p></li>
+</ul>
+<h3>What I2P-Bote <em>hides partially</em>:</h3>
+
+<p>The I2P-Bote address of the recipient will only be known to sender and
+recipient(s).</p>
+
+<p>In case of multiple recipients, each one will see all other recipients that
+the mail was addressed to via 'To:' or 'CC:'</p>
+
+<p>All entries that were under 'BCC:' will only be visible to the sender and
+this very recipient.</p>
+
+<p>The sent time will, if at all, only be visible to sender and
+recipient.</p>
+
+<h3>What I2P-Bote <em>can hide optionally</em>:</h3>
+<ul>
+<li><p>If mail routes are used, the time a bote mail is sent</p></li>
+<li><p>If mail routes are used, the time a bote mail is fetched. [not yet
+implemented]</p></li>
+<li><p>If the sender suppresses timestamps only the sender himself will know when
+he sent a mail.</p></li>
+</ul>
+<h3>Was I2P-Bote <em>nicht verstecken kann</em>:</h3>
+<p>I2P-Bote cannot hide the frequency a given identity checks for new mails nor
+the number of mails a given identity receives.</p>
+
+<h2 id="Technical-Details">6. Technische Details</h2>
+<p>Siehe techdoc.txt</p>
+
+<h2 id="Terminology">7. Terminology/Glossary of Terms</h2>
+
+<h3>I2P-Bote (Router-/Knoten-)Kennung:</h3>
+<p>This is the id an I2P-Bote router is known as. It is used for contacting
+this router, for storing, relaying and fetching mails, but also used in the
+hop-to-hop encryption and for simply contacting it via I2P, as it is at the
+same the I2P-Bote router's I2P tunnel destination. It is displayed to represent
+an I2P-Bote node in the stats.</p>
+
+<p>So the router id corresponds to the I2P destination (the address of an
+I2P-Bote node on the I2P network - there is no need to know it unless you are
+having problems connecting to other I2P-Bote nodes).</p>
+
+<h3>I2P-Bote E-Mail-Ziel:</h3>
+<p>The I2P-Bote e-mail destination (key) is an identifier by which somebody can
+be reached via I2P-Bote, so as the name states: an e-mail destination. Thus it
+is for I2P-Bote what an e-mail address is for standard e-mail system: The
+e-mail destination is the actual address for sending e-mails, for storing them
+into and for fetching them from the DHT. At the same time it used for the
+end-to-end encryption of e-mails, header information and attachments.</p>
+
+<p>An I2P-Bote e-mail destination is a Base64 string containing a public
+encryption key and a signature verification key. Example:</p>
+<pre>uQtdwFHqbWHGyxZN8wChjWbCcgWrKuoBRNoziEpE8XDt8koHdJiskYXeUyq7JmpG
+    In8WKXY5LNue~62IXeZ-ppUYDdqi5V~9BZrcbpvgb5tjuu3ZRtHq9Vn6T9hOO1fa
+    FYZbK-FqHRiKm~lewFjSmfbBf1e6Fb~FLwQqUBTMtKYrRdO1d3xVIm2XXK83k1Da
+    -nufGASLaHJfsEkwMMDngg8uqRQmoj0THJb6vRfXzRw4qR5a0nj6dodeBfl2NgL9
+    HfOLInwrD67haJqjFJ8r~vVyOxRDJYFE8~f9b7k3N0YeyUK4RJSoiPXtTBLQ2RFQ
+    gOaKg4CuKHE0KCigBRU-Fhhc4weUzyU-g~rbTc2SWPlfvZ6n0voSvhvkZI9V52X3
+    SptDXk3fAEcwnC7lZzza6RNHurSMDMyOTmppAVz6BD8PB4o4RuWq7MQcnF9znElp
+    HX3Q10QdV3omVZJDNPxo-Wf~CpEd88C9ga4pS~QGIHSWtMPLFazeGeSHCnPzIRYD</pre>
+
+<p>I2P-Bote router/node id and I2P-Bote e-mail destinations look similar, but
+are completely independent of each other.</p>
+
+<h3>E-Mail-Adresse:</h3>
+<p>E-Mail-Adressen in I2P-Bote sind Verknüpfungen für E-Mail-Ziele.</p>
+
+<p>The e-mail address &lt;--&gt; e-mail destination mappings are stored in two
+places: the local address book and the distributed address directory [the
+latter not yet implemented].</p>
+
+<h3>I2P-Bote E-Mail-Identität:</h3>
+<p>The I2P-Bote e-mail identity is a set of an I2P-Bote e-mail destination key,
+the corresponding private keys and a name given to it by the user. This name
+will be sent with the destination key if you do not suppress sending
+information about the sender.</p>
+
+<p>However it will only be displayed for the recipient in case he does not have
+a name for this destination in his local address book.</p>
+
+<p>So technically speaking, an e-mail identity consists of four things:</p>
+<ul>
+<li><p>ein E-Mail-Ziel (z.B. zwei öffentliche Schlüssel)</p></li>
+<li><p>zwei private Schlüssel für das E-Mail-Ziel</p></li>
+<li><p>ein öffentlicher Name, der anderen Leuten in E-Mails gezeigt werden kann</p></li>
+<li><p>a description which is not shown to anybody but you (it helps you remember
+which e-mail identity you use for which purpose).</p></li>
+</ul>
+<p>An e-mail identity is not required for sending emails (although then only
+'Anonymous' can be selected for the 'sender' field).</p>
+
+<h3>Mailrouten:</h3>
+<p>Mail routes are an additional high-latency transport for I2P-Bote. For this,
+a chain of I2P-Bote nodes is built, acting as relays/routers for packets and
+obeying to individual per-hop delays. [still no individual setting for delays
+implemented]</p>
+
+<p><strong>BEWARE!</strong> If you choose this option - especially with many
+hops and / or long delay times, don't be surprised if your mail does not reach
+its destination too soon. It will, of course, take longer - up to several days!</p>
+
+<h2 id="Credits">8. Credits</h2>
+<p>Siehe die Seite <a href="about.jsp">Über</a>.</p>
+
+<h2>GENIESSEN SIE DAS BOTE-GEFÜHL!!</h2>
+</div>

src/main/webapp/identities.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -64,14 +65,15 @@
                 <img src="${themeDir}/images/default.png"/>
             </c:if>
         </td>
+        <%-- Insert a random number into the request string so others can't see contacts or identities using the CSS history hack --%>
+        <c:set var="editIdentityURL" value="editIdentity.jsp?rnd=${jspHelperBean.randomNumber}&amp;createNew=false&amp;key=${identity.key}&amp;cryptoImpl=${identity.cryptoImpl}&amp;publicName=${ib:escapeQuotes(identity.publicName)}&amp;description=${ib:escapeQuotes(identity.description)}&amp;emailAddress=${ib:escapeQuotes(identity.emailAddress)}&amp;defaultIdentity=${identity.defaultIdentity}"/>
         <td>
-            <%-- Insert a random number into the request string so others can't see contacts or identities using the CSS history hack --%>
-            <a href="editIdentity.jsp?rnd=${jspHelperBean.randomNumber}&amp;createNew=false&amp;key=${identity.key}&amp;cryptoImpl=${identity.cryptoImpl}&amp;publicName=${ib:escapeQuotes(identity.publicName)}&amp;description=${ib:escapeQuotes(identity.description)}&amp;emailAddress=${ib:escapeQuotes(identity.emailAddress)}&amp;defaultIdentity=${identity.defaultIdentity}">
+            <a href="${editIdentityURL}" title="Click to see identity details">
                 ${fn:escapeXml(identity.publicName)}
             </a>
         </td>
         <td>${identity.description}</td>
-        <td class="ellipsis">${identity.key}</td>
+        <td class="ellipsis"><a href="${editIdentityURL}" title="Click to see identity details">${identity.key}</a></td>
         <td><c:choose>
         <c:when test="${ib:isCheckingForMail(identity)}">
             <img src="${themeDir}/images/wait.gif" alt="<ib:message key='Checking for mail...'/>" title='<ib:message key='Checking for mail...'/>'/>
@@ -87,14 +89,15 @@
     </table>
     
     <p/>
-    <form class="onebutton" action="editIdentity.jsp?createNew=true" method="POST">
+    <csrf:form class="onebutton" action="editIdentity.jsp" method="POST">
+        <input type="hidden" name="createNew" value="true"/>
         <button type="submit" value="New"><ib:message key="New Identity"/></button>
-    </form>
-    <form class="onebutton" action="importIdentities.jsp" method="POST">
+    </csrf:form>
+    <csrf:form class="onebutton" action="importIdentities.jsp" method="POST">
         <button type="submit"><ib:message key="Import Identities"/></button>
-    </form>
-    <form class="onebutton" action="exportIdentities.jsp" method="POST">
+    </csrf:form>
+    <csrf:form class="onebutton" action="exportIdentities.jsp" method="POST">
         <button type="submit"><ib:message key="Export Identities"/></button>
-    </form>
+    </csrf:form>
 
 <jsp:include page="footer.jsp"/>

src/main/webapp/importContact.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -30,6 +31,11 @@
 
 <ib:message key="Address Directory Lookup" var="title" scope="request"/>
 
+<c:if test="${pageContext.request.method ne 'POST'}">
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+    <jsp:forward page="addressBook.jsp"/>
+</c:if>
+
     <c:if test="${param.confirm eq true}">
         <ib:requirePassword>
             <c:set var="errorMessage" value="${ib:saveContact(param.destination, param.name, param.picture, param.text)}"/>
@@ -87,7 +93,7 @@
                 ${result.destination}
             </div>
             
-            <form action="importContact.jsp" method="post">
+            <csrf:form action="importContact.jsp" method="post">
                 <input type="hidden" name="confirm" value="true"/>
                 <input type="hidden" name="name" value="${param.name}"/>
                 <input type="hidden" name="destination" value="${result.destination}"/>
@@ -95,8 +101,8 @@
                 <input type="hidden" name="text" value="${fn:escapeXml(result.text)}"/>
                 <ib:message key="Import" var="import" scope="request"/>
                 <input type="submit" value="${import}"/>
-            </form>
+            </csrf:form>
         </c:if>
     </c:if>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/importIdentities.jsp

@@ -20,6 +20,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <%--
@@ -34,6 +35,12 @@
         replace           - True if duplicate identities should overwrite the existing ones
 --%>
 
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
 <%--
     The identitiesFile request attribute contains a UploadedFile object, see MultipartFilter.java.
     When action='attach', originalIdentitiesFilename contains the name of the file selected by the user.
@@ -41,7 +48,7 @@
 <c:set var="originalIdentitiesFilename" value="${requestScope['identitiesFile'].originalFilename}"/>
 
 <ib:message key="Import Identities" var="title" scope="request"/>
-<c:if test="${param.action eq 'import' and empty originalIdentitiesFilename}">
+<c:if test="${action eq 'import' and empty originalIdentitiesFilename}">
     <ib:message key="Please select an identities file and try again." var="noIdentitiesMsg"/>
     <c:set var="errorMessage" value="${noIdentitiesMsg}" scope="request"/>
 </c:if>
@@ -49,14 +56,17 @@
 
 <ib:requirePassword>
     <c:choose>
-        <c:when test="${param.action eq 'import' and not empty originalIdentitiesFilename}">
+        <c:when test="${action eq 'import' and not empty originalIdentitiesFilename}">
             <c:set var="identitiesFilename" value="${requestScope['identitiesFile'].tempFilename}"/>
             <ib:importIdentities identitiesFilename="${identitiesFilename}" password="${param.nofilter_password}" overwrite="${param.overwrite}" replace="${param.replace}"/>
             <ib:message var="infoMessage" scope="request" key="The identities have been imported."/>
             <jsp:forward page="identities.jsp"/>
         </c:when>
         <c:otherwise>
-            <form action="importIdentities.jsp?action=import" method="POST" enctype="multipart/form-data" accept-charset="UTF-8">
+            <c:set var="csrf_tokenname"><csrf:tokenname/></c:set>
+            <c:set var="csrf_tokenvalue"><csrf:tokenvalue uri="importIdentities.jsp"/></c:set>
+            <form action="importIdentities.jsp?${csrf_tokenname}=${csrf_tokenvalue}" method="POST" enctype="multipart/form-data" accept-charset="UTF-8">
+                <input type="hidden" name="action" value="import"/>
                 <div class="import-form-label">
                     <ib:message key="Identities file:"/>
                 </div>
@@ -88,4 +98,4 @@
     </c:choose>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/newEmail.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -41,11 +42,17 @@
         new    - true for new contact, false for existing contact
 --%>
 
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
 <c:choose>
-    <c:when test="${param.action eq 'send'}">
+    <c:when test="${action eq 'send'}">
         <jsp:forward page="sendEmail.jsp"/>
     </c:when>
-    <c:when test="${param.action eq 'addToAddrBook'}">
+    <c:when test="${action eq 'addToAddrBook'}">
         <c:set var="destparam" value="${param.destparamname}"/>
         <jsp:forward page="editContact.jsp">
             <jsp:param name="new" value="true"/>
@@ -55,7 +62,7 @@
             <jsp:param name="paramsToCopy" value="nofilter_sender,nofilter_recipient*,to*,cc*,bcc*,replyto*,subject,message,attachmentNameOrig*,attachmentNameTemp*,forwardUrl,backUrl,paramsToCopy"/>
         </jsp:forward>
     </c:when>
-    <c:when test="${param.action eq 'lookup'}">
+    <c:when test="${action eq 'lookup'}">
         <jsp:forward page="addressBook.jsp">
             <jsp:param name="select" value="true"/>
             <jsp:param name="forwardUrl" value="newEmail.jsp"/>
@@ -71,14 +78,16 @@
 <c:set var="originalAttachmentFilename" value="${requestScope['newAttachment'].originalFilename}"/>
 
 <ib:message key="New Email" var="title" scope="request"/>
-<c:if test="${param.action eq 'attach' and empty originalAttachmentFilename}">
+<c:if test="${action eq 'attach' and empty originalAttachmentFilename}">
     <ib:message key="Please select a file to attach and try again." var="noAttachmentMsg"/>
     <c:set var="errorMessage" value="${noAttachmentMsg}" scope="request"/>
 </c:if>
 <jsp:include page="header.jsp"/>
 
 <ib:requirePassword>
-    <form id="emailform" action="newEmail.jsp" method="post" enctype="multipart/form-data" accept-charset="UTF-8">
+    <c:set var="csrf_tokenname"><csrf:tokenname/></c:set>
+    <c:set var="csrf_tokenvalue"><csrf:tokenvalue uri="newEmail.jsp"/></c:set>
+    <form id="emailform" action="newEmail.jsp?${csrf_tokenname}=${csrf_tokenvalue}" method="post" enctype="multipart/form-data" accept-charset="UTF-8">
         <div class="email-form-button-send">
             <button type="submit" name="action" value="send">&#x2794; <ib:message key="Send"/></button>
         </div>
@@ -164,7 +173,7 @@
                 <c:if test="${fn:startsWith(parameter.key, 'attachmentNameOrig')}">
                     <c:set var="attachmentIndex" value="${fn:substringAfter(parameter.key, 'attachmentNameOrig')}"/>
                     <c:set var="removeAction" value="removeAttachment${attachmentIndex}"/>
-                    <c:set var="removed" value="${param.action eq removeAction}"/>
+                    <c:set var="removed" value="${action eq removeAction}"/>
                     <c:if test="${!removed}">
                         <c:if test="${attachmentIndex gt maxAttachmentIndex}">
                             <c:set var="maxAttachmentIndex" value="${attachmentIndex}"/>
@@ -189,7 +198,7 @@
                 </c:if>
             </c:forEach>
             
-            <c:if test="${param.action eq 'attach' and not empty originalAttachmentFilename}">
+            <c:if test="${action eq 'attach' and not empty originalAttachmentFilename}">
                 <c:set var="tempAttachmentFilename" value="${requestScope['newAttachment'].tempFilename}"/>
                 <c:set var="maxAttachmentIndex" value="${maxAttachmentIndex + 1}"/>
                 <div class="email-form-attach-files">

src/main/webapp/noIdentities.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <ib:message key="No Identity" var="title" scope="request"/>
@@ -32,8 +33,9 @@
     <h1><ib:message key="No Email Identity Defined"/></h1>
     <p>
     <jsp:include page="identitiesHelp.jsp"/>
-    <form action="editIdentity.jsp?new=true" method="POST">
+    <csrf:form action="editIdentity.jsp" method="POST">
+        <input type="hidden" name="createNew" value="true"/>
         <button type="submit" value="New"><ib:message key="Create a New Email Identity"/></button>
-    </form>
+    </csrf:form>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/outbox.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -46,9 +47,9 @@
 <jsp:include page="header.jsp"/>
 
 <div class="compose float">
-    <form action="newEmail.jsp" method="GET">
+    <csrf:form action="newEmail.jsp" method="POST">
         <button type="submit" value="New"><img src="${themeDir}/images/compose.png"/></button>
-    </form>
+    </csrf:form>
 </div>
 
 <c:set var="sortcolumn" value="${CREATE_TIME}"/>
@@ -168,4 +169,4 @@
     </table>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/password.jsp

@@ -22,12 +22,19 @@
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
+<c:set var="action" value="${param.passwordJspAction}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
 <ib:message key="Password Required" var="title" scope="request"/>
 <jsp:include page="header.jsp"/>
 
-<c:if test="${param.passwordJspAction eq 'check'}">
+<c:if test="${action eq 'check'}">
     <c:choose>
         <c:when test="${ib:tryPassword(param.nofilter_password)}">
             <jsp:forward page="${param.passwordJspForwardUrl}"/>
@@ -40,14 +47,15 @@
 
     <h1><ib:message key="Password required"/></h1>
     
-    <form name="form" action="password.jsp?passwordJspAction=check" method="POST">
+    <csrf:form name="form" action="password.jsp" method="POST">
+        <input type="hidden" name="passwordJspAction" value="check"/>
         <ib:copyParams paramsToCopy="*" paramsToExclude="nofilter_password"/>
         <ib:message key="Password:"/> <input type="password" name="nofilter_password"/>
         <button type="submit"><ib:message key="OK"/></button>
-    </form>
+    </csrf:form>
 
     <script type="text/javascript" language="JavaScript">
         document.forms['form'].elements['nofilter_password'].focus();
     </script>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/publishDestination.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <%--
@@ -38,10 +39,16 @@
         text        - Text to include in the DHT record
 --%>
 
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
 <ib:message key="Add Email Destination to Directory" var="title" scope="request"/>
 <jsp:include page="header.jsp"/>
 
-    <c:if test="${param.action eq 'start'}">
+    <c:if test="${action eq 'start'}">
         <%-- If the user changed the Public Name to try a new name that isn't taken, update it so they don't have to click save first --%>
         <ib:requirePassword>
             ${ib:modifyIdentity(param.key, param.publicName, param.description, null, param.emailAddress, null, false)}
@@ -59,9 +66,12 @@
             </jsp:forward>
         </c:if>
     </c:if>
-    <c:if test="${param.action eq 'step2'}">
+    <c:if test="${action eq 'step2'}">
         <h1><ib:message key="Publish to the Address Directory"/></h1>
-        <form action="publishDestination.jsp?action=store" method="post" enctype="multipart/form-data" accept-charset="UTF-8">
+        <c:set var="csrf_tokenname"><csrf:tokenname/></c:set>
+        <c:set var="csrf_tokenvalue"><csrf:tokenvalue uri="publishDestination.jsp"/></c:set>
+        <form action="publishDestination.jsp?${csrf_tokenname}=${csrf_tokenvalue}" method="post" enctype="multipart/form-data" accept-charset="UTF-8">
+            <input type="hidden" name="action" value="store"/>
             <input type="hidden" name="name" value="${param.publicName}"/>
             <input type="hidden" name="destination" value="${param.key}"/>
             <div class="publish-form-label">
@@ -81,7 +91,7 @@
             <button type="submit"><ib:message key="Publish"/></button>
         </form>
     </c:if>
-    <c:if test="${param.action eq 'store'}">
+    <c:if test="${action eq 'store'}">
         <c:set var="picFilename" value="${requestScope['picture'].tempFilename}"/>
         <ib:publishDestination destination="${param.destination}" pictureFilename="${picFilename}" text="${param.text}"/>
         <ib:message var="infoMessage" scope="request" key="The identity has been added to the address directory."/>
@@ -89,4 +99,4 @@
         <jsp:forward page="editIdentity.jsp?rnd=${jspHelperBean.randomNumber}&new=false&key=${param.destination}"/>
     </c:if>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/sendEmail.jsp

@@ -23,9 +23,15 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
  
+<c:if test="${pageContext.request.method ne 'POST'}">
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+    <jsp:forward page="newEmail.jsp"/>
+</c:if>
+
 <ib:message key="New Email" var="title" scope="request"/>
 <jsp:include page="header.jsp"/>
 
@@ -56,16 +62,16 @@
     <ib:setEmailReplied messageId="${param.quoteMsgId}" folder="${ib:getMailFolder(param.quoteMsgFolder)}" replied="true"/>
     
     <br/><p/>
-    <form action="deleteEmail.jsp" method="post">
+    <csrf:form action="deleteEmail.jsp" method="POST">
         Delete original email?
         <input type="hidden" name="folder" value="${param.quoteMsgFolder}"/>
         <input type="hidden" name="messageID" value="${param.quoteMsgId}"/>
         <button type="submit" name="action" value="Delete">Delete</button>
-    </form>
+    </csrf:form>
 </c:if>
 </ib:requirePassword>
 
 <p/>
 <a href="."><ib:message key="Go to inbox"/></a>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/setPassword.jsp

@@ -22,10 +22,17 @@
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
 <ib:message key="Set Password" var="title" scope="request"/>
-<c:if test="${param.action eq 'wait'}">
+<c:if test="${action eq 'wait'}">
     <c:catch var="exception">
         <ib:waitForPasswordChange/>
     </c:catch>
@@ -37,7 +44,7 @@
         <c:set var="errorMessage" value="${exception.cause.localizedMessage}" scope="request"/>
     </c:if>
 </c:if>
-<c:if test="${param.action eq 'set'}">
+<c:if test="${action eq 'set'}">
     <c:set var="refreshUrl" value="setPassword.jsp?action=wait" scope="request"/>
     <c:set var="refreshInterval" value="0" scope="request"/>
     <ib:setPassword oldPassword="${param.nofilter_oldPassword}" newPassword="${param.nofilter_newPassword}" confirmNewPassword="${param.nofilter_confirm}"/>
@@ -45,13 +52,13 @@
 
 <jsp:include page="header.jsp"/>
 
-    <c:if test="${param.action eq 'set'}">
+    <c:if test="${action eq 'set'}">
         <h2><ib:message key="Please wait"/></h2>
         <p>
         <img src="${themeDir}/images/wait.gif"/> <ib:message key="Please wait while the password is being changed..."/>
         </p>
     </c:if>
-    <c:if test="${param.action ne 'set'}">
+    <c:if test="${action ne 'set'}">
         <h1><ib:message key="Set a new Password"/></h1>
         
         <p>
@@ -63,7 +70,7 @@
         </ib:message>
         </p><br/>
         
-        <form name="form" action="setPassword.jsp" method="POST">
+        <csrf:form name="form" action="setPassword.jsp" method="POST">
             <input type="hidden" name="action" value="set"/>
             
             <div class="password-label"><ib:message key="Old password:"/></div>
@@ -77,11 +84,11 @@
             
             <p/>
             <button type="submit"><ib:message key="OK"/></button>
-        </form>
+        </csrf:form>
     
         <script type="text/javascript" language="JavaScript">
             document.forms['form'].elements['nofilter_oldPassword'].focus();
         </script>
     </c:if>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/settings.jsp

@@ -22,11 +22,19 @@
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <jsp:useBean id="jspHelperBean" class="i2p.bote.web.JSPHelper"/>
 <c:set var="configuration" value="${jspHelperBean.configuration}"/>
-<c:if test="${param.action eq 'save'}">
+
+<c:set var="action" value="${param.action}" scope="request"/>
+<c:if test="${not empty action and pageContext.request.method ne 'POST'}">
+    <c:set var="action" value="" scope="request"/>
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+</c:if>
+
+<c:if test="${action eq 'save'}">
     <jsp:setProperty name="configuration" property="autoMailCheckEnabled" value="${param.autoMailCheckEnabled eq 'on' ? 'true' : 'false'}"/>
     <jsp:setProperty name="configuration" property="mailCheckInterval" value="${param.mailCheckInterval}"/>
     <jsp:setProperty name="configuration" property="deliveryCheckEnabled" value="${param.deliveryCheckEnabled eq 'on' ? 'true' : 'false'}"/>
@@ -62,7 +70,7 @@
 
     <h1><ib:message key="Settings"/></h1>
 
-    <form action="settings.jsp" method="post">
+    <csrf:form action="settings.jsp" method="POST">
         <input type="hidden" name="action" value="save"/>
 
         <h3><ib:message key="General"/></h3>
@@ -163,7 +171,7 @@
 
         <p/>
         <button type="submit"><ib:message key="Save"/></button>
-    </form> 
+    </csrf:form> 
 
     <p><br/></p>
     <p><a href="setPassword.jsp"><ib:message key="Change Password"/></a></p>

src/main/webapp/showEmail.jsp

@@ -23,6 +23,7 @@
     pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
@@ -117,7 +118,7 @@
     
     <br/>
     <div class="show-email-reply">
-    <form action="newEmail.jsp" method="post">
+    <csrf:form action="newEmail.jsp" method="POST">
         <c:set var="replyDisabled" value="${email.anonymous ? 'disabled=&quot;disabled&quot;' : ''}"/>
         <button type="submit"${replyDisabled}><ib:message key="Reply"/></button>
         <input type="hidden" name="nofilter_sender" value="${ib:escapeQuotes(ib:getOneLocalRecipient(email))}"/>
@@ -134,18 +135,18 @@
         
         <input type="hidden" name="quoteMsgFolder" value="${param.folder}"/>
         <input type="hidden" name="quoteMsgId" value="${param.messageID}"/>
-    </form>
+    </csrf:form>
     </div>
     <div class="show-email-delete">
-    <form action="deleteEmail.jsp" method="post">
+    <csrf:form action="deleteEmail.jsp" method="POST">
         <button type="submit"><ib:message key="Delete"/></button>
         <input type="hidden" name="folder" value="${param.folder}"/>
         <input type="hidden" name="messageID" value="${email.messageID}"/>
-    </form>
+    </csrf:form>
     </div>
 </article>
 
 </c:otherwise></c:choose>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/showFullIdentity.jsp

@@ -22,6 +22,7 @@
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <ib:message key="Full Identity" var="title" scope="request"/>
@@ -43,10 +44,10 @@
     <p/>
     <div class="warning"><b><ib:message key="Do not show the above information to anyone! It contains your private keys."/></b></div>
     <p/>
-    <form action="editIdentity.jsp">
+    <csrf:form action="editIdentity.jsp" method="POST">
         <input type="hidden" name="key" value="${key}"/>
         <button type="submit"><ib:message key="Return"/></button>
-    </form>
+    </csrf:form>
 </ib:requirePassword>
 
-<jsp:include page="footer.jsp"/>
+<jsp:include page="footer.jsp"/>

src/main/webapp/statusFrame.jsp

@@ -24,6 +24,7 @@
 <!DOCTYPE html>
 
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="csrf" uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" %>
 <%@ taglib prefix="ib" uri="I2pBoteTags" %>
 
 <jsp:useBean id="jspHelperBean" class="i2p.bote.web.JSPHelper"/>
@@ -33,7 +34,7 @@
 <html>
 <head>
     <meta charset="utf-8">
-    <link rel="stylesheet" href="themes/${jspHelperBean.configuration.theme}/i2pbote.css" />
+    <link rel="stylesheet" href="themes/${jspHelperBean.configuration.theme}/i2pbote.css?v=${jspHelperBean.appVersion}" />
     <c:if test="${connStatus ne CONNECTED and connStatus ne ERROR}">
         <meta http-equiv="refresh" content="20" />
     </c:if>
@@ -78,7 +79,7 @@
         <%-- Show the connect button --%>
         <div class="status-frame-connect">
             <%-- When the connect button is clicked, refresh the entire page so the buttons in buttonFrame.jsp are enabled --%>
-            <form action="connect.jsp" target="_top" method="GET">
+            <csrf:form action="connect.jsp" target="_top" method="POST">
                 <button type="submit">
                     <c:if test="${connStatus eq ERROR}">
                         <ib:message key="Retry Connecting"/>
@@ -87,11 +88,11 @@
                         <ib:message key="Connect Now"/>
                     </c:if>
                 </button>
-            </form>
+            </csrf:form>
         </div>
     </c:if>
 </a>
 </div>
 
 </body>
-</html>
+</html>

src/main/webapp/submitIdentity.jsp

@@ -31,6 +31,16 @@
     at generating keys, a "wait" page is displayed.
 --%>
 
+<c:if test="${pageContext.request.method ne 'POST'}">
+    <ib:message key="Form must be submitted using POST." var="errorMessage" scope="request"/>
+    <c:if test="${empty param.key}">
+        <jsp:forward page="editIdentity.jsp?createNew=true"/>
+    </c:if>
+    <c:if test="${not empty param.key}">
+        <jsp:forward page="editIdentity.jsp"/>
+    </c:if>
+</c:if>
+
 <c:if test="${param.action == 'cancel'}">
     <jsp:forward page="identities.jsp"/>
 </c:if>
@@ -138,4 +148,4 @@
     <c:when test="${empty param.counter or param.counter le keygenCounter}">
         <jsp:forward page="identities.jsp"/>
     </c:when>
-</c:choose>
+</c:choose>

src/main/webapp/themes/material/i2pbote.css

@@ -403,6 +403,12 @@ See also .menu-icon
     margin-left: 48px;
     text-transform: uppercase;
 }
+.errorMessage::before {
+    content: url("images/connect_error.png");
+    display: block;
+    float: left;
+    margin-right: 0.5em;
+}
 .stackTrace {
     white-space: pre;
 }