add 303 meeting logs and draft of encrypted leaseset blog post

i2p2www/blog/2021/09/07/Level-Up-Encrypted-Leasesets.draft.rst

@@ -0,0 +1,193 @@
+=============================================================
+{% trans -%}Level up your I2P Skills with Encrypted LeaseSets{%- endtrans %}
+=============================================================
+
+.. meta::
+   :author: idk
+   :date: 2021-09-07
+   :category: general
+   :excerpt: {% trans %}It has been said that I2P emphasizes Hidden Services, we examine one interpretation of this{% endtrans %}
+
+{% trans -%}
+Level up your I2P Skills with Encrypted LeaseSets
+{%- endtrans %}
+=================================================
+
+{% trans -%}
+It has been said in the past that I2P emphasizes support for Hidden Services,
+which is true in many ways. However, what this means to users, developers, and
+hidden service administrators isn't always the same. Encrypted LeaseSets and
+their use-cases provide a unique, practical window into how I2P makes hidden
+services more versatile, easier to administer, and how I2P extends on the
+Hidden Service concept to provide security benefits for potentially interesting
+use-cases.
+{%- endtrans %}
+
+{% trans -%}
+What is a LeaseSet?
+-------------------
+{%- endtrans %}
+
+{% trans -%}
+When you create a hidden service, you publish something called a "LeaseSet" to
+the I2P NetDB. The "LeaseSet" is, in the simplest terms, what other I2P users
+need to discover "where" your hidden service is on the I2P Network. It contains
+"Leases" which identify tunnels that can be used to reach your hidden service,
+and the public key of your destination, which clients will encrypt messages to.
+This type of hidden service is reachable by anyone who has the address, which
+is probably the most common use case for now.
+{%- endtrans %}
+
+{% trans -%}
+Sometimes, you might not want to allow your hidden services to be accessible by
+anyone, though. Some people use hidden services as a way of accessing an SSH
+server on a home PC, or to stitch together a network of IOT Devices. In these
+cases it's not necessary, and may be counter-productive, to make your hidden
+service accessible to everyone one the I2P Network. This is where "Encrypted
+LeaseSets" come into play.
+{%- endtrans %}
+
+{% trans -%}
+Encrypted LeaseSets: VERY Hidden Services
+------------------------------------------
+{%- endtrans %}
+
+{% trans -%}
+Encrypted LeaseSets are LeaseSets which are published to the NetDB in an
+encrypted form, where none of the Leases or public keys are visible unless
+the client has the keys required to decrypt the LeaseSet inside of it. Only
+clients you share keys with(For PSK Encrypted LeaseSets), or who share their
+keys with you(For DH Encrypted LeaseSets), will be able to see the destination
+and no one else.
+{%- endtrans %}
+
+{% trans -%}
+I2P Supports several strategies for Encrypted LeaseSets. The key characteristics
+of each strategy are important to understand when deciding which one to use. If
+an Encrypted LeaseSet uses a "Pre-Shared Key(PSK)" strategy, then the server
+will generate a key(or keys) which the server operator then shares with each
+client. Of course, this exchange must happen out-of-band, possibly via an
+exchange on IRC for example. This version of Encrypted LeaseSets is sort of
+like logging into Wi-Fi with a password. Except, what you're logging into is
+a Hidden Service.
+{%- endtrans %}
+
+{% trans -%}
+If an Encrypted LeaseSet uses a "Diffie-Hellman(DH)
+strategy, then they keys are generated on the client instead. When a
+Diffie-Hellman client connects to a destination with an Encrypted LeaseSet, they
+must first share their keys with the server operator. The server operator then
+decides whether to authorize the DH client. This version of Encrypted LeaseSets
+is sort of like SSH with an `authorized_keys` file. Except, what you're logging
+into is a Hidden Service.
+{%- endtrans %}
+
+{% trans -%}
+By Encrypting your LeaseSet, you not only make it impossible for unauthorized
+users to connect to your destination, you make it impossible for unauthorized
+visitors to even discover the real destination of the I2P Hidden Service. Some
+readers have probably already considered a use-case for their own Encrypted
+LeaseSet.
+{%- endtrans %}
+
+{% trans -%}
+Using Encrypted LeaseSets to Safely Access a Router Console
+-----------------------------------------------------------
+{%- endtrans %}
+
+{% trans -%}
+As a general rule, the more complex information a service has access to about
+your device, the more dangerous it is to expose that service to the Internet or
+indeed, to a Hidden Service network like I2P. If you want to expose such a
+service, you need to protect it with something like a password, or, in the case
+of I2P, a much more thorough and secure option could be an Encrypted LeaseSet.
+{%- endtrans %}
+
+{% trans -%}
+Before continuing, please read and understand that if you do the following
+procedure without an Encrypted LeaseSet, you will be defeating the security of
+your I2P router. Do not configure access to your router console over I2P without
+an Encrypted LeaseSet. Additionally, do not share your Encrypted LeaseSet PSK's
+with any devices you do not control. You have been warned.
+{%- endtrans %}
+
+{% trans -%}
+One such service which is useful to share over I2P, but ONLY with an Encrypted
+LeaseSet, is the I2P router console itself. Exposing the I2P router console on
+one machine to I2P with an Encrypted LeaseSet allows another machine with a
+browser to administer the remote I2P instance. I find this useful for remotely
+monitoring my regular I2P Services. It could also be used to monitor a server
+which is used to seed a torrent long-term as a way to access I2PSnark.
+{%- endtrans %}
+
+{% trans -%}
+For as long as it takes to explain them, setting up an Encrypted LeaseSet is
+straightforward to configure via the Hidden Services Manager UI. 
+{%- endtrans %}
+
+{% trans -%}
+On the "Server"
+---------------
+{%- endtrans %}
+
+.. compound::
+  .. image:: /_static/images/encryptls/newhs.png
+     :width: 100%
+
+{% trans -%}
+Start by opening the Hidden Services Manager at http://127.0.0.1:7657/i2ptunnelmgr
+and scroll to the bottom of the section that says "I2P Hidden Services." Create
+a new hidden service with the host "127.0.0.1" and the port "7657" with these
+"Tunnel Cryptography Options" and save the hidden service. 
+{%- endtrans %}
+
+.. compound::
+  .. image:: /_static/images/encryptls/demosettings.png
+     :width: 100%
+
+{% trans -%}
+Then, select your new tunnel from the Hidden Services Manager main page. The
+Tunnel Cryptography Options should now include your first Pre-Shared Key. Copy
+this down for the next step, along with the Encrypted Base32 Address of your
+tunnel.
+{%- endtrans %}
+
+.. compound::
+  .. image:: /_static/images/encryptls/demoresult.png
+     :width: 100%
+
+{% trans -%}
+On the "Client"
+---------------
+{%- endtrans %}
+
+{% trans -%}
+Now switch computers to the client which will connect to the hidden service,
+and visit the Keyring Configuration at http://127.0.0.1:7657/configkeyring to
+add the keys from earlier. Start by pasting the Base32 from the Server into
+the field labeled: "Full destination, name, Base32, or hash." Next, paste the
+Pre-Shared Key from the server into the "Encryption Key" field. Click save,
+and you're ready to securely visit the Hidden Service using an Encrypted
+LeaseSet.
+{%- endtrans %}
+
+.. compound::
+  .. image:: /_static/images/encryptls/client.png
+     :width: 100%
+
+{% trans -%}
+Now You're Ready to Remotely Administer I2P
+-------------------------------------------
+{%- endtrans %}
+
+{% trans -%}
+As you can see, I2P offers unique capabilities to Hidden Service Administrators
+which empower them to securely manage their I2P connections from anywhere in the
+world. Other Encrypted LeaseSets I keep on the same device for the same reason
+point to the SSH server, the Portainer instance I user to manage my service
+containers, and my personal NextCloud instance. With I2P, truly private, always
+reachable Self-Hosting is an achievable goal, in fact I think it's one of the
+things we're uniquely suited to, because of Encrypted LeaseSets. With them, I2P
+could become the key to securing self-hosted home automation or simply become
+the backbone of a new more private peer-to-peer web.
+{%- endtrans %}

i2p2www/meetings/logs/303.log

@@ -0,0 +1,115 @@
+(04:02:11 PM) eyedeekay: Hi everyone, sorry for the short notice, welcome to the September 7th meeting
+(04:02:11 PM) eyedeekay: 1) Hi
+(04:02:11 PM) eyedeekay: 2) Remaining 0.9.50/1.5.0 items
+(04:02:11 PM) eyedeekay: 3) Debian Repository Changes
+(04:02:11 PM) eyedeekay: 4) Jpackage Distributions
+(04:02:11 PM) eyedeekay: 5) 1.6.0 plans
+(04:03:12 PM) zlatinb: hi
+(04:03:21 PM) eyedeekay: Hi zlatinb
+(04:04:21 PM) eyedeekay: OK we can just get started, if anybody else joins us mid meeting please chime in and let us know you're here
+(04:04:49 PM) zzz: hi
+(04:04:54 PM) eyedeekay: Hi zzz
+(04:05:03 PM) eyedeekay: I'll take 2) remaining 0.9.50 items and 1.5.0 items
+(04:05:41 PM) serempa: hi
+(04:05:55 PM) eyedeekay: Hi serempa, welcome to the community meeting
+(04:06:19 PM) serempa: oh lucky me :)
+(04:06:20 PM) eyedeekay: It's the usual story, our Debian upstream package maintained by mhatta is not up to date, at this point we recommend that you use the project debian repository, newly under my administration at http(s)://deb.i2p2.de
+(04:06:54 PM) eyedeekay: First Tuesday of every month, 8PM UTC, tell your friends :)
+(04:07:19 PM) serempa: hmm actually I'm using i2pd 
+(04:07:28 PM) zzz: looks like our f-droid and official f-droid still todo eyedeekay ?
+(04:07:41 PM) eyedeekay: Yes I was just coming to that
+(04:09:26 PM) eyedeekay: I am still getting the F-Droid repository updated, I have no control over when official F-Droid gets updated so the recommendation will be similar, our F-Droid will be updated before the official F-Droid repository is
+(04:10:23 PM) eyedeekay: So for up-to-date packages our self-hosted F-Droid is likely required
+(04:10:48 PM) zzz: I don't see anything else that's missing
+(04:11:42 PM) eyedeekay: Those are the only two release products remaining
+(04:12:35 PM) serempa: sorry to ask but any arm packages maintained by someone?
+(04:13:16 PM) zzz: we work on any platform that has java
+(04:13:20 PM) serempa: in rpi repos its 0.9.38-3.1
+(04:13:47 PM) eyedeekay: That's raspbian without adding deb.i2p2.de to the sources.list?
+(04:14:01 PM) eyedeekay: Just to be clear serempa?
+(04:14:05 PM) zzz: you can follow the instructions on geti2p.net/debian to use our repo serempa
+(04:14:21 PM) serempa: ooh gotcha sorry
+(04:14:23 PM) eyedeekay: Yes it should have up-to-date pi packages
+(04:14:37 PM) eyedeekay: Which brings us to 3) Debian repository changes
+(04:14:37 PM) eyedeekay: We had a DNS issue with the old http://deb.i2p2.no repository
+(04:15:43 PM) eyedeekay: The server we used to use for it is no longer being used for anything, it's been retired. From now on, deb.i2p2.de and deb.i2p2.no are available using both HTTP and HTTPS
+(04:16:40 PM) eyedeekay: Please let us know if you run into any issues using the new setup, which should have fewer issues overall
+(04:17:22 PM) eyedeekay: Anything to add on 3)?
+(04:18:07 PM) eyedeekay: 4) Jpackage Distributions
+(04:19:29 PM) eyedeekay: Zab had a successful jpackage release so far, at least, some people are using it
+(04:20:29 PM) eyedeekay: We've got a better idea of how to adapt the news server now so that the jpackages can retrieve news and updates for their distributions
+(04:20:45 PM) eyedeekay: I'm delaying my release until I am able to release a new version of I2P In Private Browsing which includes a few bugfixes and which will set the home page a and search engine
+(04:21:31 PM) eyedeekay: That should be about another week
+(04:21:49 PM) eyedeekay: Anything else on 4) zlatinb? zzz?
+(04:22:06 PM) zlatinb: oops wait
+(04:22:06 PM) zlatinb: lag lag
+(04:22:37 PM) eyedeekay: Not a problem, go ahead zlatinb
+(04:22:39 PM) zlatinb: yes, the mac dmg is getting ~25 downloads/day on average
+(04:22:44 PM) eyedeekay: Nice!
+(04:23:10 PM) zlatinb: the /en/download/mac page gets good traffic too.  A lot of people visit it after trying to download the .jar
+(04:23:50 PM) zzz: back sorry, computer issues
+(04:24:12 PM) eyedeekay: (04:22:39 PM) zlatinb: yes, the mac dmg is getting ~25 downloads/day on average
+(04:24:12 PM) eyedeekay: (04:22:44 PM) eyedeekay: Nice!
+(04:24:12 PM) eyedeekay: (04:23:10 PM) zlatinb: the /en/download/mac page gets good traffic too.  A lot of people visit it after trying to download the .jar
+(04:24:24 PM) eyedeekay: In case you need it^
+(04:25:09 PM) zzz: have you three resolved the news server URL issues yet?
+(04:25:39 PM) zlatinb: which doesn't work at all on recent Mac OS versions because notarization
+(04:25:39 PM) zlatinb: eot
+(04:25:39 PM) zlatinb_ is now known as zlatinb
+(04:25:47 PM) zlatinb: bad lag, sorry
+(04:27:00 PM) eyedeekay: Not yet, zlatinb when would be a good time for us to meet and talk about the remaining news URL issues? I have one or two questions for you about requirements for that, if we could meet this week that would be enough
+(04:27:42 PM) zlatinb: yes, I'm happy to do the python changes once we agree on how to handle things
+(04:27:56 PM) zlatinb: the big question is do we want separate news feeds for the different products or just different metadata
+(04:28:05 PM) zlatinb: we need to decide on that
+(04:29:45 PM) eyedeekay: Then I'd like to do a quick voice meeting for that sometime this week, we can schedule later, I'm not sure which pros and cons I care about yet
+(04:30:01 PM) zlatinb: sure
+(04:30:08 PM) eyedeekay: Sounds good
+(04:30:21 PM) eyedeekay: Anything else for 4)?
+(04:30:30 PM) zzz: you'll need a different feed the first time you do an in-between update, e.g. for java
+(04:31:17 PM) zzz: be sure to include echelon as he may have his own issues
+(04:32:19 PM) eyedeekay: In-between like from non-jpackage to jpackage? On my side that's "disabled" the NSIS installer won't over-write an IzPack installer if it finds one
+(04:33:01 PM) zzz: couldn't think of the right word. I mean an intermediate release, between the upstream releases, e.g. 1.5.1
+(04:33:10 PM) eyedeekay: Oh I see
+(04:33:20 PM) eyedeekay: That makes sense, thanks for pointing that out
+(04:33:50 PM) eyedeekay: I'll send out a group email so we're all looped in
+(04:34:12 PM) eyedeekay: And we'll definitely need those because of OpenJDK releases
+(04:34:34 PM) eyedeekay: So we definitely care
+(04:35:13 PM) eyedeekay: OK anything else for 4)?
+(04:36:21 PM) eyedeekay: That brings us to 5) 1.6.0 plans
+(04:37:45 PM) eyedeekay: We should probably just take a moment to write out our plans down, timeout 3min
+(04:38:23 PM) zzz: I've updated the roadmap on the website for 1.5.0 and 1.6.0 - eyedeekay please review and fixup your items
+(04:38:45 PM) zlatinb: I'm going to see if there is a quick fix for the SSU slowness that I've observed in the testnet.  If it's something simple like a delayed ack taking too long I think we can put it in 1.6.0
+(04:39:04 PM) zlatinb: if it turns out to be more complicated then it's not really worth it as we're working on replacement
+(04:39:40 PM) zzz: I don't have a lot on my list for 1.6.0... at this point my main priority is SSU2, which is very early days, I don't expect it to be completed before mid next year
+(04:39:52 PM) eyedeekay: Ack, zzz, I will do this evening
+(04:39:52 PM) eyedeekay: I brought copypasta, this is the list taped to my bookshelf:
+(04:39:52 PM) eyedeekay: Code/Packaging:
+(04:39:52 PM) eyedeekay: 1) Eliminate the class of "Unmanaged" plugins, make Fork-and-Exec plugins manageable.
+(04:39:52 PM) eyedeekay: 2) Add support for Client-Side of X-I2P-Location to HTTP Proxy
+(04:39:52 PM) eyedeekay: 3) Debianize the I2P Browser Profile
+(04:39:52 PM) eyedeekay: 4) Pluginize the I2P Browser Profile
+(04:39:52 PM) eyedeekay: 5) Move goSam and sam3 to i2pgit.org instead of Github
+(04:39:52 PM) eyedeekay: 6) Clean up sam-forwarder UDP tunnels and move to go-i2p namespace
+(04:39:52 PM) eyedeekay: 7) Finally fix and merge go-i2p changes upstream
+(04:39:52 PM) eyedeekay: Web/Documentation:
+(04:39:52 PM) eyedeekay: 1) Document "How to Use" I2P for Android Browsing, Mail, Bittorrent
+(04:39:52 PM) eyedeekay: 2) Split download page into managable chunks, redirect to page by OS
+(04:39:52 PM) eyedeekay: 3) Document Jpackage install processes on Web Site
+(04:39:52 PM) eyedeekay: Misc:
+(04:39:52 PM) eyedeekay: 1) Migrate i2p.keyring.i2p to i2pgit.org
+(04:39:52 PM) eyedeekay: 2) Pluginize my other apps(BRB, Railroad, reseed-tools)
+(04:39:52 PM) eyedeekay: 3) Go rewrite of News Server(newsxml-tools)
+(04:39:52 PM) eyedeekay: 4) Generic Go SU3 Signing tool
+(04:40:33 PM) zzz: eyedeekay, I need misc #1 this week please
+(04:40:47 PM) eyedeekay: Absolutely
+(04:40:54 PM) zzz: super, thx
+(04:41:10 PM) eyedeekay: No problem
+(04:42:03 PM) eyedeekay: Anything else on 5)?
+(04:43:21 PM) eyedeekay: Anything else for the meeting? Timeout 2m in case of lag
+(04:43:53 PM) zlatinb: hmm yes has anyone noticed terrible lag today?  I'm also having to try up to 10 times to push something to git.idk.i2p
+(04:46:39 PM) eyedeekay: I have noticed some inconsistent difficulties pushing to git.idk.i2p in the past week
+(04:48:07 PM) eyedeekay: Usually gone in a few minutes but requiring multiple retries
+(04:49:37 PM) eyedeekay: I have it configured for 6 tunnels and 2 backup tunnels using one hop right now
+(04:54:59 PM) eyedeekay: It isn't multihomed but I could make it so
+(04:55:08 PM) eyedeekay: If there's anything else for the meeting? timeout 1m
+(04:57:26 PM) eyedeekay: All right thanks for coming everyone, same time next month, I'll post the meeting minutes to the site shortly

i2p2www/meetings/logs/303.rst

@@ -0,0 +1,11 @@
+I2P dev meeting, Sept 7, 2021 @ 20:00 UTC
+=========================================
+
+Quick recap
+-----------
+
+* **Present:**
+
+eyedeekay,
+zzz,
+zlatinb