21:15 < rransom> What security properties should APAF provide? What attacks (or classes of attacks) should APAF prevent or resist?
This section describes the classes of attacks the APAF should prevent/resist.
Present briefly the application and describe how the user shall interact with it.
The Anonymous Python Application Framework is built and delivered as a standalone application, and consists of a simple static file server.
When the user double-clicks the executable, a new browser tab opens showing the configuration page, on which the user can select the destination folder and edit advanced options.
Entry Points: Hidden Service port selected in the configuration page, telnet login?
Flowing Data: documents selected by the user
who is going to use the application?
The attacks a malicious user may perform:
- brute force against the login form;
- the .exe/.app contains, compressed, the whole Python standard library in pyc format. Replacing one of these bytecode libraries may lead to control of the application;
- denial of service
Precautions for attacks
As far as I know, .onion hostnames, on their own, provide a security mechanism to avoid poisoning or man-in-the-middle attacks.
The user shall be advised with very clear messages in the configuration page about the consequences of editing a certain box.
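
An integrity check for the bundled bytecode archive named in the attack list, as an added example that is not APAF's own code: it compares the SHA-256 of every archive member against a manifest produced at build time and reports modified, added and missing libraries. The archive contents, the member names and the assumption that the manifest reaches the verifier over an authenticated channel are constructed for illustration.

```python
import hashlib
import io
import zipfile


def build_manifest(archive_bytes):
    """Map each archive member to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist() if not name.endswith("/")}


def verify_archive(archive_bytes, trusted):
    """Return sorted lists of modified, added and missing members.

    All three lists empty means the bundle matches the trusted manifest.
    """
    current = build_manifest(archive_bytes)
    return {
        "modified": sorted(n for n in current
                           if n in trusted and current[n] != trusted[n]),
        "added": sorted(n for n in current if n not in trusted),
        "missing": sorted(n for n in trusted if n not in current),
    }


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: stand-ins for compiled modules, not real bytecode.
SHIPPED = make_zip({"os.pyc": b"os-bytecode", "socket.pyc": b"socket-bytecode",
                    "hashlib.pyc": b"hashlib-bytecode"})
# Assumption: the manifest is computed at build time and distributed through an
# authenticated channel, not stored unprotected inside the bundle it describes.
TRUSTED = build_manifest(SHIPPED)
# The same bundle after one library is replaced, one removed and one added.
TAMPERED = make_zip({"os.pyc": b"os-bytecode", "socket.pyc": b"replaced",
                     "unexpected.pyc": b"extra"})

if __name__ == "__main__":
    print(verify_archive(SHIPPED, TRUSTED))
    print(verify_archive(TAMPERED, TRUSTED))
```

The check only helps if it runs from code the attacker cannot also replace; a verifier loaded from the same writable archive can be swapped along with the libraries.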