guerrerocarlos / cachep2p Goto Github PK

It'd help keep things consistent. As is, it's a little unruly.

Sha1 has known collisions. While it is not yet practical to attack a CacheP2P site by creating sha1 collisions.

CacheP2P should switch to sha256.

Yes, I know webtorrent only supports sha1, but this is still something to note.

A minimized version is good for performance (much lesser code to load) but harder for humans to read (+ understand consequently). Please consider providing a non-minimized version and maybe use some OpenSource tool to build the minimized version (it should be ignored in .gitignore then as everybody can build it on their own).

Does p2p network servers the JavaScript also ? And how does it Handel dynamic pages ?

Hi,
I am a member of cdnjs,
to add the library correctly,
I want to confirm that whether the url https://cachep2p.com presented in homepage and author/url in package.json is not working anymore?
Should it just be http://cachep2p.com which is not https?

thank you!

How to cache specific file instead of page?
For example a big gif image or a swf video.

You may need to update your forks of webtorrent and ut_metadata after a new version of WebTorrent is released upstream. Creating tagged releases and using them in your dependencies list is necessary to ensure developers are using the correct versions, and prevent developers from pulling unstable changes from your master branches.

I would like to use CacheP2P to cache mostly images.

My website is not a static websites, so most links on my pages point to a dynamic page.

However, those dynamic pages contain images which are static.

How can I use cachep2p to cache those static images?

I will generate a cachep2p.security.js that contains the checksum of all of my images.

Now, will cachep2p pre-fetch them?

I didn't look much at the codebase but that can probably work by replacing all links by functions that makes the request and replace image links by cached ones.

Now we would a way need to indicate CacheP2P what images to pre-fetch.

A patched version of WebTorrent is currently being used so that the torrent can be discovered using the hash of the URL instead of the hash of the contents of the resource. This allows peers to seed arbitrary content including stale copies of content and malicious payloads. Although the content is verified before being used, it doesn't seem necessary to track these torrents by URL hash and download invalid content.

Theoretically the only other piece of information the client needs to construct the standard info hash is the content length.

I have some concerns regarding privacy and tracking. As of now, CacheP2P "just works", without consent from the end-user. As this relies on P2P and torrent protocols, it's easy for anyone to track all IPs who accessed a page.
With some effort, an entity could reliably tell which pages a given IP has accessed, thus invalidating any possible privacy which could be had just by hitting a central server with https enabled. CacheP2P makes it easy for anyone to do this, so I believe it's important to discuss: is there anything CacheP2P can do to honor an user's request not to be part of the swarm?

It should be easy and not assume any technical knowledge from the user. That way, CacheP2P can be deployed on services which would benefit from the swarm availability, while allowing users who want to be private not to participate at all. This could work as an opt-in or opt-out, with opt-in preferred.

There is no check in the current code that verifies the security hash of a received file against the hash in document.security_sha1.

This allows anyone to serve a hijacked page for a given URL, and is a critical security problem.

I have attached 3 files to demonstrate the problem:
entry.txt
vulnerable.hijacked.txt
vulnerable.txt

Steps to reproduce:

1. Put those files in a directory with the current cachep2p.min.js and rename them from ".txt" to ".html" (github wouldn't let me attach htmls)
2. Edit the links and hashes in all 3 pages according to the hashes of entry.html and vulnerable.html (just as the documentation instructs you to)
3. Open two tabs in your browser (I did it with one tab in "normal" mode and the other in incognito mode)
4. In one of the tabs, navigate to the entry.html page. It will begin seeking for a peer with the vulnerable.html page
5. In your file system, rename vulnerable.html to something like vulnerable.original.html, then rename vulnerable.hijacked.html to vulnerable.html
6. In the other tab, open now the vulnerable.html page (which should be the hijacked version). It will serve this hijacked version of the page to the other tab
7. Check your console logs in the first tab (the one with entry.html). As soon as the page receives a cached version of vulnerable.html, click the link
8. Verify that it goes to the hijacked page. Also verify that the security_sha1 of this page is different from the hash you obtained when setting up the pages.

Trying to use the index.js or webpack yells at me if i use the mini version. When I use the index.js it says this.

ERROR in .//create-torrent/index.js
Module not found: Error: Cannot resolve module 'fs' in /home/charliebrown/internalDocs/node_modules/create-torrent
@ .//create-torrent/index.js 22:9-22

ERROR in .//parse-torrent/index.js
Module not found: Error: Cannot resolve module 'fs' in /home/charliebrown/internalDocs/node_modules/parse-torrent
@ .//parse-torrent/index.js 7:9-22

ERROR in .//webtorrent/lib/torrent.js
Module not found: Error: Cannot resolve module 'fs' in /home/charliebrown/internalDocs/node_modules/webtorrent/lib
@ .//webtorrent/lib/torrent.js 13:9-22

ERROR in .//is-file/index.js
Module not found: Error: Cannot resolve module 'fs' in /home/charliebrown/internalDocs/node_modules/is-file
@ .//is-file/index.js 3:9-22

ERROR in .//pump/index.js
Module not found: Error: Cannot resolve module 'fs' in /home/charliebrown/internalDocs/node_modules/pump
@ .//pump/index.js 3:9-22

Hello.

How to use CacheP2P on ExpressJS 4? It's possible?

Win7 Pro: Enterprise 64bit
Chrome: 53.0.2785.143 m

Just an observation at this point, as I haven't been able to replicate it yet, but the tab eventually crashed, indicated by loss of interaction with the page (no scrolling, no context menu, etc). Refreshing the page failed, and so I reopened the link in a new tab and loaded up just fine.

Curious if any long-running processes have been tested and logged as part of the Zuul test suite integration to catch issues like this?

hello,
i have a question.
would it be possible or even feasible to use this mechanism on different web pages by injecting the code with tampermonkey/greasemonkey as userscript.

anyone else using the same userscript would be able to fetch pages from cachep2p nodes?

It looks like there may be an issue with over-optimizing and over-caching.

I have a website that is sitting on DreamHost's DreamPress server, an optimized WordPress server that uses Varnish cache. The website receives about an average of 1,000 visitors a day. When I added this code by calling it through a script, it was not immediate, but over the course of the week, about 2-3 days in, the server began to overload. What is normally 20-40 queries soon became 2000 queries and what is normally under a 1 second page load became no less than 4 seconds to load pages.

No new plugins were installed and no new code, other than CacheP2P was added.

When I contacted DreamHost support, they said the Apache server was overloaded to capacity at 100% of resources being used. This shut down the website. It happened twice. It was as if the two cache systems - Varnish cache and CacheP2P were battling it out. Once the 3 lines calling the script were removed and processes ran their course, the site restored to normal functioning. The code has not been added back and the website is functioning like normal and has not gone down since.

On my Shared hosting, I have another website that receives less traffic, but a somewhat steady flow of traffic everyday of about 40-70 visitors. I had added the same 3 lines of code. I'm currently storing the CacheP2P scripts on a CDN. There has been absolutely no issues, but it is also not optimized for Varnish cache. There has been no overloading or anything like that. Improvements in performance? Possibly. But too soon to tell, but no issues as far as the site going down.

So I'm just putting it out there, it looks like this code will not always work with other caching systems.

Hi today i found this on webtorrent site and it was amazing to see this,but i cannot understand how to integrate this to my blog i possible please make a video how to integrate to a site!!
please i need it!!

How do you change the content on the page?
What if someone caches your URLs with malicious scripts before you have the opportunity to claim the magnet link?

Hello.

How to automatically create cachep2p.security.js?

I have a sitemap and on the basis of these data create cachep2p.security.js.

How can I do that?

Hi,

Congratulation for the project, it is an amazing idea and a brilliant execution. By reading the source code i noticed that the cache uses the links in a page, thus the html those link generates, as data transmitted between peers.

While this approach is effective for blogs, news sites and in general non single app applications, in the single web app application scenario it might not be so effective since a link does not lead to new assets/html but a change of the dom by the underlying javascript execution.

Instead in this scenario seems that being able to cache the assets as images, fonts, css and js would be an effective approach.

Is there any plan or thought toward this sceanario ?

Hi,
as the website is dead and forwarding to a scam site, while I still like this project, I have searched for the archived site and found it.
Here is the documentation:
https://web.archive.org/web/20170301165027/http://www.cachep2p.com/documentation.html

Issue

package-json-versionify is used as a babel plugin, but is not declared as an npm dependency.

This worked locally, because it is a dependency of webtorrent and npm sometimes flattens the dependency tree, but other versions of npm and other environments may not.

Solution

Run npm install --save-dev package-json-versionify to add the dependency to package.json.

This project looks pretty cool! Does it have tests? The package.json suggests that it does, but I don't see any test files...

When opening documentation page my latest Chrome on Windows 10 freezed, well at least the page freezed for some time, opened console, saw error, the page unfroze again.

cachep2p.min.js:4 Uncaught Error: Cannot add duplicate torrent 082a53207fbb79076a8b09aa5372d64fd9a5152a
cachep2p.min.js:11 [CacheP2P] this page's security hash: 0b4c91d69b162ca305bf3b48316b1e1389536fff (http://www.cachep2p.com/documentation.html)
cachep2p.min.js:11 found link that points to url http://www.cachep2p.com/api.html
cachep2p.min.js:11 found link that points to url http://www.cachep2p.com/api.html