How is security preserved? #5

Open
fzaninotto opened this issue Nov 18, 2016 · 2 comments

@fzaninotto

I understand that CacheP2P used a checksum system to validate that a page fetched from a peer is identical to the source page, but this checksum must be present in the source links first.

Wikipedia doesn't include these checksums (or do they?), so how can you make sure that a page I fetch from a peer doesn't contain a malicious script?

@deckar01

As far as I can tell there is no mechanism in place for verifying the content of the torrent.

  • The torrent's info hash is replaced with a hash of the URL, which removes the verification provided by the torrent protocol. (background.js#L273)
  • The page hash is included in the torrent content, which doesn't provide any authentication, since it can be supplied by the attacker. (background.js#L270)
  • Completed torrents are stored without verifying the page hash or authenticating the page hash with a trusted source. (background.js#L120)
  • Torrented page content is injected into the page without verifying the page hash or authenticating the page hash with a trusted source. (end.js#L46)
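
Added example, not part of the thread and not CacheP2P's code: it contrasts a check against the hash bundled in the peer's payload with a check against a hash obtained from a trusted source, which is the gap the comment above describes. The function names, the `{content, pageHash}` payload shape, the use of SHA-256, and the `trustedHashes` map (assumed to be fetched from the origin over HTTPS) are all assumptions.

```javascript
// Added example; every name below is hypothetical, not taken from CacheP2P.
const crypto = require('crypto'); // Node.js; a browser extension would use crypto.subtle.digest

const sha256 = (text) => crypto.createHash('sha256').update(text, 'utf8').digest('hex');

// Weak check: the expected hash travels inside the peer's payload, so
// whoever builds the payload also chooses the hash it is compared with.
function checkSelfSuppliedHash(payload) {
  return sha256(payload.content) === payload.pageHash;
}

// Hardened check: the expected hash comes from a source the peer cannot
// write to (assumed: a URL -> hash map fetched from the origin over HTTPS).
// The hash bundled in the payload is ignored entirely.
function verifyAgainstTrustedHash(url, payload, trustedHashes) {
  const expected = trustedHashes.get(url);
  if (typeof expected !== 'string') {
    return { ok: false, reason: 'no trusted hash for URL' }; // fail closed
  }
  if (sha256(payload.content) !== expected.toLowerCase()) {
    return { ok: false, reason: 'content does not match trusted hash' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample data.
const url = 'https://example.org/wiki/Page';
const original = '<p>Original article text</p>';
const altered = original + '<!-- modified by peer -->';
const trustedHashes = new Map([[url, sha256(original)]]);

const honest = { content: original, pageHash: sha256(original) };
// The peer recomputes the bundled hash over the altered content.
const tampered = { content: altered, pageHash: sha256(altered) };

// Only content that passes the trusted check would be stored or injected.
console.log('self-supplied check, tampered:', checkSelfSuppliedHash(tampered));
console.log('trusted check, tampered:', verifyAgainstTrustedHash(url, tampered, trustedHashes));
console.log('trusted check, honest:', verifyAgainstTrustedHash(url, honest, trustedHashes));
```
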

@eyedeekay

I'm looking at the cacheP2P documentation and thinking about possible solutions, and it seems to me that this part is a thing that would have to be solved by MediaWiki or a plugin to MediaWiki which generates the cacheP2P.security.js files when pages are edited, right?
