<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>The opposite question is also relevant I think: what extra precautions does tahoe take to protect the user from losing their root cap? If I understand the design correctly, without the root cap (or access to some stored cap somewhere) the user won't be able to access any of their data (or the portion of their data for which they don't have caps).</span></div><div><span><br></span></div><div><span>Assuming I store everything in tahoe and never share my caps with anyone else and then my harddisk where my cap was stored dies is stolen etc., have I lost everything? Is there some other way to try to recover my data, maybe by scouring all nodes involved in storing it for caps that belong to me?</span></div><div><span><br></span></div><div><span>Are users encouraged to save a copy of their root cap somewhere other than their
harddrive? Is there any mechanism to help the user do something like that?</span></div><div><br></div><div><span>Joseph</span></div><div><br></div><div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "><div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "><font size="2" face="Arial"><hr size="1"><b><span style="font-weight:bold;">From:</span></b> Greg Troxel <gdt@ir.bbn.com><br><b><span style="font-weight: bold;">To:</span></b> Joseph Ming <josephming@ymail.com><br><b><span style="font-weight: bold;">Cc:</span></b> "tahoe-dev@tahoe-lafs.org" <tahoe-dev@tahoe-lafs.org><br><b><span style="font-weight: bold;">Sent:</span></b> Monday, August 1, 2011 5:20 PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [tahoe-dev] protecting caps<br></font><br><br>Joseph Ming <<a ymailto="mailto:josephming@ymail.com"
href="mailto:josephming@ymail.com">josephming@ymail.com</a>> writes:<br><br>> This might be an amateur question but how does tahoe protect caps once<br>> used by clients?<br>><br>> By that I mean that it seems like if I wanted to attack a tahoe user,<br>> the easiest way in would be to try to capture someone's root<br>> read-write cap. That is stored locally on all that user's clients?<br>> What does tahoe do to protect that data? I looked at the android<br>> client and see that it gets stored as a resource. I believe resources<br>> are siloed away on that platform from other processes so it should be<br>> safe assuming the device hasn't been rooted or have apps that get in<br>> through a security hole in the platform, and that it doesn't fall into<br>> the wrong physical hands. Most mainstream OSes don't silo in the same<br>> way, so any process run by a user might be able to access that value<br>> if it is
stored in a file right? So maybe my attack vector would be to<br>> get a piece of malicious software installed alongside tahoe, to try to<br>> pick off that cap value and send it to me?<br>><br>> I've seen the criticism of using the web interface for the same reason<br>> <a href="http://www.lexort.com/blog/tahoe-lafs.html#sec-4_1" target="_blank">http://www.lexort.com/blog/tahoe-lafs.html#sec-4_1</a>. Is that valid? If<br>> so, that's an even bigger hole, but I'm not worried about that<br>> one. It's easy to avoid using the browser as an interface to tahoe.<br><br>It's a fair question that has not had extensive discussion.<br><br>The prevailing notion is that clients are trustworthy and storage<br>servers are untrusted. Of course, people realize that this might not<br>match everyone's threat models - but it seems to be the most-common<br>threat model.<br><br>It's hard to imagine a filesystem that could safely make files
available<br>on untrustworthy clients. (One could do something like use time-limited<br>tokens to make read/write only last some number of hours, but that<br>doesn't remove access during enabled times.)<br><br><br></div></div></div></body></html>