[tahoe-dev] XSRF attacks -- we need to do something about v0.5
zooko
zooko at zooko.com
Wed Aug 22 08:40:11 PDT 2007
By the way, it occurred to me that if the tahoe client didn't
automatically map for you from the string "private" to the uri of
your private vdrive's top-level directory, then this attack would not
be able to disclose your confidential data.
So, for example, we *could* patch v0.5 by removing that mapping!
I'm not actually suggesting that we do this. For one thing, it
wouldn't prevent this attack from deleting your public data. For
another thing, people really benefit from being able to use the word
"private" instead of a large random URI to refer to their private data.
Regards,
Zooko
More information about the tahoe-dev
mailing list