[tahoe-dev] Tahoe and the browser security model.

Nathan nejucomo at gmail.com
Tue Feb 19 13:02:45 PST 2008


I just reviewed the security wiki [1] and have three recommendations
(followed by explanations).

One, please mention that Tahoe's design is unique compared to most web
applications, and that carries a risk of a mismatch between browser
security models and Tahoe's security model.

Two, in the description of "potential exposure of a file" via
hyperlinks, there are more attacks through this vector (depending on
the threat model).

Three, because Tahoe explores this novel security situation (with
respect to browser usage), recommend that users who are deeply
concerned with privacy and access to their computer should either: a.
only view data uploaded to the grid by trusted parties, and/or b. only
use the command-line client for retrieving data.


Explanations:

First, there is a general mismatch between the common browser security
model and the Tahoe interface.  I believe there's a common idea that
the "same site origin" policy implies that a web server is responsible
for properly screening user-contributed data to protect users from
attacking each other.

Tahoe does not have any such screening.  Because a user can view
content from any Tahoe gateway, and a malicious user can upload
content from any other Tahoe gateway (on the same grid), there is an
attack vector that is probably unexpected by browser developers.


Secondly, an example threat model which isn't addressed in the current
known issue for hyperlinks is a user who wants their history of file
access to be private.  An attacker can embed image links pointing to
their own webserver, which exposes viewers who load that page.


Finally, the recommendation for the security conscious may help
adoption, by letting potential security-minded users know that they
mustn't rely on the infamous web browser.


Nathan Wilcox

refs:
[1] http://allmydata.org/trac/tahoe/wiki/Security
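The second point above (uploaded HTML that makes a viewer's browser contact a third party) can be checked for on the defender's side before such a file is rendered. The following is an added example, not Tahoe code: it parses an HTML document and separates references a browser fetches automatically on load (which would reveal the viewing to the referenced host) from links that are only followed on a click. The gateway host name and the sample document are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose URL attribute a browser fetches without any user action.
AUTO_FETCH = {
    "img": "src", "script": "src", "link": "href", "iframe": "src",
    "video": "src", "audio": "src", "source": "src", "object": "data",
}


class ExternalRefFinder(HTMLParser):
    """Collect references in an HTML document that point off the gateway host."""

    def __init__(self, gateway_host):
        super().__init__()
        self.gateway_host = gateway_host.lower()
        self.auto = []    # (tag, url): fetched on load, leaks the viewing
        self.clicks = []  # (tag, url): only followed if the viewer clicks

    def _is_external(self, url):
        # Relative URLs have no host and stay on the gateway; protocol-relative
        # ("//host/path") and absolute URLs to another host are external.
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.gateway_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = AUTO_FETCH.get(tag)
        if name and a.get(name) and self._is_external(a[name]):
            self.auto.append((tag, a[name]))
        if tag == "a" and a.get("href") and self._is_external(a["href"]):
            self.clicks.append((tag, a["href"]))
        # Not covered here: CSS url(...) values and <meta http-equiv="refresh">.


def scan_html(doc, gateway_host):
    """Return auto-fetched and click-only external references found in doc."""
    p = ExternalRefFinder(gateway_host)
    p.feed(doc)
    return {"auto_fetch": p.auto, "click_only": p.clicks}


# Constructed sample: one grid-relative image, one third-party image, one link.
SAMPLE = """<html><body><p>Holiday photos</p>
<img src="/uri/URI:CHK:constructed-example/photo1.jpg">
<img src="http://tracker.example/pixel.gif?v=1">
<a href="https://forum.example/thread">discussion</a>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE, "127.0.0.1"))  # gateway host is an assumption
```

A file whose `auto_fetch` list is non-empty would reveal the viewer's access to every host listed the moment it is rendered in a browser, whereas the command-line client retrieves the bytes without following any of them.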
