[tahoe-dev] Tahoe and the browser security model.
zooko
zooko at zooko.com
Tue Feb 19 13:54:52 PST 2008
Nathan:
Thank you very much for reviewing our security page, but at the
moment your recommendations seem either too general or too paranoid
to adopt as-is. To wit:
On Feb 19, 2008, at 2:02 PM, Nathan wrote:
> One, please mention that Tahoe's design is unique compared to most web
> applications, and that carries a risk of a mismatch between browser
> security models and Tahoe's security model.
...
> I believe there's a common idea that
> the "same site origin" policy implies that a web server is responsible
> for properly screening user-contributed data to protect users from
> attacking each other.
>
> Tahoe does not have any such screening. Because a user can view
> content from any Tahoe gateway, and a malicious user can upload
> content from any other Tahoe gateway (on the same grid), there is an
> attack vector that is probably unexpected by browser developers.
I think that you may be right, but that this is too much of a general
technical issue to be useful to the users who are the intended
audience of this wiki page:
http://allmydata.org/trac/tahoe/wiki/Security
I mean, can you express this idea in a way that is more concrete
about attacks and provides more of a "What To Do About This" answer
to users? I think you can, but the result wouldn't fit onto the
Security Page. The result would be a white paper, and if you write
it I will be very interested in reading it.
> Two, in the description of "potential exposure of a file" via
> hyperlinks, there are more attacks through this vector (depending on
> the threat model).
...
> an example threat model which isn't addressed in the current
> known issue for hyperlinks is a user who wants their history of file
> access to be private. An attacker can embed image links pointing to
> their own webserver, which exposes viewers who load that page.
This is, of course, the same risk that you take with viewing HTML
files in other contexts, but I think you are right that there is an
added risk here, which is the risk that a user of Tahoe might think
that the Tahoe context protects him from this. Perhaps the Security
page ought to list this in its list of Known Issues.
> Three, because Tahoe explores this novel security situation (with
> respect to browser usage), recommend that users who are deeply
> concerned with privacy and access to their computer should either: a.
> only view data uploaded to the grid by trusted parties, and/or b. only
> use the commandline client for retrieving data.
...
> Finally, the recommendation for the security conscious may help
> adoption, by letting potential security-minded users know that they
> mustn't rely on the infamous web browser.
Ugh -- it seems to me that this is unnecessary advice for the truly
paranoid, who already know that, and bad advice for the average, who
get more value out of using a web browser than they lose. How could
we phrase this on the Security Page in a way that was useful to people?
Regards,
Zooko
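An added example, not code from this thread or from the Tahoe project, that makes the "image links pointing to their own webserver" issue concrete from the defender's side: it scans user-uploaded HTML for resources a browser fetches automatically and flags those that resolve outside the serving gateway's origin. The gateway origin, the tag/attribute table and the sample HTML are constructed for the demonstration.

```python
# Flag auto-fetched cross-origin references in HTML served by a gateway.
# Such references reveal to a third party that (and roughly when) a viewer
# opened the file, which is the access-history exposure discussed above.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches on page load without a click.
AUTO_FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src",), "video": ("src", "poster"),
    "audio": ("src",), "embed": ("src",), "object": ("data",),
}

class ExternalRefScanner(HTMLParser):
    """Collect (tag, url) pairs whose URL resolves outside gateway_origin."""

    def __init__(self, gateway_origin: str) -> None:
        super().__init__()
        self.origin = urlsplit(gateway_origin)
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name in AUTO_FETCH_ATTRS.get(tag, ()):
            value = dict(attrs).get(name)
            if not value:
                continue
            # Resolve relative URLs against the gateway so that same-origin
            # references (e.g. /uri/...) are not flagged.
            target = urlsplit(urljoin(self.origin.geturl(), value))
            if (target.scheme, target.netloc) != (self.origin.scheme, self.origin.netloc):
                self.findings.append((tag, target.geturl()))

def find_external_refs(html: str, gateway_origin: str) -> list[tuple[str, str]]:
    scanner = ExternalRefScanner(gateway_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one gateway-local image, one third-party tracking pixel,
# and a plain hyperlink (not auto-fetched, so not reported).
SAMPLE_HTML = """<html><body>
<img src="/uri/URI:CHK:example/pic.png">
<img src="http://tracker.example.net/pixel.gif" width=1 height=1>
<a href="http://other.example.org/">link (only loads on click)</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_external_refs(SAMPLE_HTML, "http://127.0.0.1:8123"):
        print(f"<{tag}> loads from another origin: {url}")
```

A gateway could apply the same check before rendering uploaded HTML, or serve such content with a Content-Security-Policy that restricts image and script sources to 'self', so the browser refuses the third-party fetch altogether.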