[tahoe-dev] Tahoe and the browser security model.
Nathan
nejucomo at gmail.com
Wed Feb 20 11:23:12 PST 2008
On Feb 19, 2008 1:54 PM, zooko <zooko at zooko.com> wrote:
> Nathan:
>
> Thank you very much for reviewing our security page, but at the
> moment your recommendations seem either too general or too paranoid
> to adopt as-is. To wit:
>
...
Yes, I agree. This is a general and subtle problem. It's general to
all embedded webserver desktop apps which allow users to share data.
It's subtle because people don't realize how browser developer
assumptions about security break down in this context.
I'm currently researching a specific attack vector which I'll publish
on this list. The vector is that Internet Explorer treats "localhost"
as an "intranet" security zone, which means javascript has higher
privelege than it does on typical websites. I'm still investigating
the implications.
Nathan
Reference:
http://msdn2.microsoft.com/en-us/library/ms537183.aspx
More information about the tahoe-dev
mailing list