[tahoe-dev] Chinese Tahoe-LAFS users found on the Internet

Zooko O'Whielacronx zooko at zooko.com
Thu Aug 5 05:02:53 UTC 2010


On Wed, Aug 4, 2010 at 8:21 PM, David-Sarah Hopwood
<david-sarah at jacaranda.org> wrote:
>
>> 4. They prefer to use distributed Tahoe-lafs http://pubgrid.tahoe-lafs.org.
>> Because it is secure, nobody knows what your file content is except you and the
>> people who share with you. It not only encrypts but also splits the resources
>> into pieces on different machines.
>
> Hmm, I hope that they realize that the transmission between their machines
> and pubgrid.tahoe-lafs.org is unencrypted?

Also, I hope that they realize that if they use
http://pubgrid.tahoe-lafs.org, then the server there has access to all
files and directories that they access through it. I am somewhat
alarmed at the idea that people might be relying on the security of
http://pubgrid.tahoe-lafs.org. That is a really bad idea.

A good way to think about this is to remember the "reliance topology diagram":

http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/about.html

In that diagram, the red components are components that get access to
your files and directories whenever you access those files and
directories. The red components are the client (e.g. a web browser or
the "tahoe" command-line tool or your SFTP client such as sshfs or
Nautilus or ncftp), and the gateway, and the link between the client
and the gateway (i.e. the unencrypted HTTP traffic). The gateway is
the Tahoe-LAFS process, which listens on a port for HTTP connections
and serves up a web site that looks like http://pubgrid.tahoe-lafs.org.

The black components are the ones that do not get access to the
contents of your files and directories. The black components are the
storage servers and the links between the gateway and the storage
servers.

Now the important thing to understand is that if you want the property
that "nobody knows what your file content is except you and the people
who share with you" then you *must not* use http://pubgrid.tahoe-lafs.org,
nor any other remote gateway. You must instead run the Tahoe-LAFS
gateway on your own local PC. If you use a remote Tahoe-LAFS gateway
such as http://pubgrid.tahoe-lafs.org, then what you get is "nobody
knows what your file content is except you and the people who share
with you and the people who can control the remote gateway".

If, for example, the users were Chinese democracy activists (I don't
know if our actual users are—this is hypothetical) and their adversary
were Chinese pro-government activists or Chinese government
operatives, and if the users used http://pubgrid.tahoe-lafs.org, then
all that the adversaries would need to do would be to take over the
server that runs http://pubgrid.tahoe-lafs.org.

That server's IP address is 67.23.235.47. It is operated by David
"Soultcer" Triendl, a volunteer who contacted the Tahoe-LAFS open
source software project over the Internet and claimed to be a resident
of Switzerland and who offered to run some servers and let us use
them. Nobody that I know of has made any attempt to verify David's
identity or intentions.

Also, not to impugn David's system administration skills, but it
wouldn't be surprising if that server were occasionally vulnerable to
publicly known remote exploits. Most servers are from time to time.

It also wouldn't be surprising if some attackers had developed or
learned about remote exploits that were not publicly known and David's
server could be vulnerable to those as well.

I don't know what other services David runs on that server or what
other users have access or administrative privileges to it.

Of course David himself has administrative access to the server (as
well as possibly other people to whom he has given access). Where does
he keep his passwords or keys with which to gain access to the server?
What devices does he use to log into his server—a PC, laptop, a
smartphone? An attacker who compromised whatever device David uses to
log in or to store his keys would thereby gain the ability to control
the server.

Recently some attackers, allegedly associated with the government of
China, have sent "targeted" PDFs to their intended victims, meaning
that the PDFs were plausible documents, addressed to the intended
victim, made to look as though they originated from someone who might
plausibly send them such a document. The PDFs contained code to
exploit the PDF viewer software using holes in that software which
were not publicly known. When the victims opened the PDFs, their
computer was silently taken over such that the attackers then had
control over it. The attackers then used this control to gain access
to other computers that the victim was authorized to access. If
something like that were to happen to David, he would probably not
realize that it had happened.

David recently confided to me (on unencrypted IRC) that he is engaged
in an occupation which keeps him away from home for many days at a
time. If none of the above ideas were sufficient for an adversary to
gain access to the gateway, then they could probably hire someone to
visit David's house (or wherever he keeps that server) and take
control of it.

Finally, if none of the above ideas suffice for the adversary to gain
control of David's server, then the adversary could always use
persuasion, deception, bribery, or coercion to get David himself (or
one of the people to whom he has given administrative access) to give
them access.

The bottom line is that you cannot be confident that relying on
http://pubgrid.tahoe-lafs.org will be safe against sophisticated
attackers.

Using an HTTPS connection instead of an HTTP connection from your
client to pubgrid.tahoe-lafs.org would reduce your vulnerability to
attackers who might spy on the network traffic between your computer
and pubgrid.tahoe-lafs.org, but would not reduce your vulnerability to
any of the threats listed above.

Now a *good* idea is to run the Tahoe-LAFS gateway software on your
own local PC or laptop. The instructions to do so are here:

http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/quickstart.html

Doing this means that all of the red components from "the reliance
topology diagram" are running on your own PC or laptop.

Regards,

Zooko
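As an added illustration of the reliance topology described in the message above (not code from the original post or from Tahoe-LAFS itself), here is a small Python model in which the gateway handles plaintext while the storage servers receive only encrypted shares. It assumes a SHA-256 counter-mode keystream as a stand-in for AES-CTR and a constructed 2-of-3 XOR parity scheme as a stand-in for zfec erasure coding; the gateway_* functions and "storageN" names are hypothetical.

```python
import hashlib
import os


def keystream(key: bytes, n: int) -> bytes:
    """Constructed stand-in for AES-CTR: SHA-256 run in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, data: bytes) -> bytes:  # XOR stream: decrypts too
    return xor_bytes(data, keystream(key, len(data)))


def encode_2_of_3(ct: bytes) -> list:
    """Constructed stand-in for zfec: 2-of-3 XOR parity; any two shares rebuild ct."""
    half = (len(ct) + 1) // 2
    a, b = ct[:half], ct[half:].ljust(half, b"\x00")
    return [a, b, xor_bytes(a, b)]


def decode_2_of_3(shares: dict, ct_len: int = -1) -> bytes:
    if 0 in shares and 1 in shares:
        a, b = shares[0], shares[1]
    elif 0 in shares:
        a = shares[0]
        b = xor_bytes(a, shares[2])
    else:
        b = shares[1]
        a = xor_bytes(b, shares[2])
    ct = a + b
    return ct if ct_len < 0 else ct[:ct_len]


def gateway_upload(plaintext: bytes):
    """The gateway (a red component) sees plaintext; storage servers (black) get shares only.
    Returns the read-cap the client keeps and what each (hypothetical) storage server stored."""
    key = os.urandom(32)
    ct = encrypt(key, plaintext)
    stored = {f"storage{i}": s for i, s in enumerate(encode_2_of_3(ct))}
    return {"key": key, "ct_len": len(ct)}, stored


def gateway_download(cap: dict, stored: dict, reachable: list) -> bytes:
    """Any two reachable storage servers suffice; only the cap holder can decrypt."""
    shares = {int(name[-1]): stored[name] for name in reachable}
    return encrypt(cap["key"], decode_2_of_3(shares, cap["ct_len"]))


def storage_coalition_view(stored: dict) -> bytes:
    """All three storage servers colluding can rebuild only the ciphertext."""
    return decode_2_of_3({i: stored[f"storage{i}"] for i in range(3)})
```

Whoever runs the gateway (your own PC, or a remote host such as pubgrid) is the party that holds the cap and the plaintext at upload time; the storage side never does.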
