[tahoe-dev] same origin
Brian Warner
warner at lothar.com
Fri Aug 6 05:58:09 UTC 2010
On 7/29/10 12:50 AM, James A. Donald wrote:
> Some time ago, someone proposed a local service that would map all
> domains of the form *.tahoe-stuff to the same network address, thereby
> allowing every web page to have a separate origin, thus preventing
> common origin attacks, but this would create some other insecurity.
>
> I did not understand why this would create some other insecurity, but
> failed to pipe up at the time.
>
> But the more I think about it, the less I can see how it would create
> some other insecurity.
The insecurity comes from the implementation of the *.tahoe-stuff
mapping. Unless we could get each user to run their very own specialized
DNS server, the only way to map all the 1.tahoe.org and 2.tahoe.org and
3.tahoe.org names to the same 127.0.0.1 IP address is for some central
party to host a tahoe.org DNS server with a wildcard A record entry. But
then that central party could, after everybody gets comfortable, attack
by returning their own IP addresses instead of 127.0.0.1, and suddenly
everybody would be sending their filecaps to the attacker.
A local (trusted) DNS server could return *.something=127.0.0.1, but
that involves running another daemon on the local machine (as root, so
it can listen on port 53), and changing the local /etc/resolv.conf
equivalent to use it.
The best approach I can think of so far is to use 127.a.b.c and rely
upon the fact that most hosts will send/accept all of these on the
loopback interface, accomplishing something similar to *.tahoe-stuff
without relying upon DNS (but having only 2^24 unique origins rather
than a nearly infinite number). Or maybe there's a way to do something
similar with IPv6 to get even more domains. In either case, I'd use a
truncated storage-index to choose which IP address was used.
(actually, the fallback position I'm considering is just to have two
HTTP ports, one of which is for the WUI and never ever serves
user-generated content, the other of which is only for
viewing/downloading files. At least then it'd be file-vs-file and not
file-vs-every-directory-you-ever-look-at.)
cheers,
-Brian
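An added worked example (not code from the message above or from the Tahoe-LAFS project) of the 127.a.b.c idea: the first three bytes of a storage index pick the host part of a 127.0.0.0/8 loopback address, so every file gets its own origin without any DNS. The URL path layout, the port number, the choice to keep the WUI on 127.0.0.1 and steer any file that would collide with it to 127.0.0.2, and the use of raw storage-index bytes as input are all assumptions made for this illustration. The last function checks the "most hosts" caveat by actually trying to bind the derived alias.

```python
import ipaddress
import socket
from urllib.parse import quote, urlsplit

# Assumption: the WUI (and nothing user-generated) lives on 127.0.0.1.
WUI_ADDRESS = ipaddress.IPv4Address("127.0.0.1")
# Assumption: illustrative listening port, not a real Tahoe default.
FILE_PORT = 3456


def origin_address(storage_index: bytes) -> ipaddress.IPv4Address:
    """Map a storage index onto a 127.a.b.c loopback address.

    Only the first three bytes are used (a truncated storage index), so the
    space is 2^24 origins and two files can share one; that is file-vs-file,
    never file-vs-WUI, because the WUI's own address is reserved.
    """
    if len(storage_index) < 3:
        raise ValueError("storage index must be at least 3 bytes long")
    a, b, c = storage_index[:3]          # bytes slice unpacks to three ints
    addr = ipaddress.IPv4Address(f"127.{a}.{b}.{c}")
    if addr == WUI_ADDRESS:
        # Never let user-generated content share the WUI's origin.
        addr = ipaddress.IPv4Address("127.0.0.2")
    return addr


def file_url(storage_index: bytes, path: str = "") -> str:
    """Build the per-file URL.  '/file/<hex storage index>/...' is a made-up
    layout for this example, not the project's real URL scheme."""
    host = origin_address(storage_index)
    return f"http://{host}:{FILE_PORT}/file/{storage_index.hex()}/{quote(path)}"


def origin_of(url: str) -> tuple:
    """The (scheme, host, port) triple a browser compares for same-origin."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)


def loopback_alias_usable(addr: ipaddress.IPv4Address) -> bool:
    """Check that this host lets a server bind to the 127.a.b.c alias.

    Linux accepts the whole 127/8 block on lo by default; some systems only
    configure 127.0.0.1 and refuse other aliases with EADDRNOTAVAIL.  Port 0
    asks the kernel for any free port, so the probe has no side effects.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((str(addr), 0))
        except OSError:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample storage indices (16 bytes each), not real Tahoe data.
    si_one = bytes.fromhex("0a0b0c0d0e0f101112131415161718191a")
    si_two = bytes.fromhex("0a0b0d0d0e0f101112131415161718191a")
    print(file_url(si_one, "readme.txt"))
    print(file_url(si_two, "readme.txt"))
    print("separate origins:", not same_origin(file_url(si_one), file_url(si_two)))
    print("alias bindable here:", loopback_alias_usable(origin_address(si_one)))
```

Two different files land on different hosts, so script in one cannot read the other's DOM or its filecap-bearing URL, while two paths under the same file (same storage index) still share an origin. Run the script on the target platform before relying on the trick: if loopback_alias_usable returns False for anything other than 127.0.0.1, the host needs explicit loopback aliases first.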