[tahoe-dev] [tahoe-lafs] #991: avoid caching plaintext in gateway to satisfy range requests

tahoe-lafs trac at allmydata.org
Thu Mar 11 14:40:00 PST 2010 

#991: avoid caching plaintext in gateway to satisfy range requests
-------------------------------------------------------+--------------------
 Reporter:  davidsarah                                 |           Owner:       
     Type:  defect                                     |          Status:  new  
 Priority:  major                                      |       Milestone:  1.7.0
Component:  code-frontend                              |         Version:  1.6.0
 Keywords:  security confidentiality webapi sftp ftpd  |   Launchpad_bug:       
-------------------------------------------------------+--------------------
 Jeremy Fitzhardinge wrote:
 > In poking around with http range requests, I noticed that the web
 gateway will (on occasion) locally cache files in unencrypted form.

 > Now in normal use that's perfectly OK because web gateways are trusted
 with our unencrypted data and so having the data present in that form
 should be OK.

 > But my mental model of a gateway machine is that it's just a stateless
 waypoint which doesn't store anything local.  If I have a setup where
 there's a gateway machine within my network serving several machines, I
 would expect it to not have any persistent memory of my data, and so when
 it comes time to replace the HD I don't need to worry about scrubbing the
 disk, at least for Tahoe's sake.  (Let's assume swap has been dealt with.)

 > Therefore, I think the gateway should keep the cache files encrypted and
 only decrypt them on the fly as they're being sent to its clients.  I'm
 not sure what the key should be, but it should be per-file and transient
 (derived from the cap/root hash/something else?) rather than some local
 state (which would defeat the purpose of encrypting in the first place).

 Yes, there are three options that would fix this:

  1. Use encrypted temporary files as suggested above
  2. Stop using temporary files
  3. Securely overwrite temporary files before closing them

 (2. may require too much memory. 3. may leave plaintext accessible if the
 gateway crashes.)

 Note that the SFTP and FTP frontends also use unencrypted temporary files
 to handle write requests (perhaps that should be split into a separate
 ticket, but this one will do for the time being).

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/991>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid

More information about the tahoe-dev mailing list