[tahoe-dev] [tahoe-lafs] #997: The webapi/WUI should have https enabled by default
tahoe-lafs
trac at allmydata.org
Mon Mar 15 12:19:16 PDT 2010
#997: The webapi/WUI should have https enabled by default
------------------------------------------------+---------------------------
Reporter: jsgf | Owner: nobody
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: unknown | Version: 1.6.0
Keywords: confidentiality wui webapi capleak | Launchpad_bug:
------------------------------------------------+---------------------------
Comment(by warner):
I really want to encourage users to run their own gateway. I'm a little
bit nervous that turning on SSL by default will look like we're suggesting
people talk to somebody else's gateway, and would imply that eavesdroppers
on the wire between your browser and that gateway are more of a concern
than whether your gateway is acting in your own best interests. I
recognize that using SSL (even on localhost) is strictly
equal-or-more-secure than non-SSL, but I do wonder if it sends the wrong
message to users.
Asking users to install a new CA root feels wrong to me. It teaches them
to "improve" their security by adding vulnerabilities into their browser.
The real question is what secrets (i.e. the filecaps) you're revealing to
which parties, and whether those are the parties you meant to reveal them
to. "http://127.0.0.1/" in the browser is harder to spoof than the
collection of (browser shows usual spoofable lock icon)+(address bar shows
meaningful DNS name)+(user remembers mapping from DNS name to which
gateway they meant to use)+(CA/PKI system is uncompromised and maps DNS
name / cert name to the expected cert)+(gateway isn't logging/revealing
your filecaps).
Maybe we should discuss the properties of a web gateway which *only*
accepted connections from localhost?
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/997#comment:6>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
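The localhost-only gateway warner floats at the end of his comment, worked through as an added example. This is not Tahoe-LAFS code and is not from the ticket; every name in it (is_loopback_peer, admission_status, LoopbackOnlyHandler, make_gateway) and the bind address and port are assumptions for illustration. It shows the two layers such a gateway needs: bind the listening socket to a loopback address only, so nothing off the box can complete a TCP handshake, and re-check the peer address on every request, so the policy survives someone later changing the bind address to 0.0.0.0. It also handles the addresses that are easy to get wrong: ::1 and IPv4-mapped loopback (::ffff:127.0.0.1), and hostnames, which are rejected because the check is meant for the address a socket reports rather than a name.

```python
"""
Added example (not Tahoe-LAFS code): a minimal HTTP gateway that accepts
connections from the local host only.

Layer 1: bind only to a loopback address (make_gateway refuses anything else).
Layer 2: re-check the peer address per request (LoopbackOnlyHandler), so the
         restriction still holds if the bind address is later widened.
All names, the port and the paths here are assumptions for illustration.
"""
import ipaddress
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def is_loopback_peer(host: str) -> bool:
    """True iff `host` is a loopback address: 127.0.0.0/8, ::1, or an
    IPv4-mapped loopback such as ::ffff:127.0.0.1.

    Hostnames (e.g. "localhost") are rejected on purpose: this check is for
    the literal address the socket reports, not for a name that DNS or
    /etc/hosts could map elsewhere.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d -> a.b.c.d
    return addr.is_loopback


def admission_status(peer_host: str) -> int:
    """HTTP status the gateway answers with for a request from peer_host."""
    return 200 if is_loopback_peer(peer_host) else 403


class LoopbackOnlyHandler(BaseHTTPRequestHandler):
    """Serves a placeholder page, but only to loopback peers."""

    def do_GET(self):
        status = admission_status(self.client_address[0])
        if status != 200:
            self.send_error(status, "gateway accepts local connections only")
            return
        body = b"local gateway ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_gateway(bind_host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Create the listening socket, refusing any non-loopback bind address.

    port=0 lets the OS choose a free port (convenient for the demo below).
    The server class is chosen to match the address family of bind_host so
    that "::1" works as well as "127.0.0.1".
    """
    if not is_loopback_peer(bind_host):
        raise ValueError(
            f"refusing to bind the gateway to non-loopback address {bind_host!r}"
        )
    family = (socket.AF_INET6 if ipaddress.ip_address(bind_host).version == 6
              else socket.AF_INET)

    class _Server(HTTPServer):
        address_family = family

    return _Server((bind_host, port), LoopbackOnlyHandler)


if __name__ == "__main__":
    # Demo: start on an OS-chosen loopback port, fetch one page, shut down.
    server = make_gateway("127.0.0.1", 0)
    host, port = server.server_address[:2]
    t = threading.Thread(target=server.serve_forever, daemon=True)
    t.start()
    try:
        with urllib.request.urlopen(f"http://{host}:{port}/", timeout=5) as r:
            print(r.status, r.read().decode().strip())
    finally:
        server.shutdown()
        server.server_close()
    for probe in ("127.0.0.1", "::1", "::ffff:127.0.0.1", "10.0.0.5", "localhost"):
        print(f"{probe:>18}: {admission_status(probe)}")
```

The per-request check is what matters in practice: binding to 127.0.0.1 is a one-line configuration that is easy to undo "temporarily", while the handler-side check keeps refusing non-local peers regardless of how the socket was bound. The check says nothing about other processes on the same machine, which is exactly the question warner raises about whether the gateway itself is trustworthy.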