[tahoe-dev] can the web browser be used securely to manage your data? Re: Tahoe-LAFS is widely misunderstood

Zooko O'Whielacronx zooko at zooko.com
Thu Feb 3 04:33:13 PST 2011


On Wed, Feb 2, 2011 at 5:41 PM, Chris Palmer <chris at noncombatant.org> wrote:
> Brian Warner writes:
>
>> My problem with FUSE as the primary entry point is that it loses the whole
>> least-authority model. The POSIX filesystem APIs don't expose things like
>> retrieving a dircap for the subdirectory that you want to share with a
>> friend, so the easiest thing to do is to share your whole rootcap with
>> somebody, the equivalent of sharing passwords from the bad-old-days. It
>> also doesn't let you write programs that are restricted to interacting
>> with just a subset of your filesystem, so all the usual Confused Deputy
>> vulnerabilities are still around.
>
> Well, a WUI is no way to solve the confused deputy problem. :)

It is a very interesting question: can the web browser be used to
securely manage your data?

And, if you manage your data with capabilities (authorization-based
access control) instead of with access control lists (identity-based
access control), does that make it better or worse?

This is one of those questions that I call "an empirical question"—a
question better answered by observing the world than by listening to
arguments. I've heard the arguments on both sides and I find both
sides to be persuasive. :-) So now I'm trying to learn from
observation.

Part of that is the "Hack Tahoe-LAFS!" contest, in which anyone who
finds an exploitable vulnerability in Tahoe-LAFS (when it is used in
the expected way, which includes the WUI) is awarded gratitude and a
custom t-shirt and an entry on The “Hack Tahoe-LAFS!” Hall Of Fame:

http://tahoe-lafs.org/hacktahoelafs/hall_of_fame.html

Of the three winners so far, only the first one, Nathan Wilcox,
exploited the WUI. If you read the story of his exploit —
http://tahoe-lafs.org/hacktahoelafs/nathan_wilcox.html — you'll see
that the lesson that we drew from the experience is that the WUI
should adhere all the *more* strictly to capability discipline.

Our fix for Nathan's exploit was to remove a convenience feature which
provided ambient authority in order to reduce the user's exposure to
visible capabilities. (That convenience feature was a URL path
"http://$HOST/vdrive/" which the gateway would map to your root
capability for you. This is exactly like the "tahoe:" alias that we
later added to the CLI, except for the WUI.)

Now, perhaps you, gentle reader, will draw a different lesson from the
same empirical evidence. If you draw your alternative lesson well
enough, you can win your own “I Hacked Tahoe-LAFS!” t-shirt. :-)

(I don't want to name names without first asking permission, but a few
people have tried and failed. If you've tried then by all means please
speak up on this list and describe your ideas about how to exploit
Tahoe-LAFS and why you haven't (yet) been able to make them work.)

Regards,

Zooko


More information about the tahoe-dev mailing list