[tahoe-dev] can the web browser be used securely to manage your data? Re: Tahoe-LAFS is widely misunderstood

Chris Palmer chris at noncombatant.org
Thu Feb 3 10:53:25 PST 2011


Zooko O'Whielacronx writes:

> It is a very interesting question: can the web browser be used to securely
> manage your data?

Browsers are operating systems. The browser security model is even less
documented and asserted than the Unix security model, so it is reasonable to
assume that browsers uphold their security model even less well than do Unix
implementations. Experience shows that neither browsers nor COTS Unix
implementations uphold their guarantees at all. (Think of NT as essentially
a more elaborate Unix for these purposes.)

(That said, the same origin policy is a better and more meaningful policy
than the UID policy. New operating systems like Android and Singularity seek
to clarify, document, and enforce SOP-like policies, and that is an
improvement over the status quo. Android is still crippled by Linux, of
course.)

So, no, browsers (and kernels) are not trustworthy beyond a certain minimal
threshold.

http://cansecwest.com/csw09/csw09-oberg-kettle.odp
http://en.wikipedia.org/wiki/Pwn2Own
http://jailbreakme.com/

If jailbreakme works, and it does, then nothing is true and everything is
permitted. Cats and dogs living together --- real Old Testament stuff. :)

> And, if you manage your data with capabilities (authorization-based access
> control) instead of with access control lists (identity-based access
> control), does that make it better or worse?

What little security clarity there is in browser and web app security land
is ID-based. We know the problems of ID-based security policies, but it is
better than nothing. "Nothing" is what you get when you try to force your
new idea onto a platform incapable of supporting it.

> This is one of those questions that I call "an empirical question"—a
> question better answered by observing the world than by listening to
> arguments. I've heard the arguments on both sides and I find both sides to
> be persuasive. :-) So now I'm trying to learn from observation.

Yes. In my experience, browsers and servers leak URLs like a sieve. It is
essentially not possible to keep URLs secret. Conversely, although extremely
difficult, it is possible to achieve some ID-based security in a web app,
modulo browser and server platform bugs.

> Of the three winners so far, only the first one, Nathan Wilcox,
> exploited the WUI.

That's only if you don't count the URL leaking bug.


-- 
http://noncombatant.org/
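The "browsers and servers leak URLs like a sieve" point above is easy to check from the defender's side. The following is an added example, not code from the post or from Tahoe-LAFS: given a capability-bearing page URL and the HTML served at it, it lists the cross-origin targets the browser would hand that URL to in a Referer header. The capability shape (`URI:<type>:...`), the hostnames and the placeholder cap are assumptions; the `Referrer-Policy: no-referrer` check refers to a mitigation that postdates this thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed shape of a Tahoe-LAFS capability inside a URL ("URI:<type>:..."); not from the post.
CAP_RE = re.compile(r"URI:[A-Z0-9]+:[A-Za-z0-9_:-]+")
# Attributes whose targets the browser will fetch or follow, sending a Referer.
URL_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src",
             "a": "href", "form": "action"}

class CrossOriginRefs(HTMLParser):
    """Collect references in a page that point at an origin other than the page's own."""
    def __init__(self, page_url):
        super().__init__()
        parts = urlsplit(page_url)
        self.scheme, self.host = parts.scheme, parts.netloc
        self.external = []

    def handle_starttag(self, tag, attrs):
        target = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if not target:
            return
        t = urlsplit(target)
        if not t.netloc or t.netloc == self.host:
            return  # same-origin: the Referer stays on our own server (and in its logs)
        if self.scheme == "https" and t.scheme == "http":
            return  # browsers' default policy drops the Referer on an https->http downgrade
        self.external.append((tag, target))

def referer_leaks(page_url, html, response_headers):
    """Return the cross-origin targets that would receive page_url (cap included) as Referer.

    Nothing leaks if the URL carries no capability, or if the server set
    Referrer-Policy: no-referrer (a mitigation that postdates this thread).
    """
    if not CAP_RE.search(unquote(page_url)):
        return []
    headers = {k.lower(): v.strip().lower() for k, v in response_headers.items()}
    if headers.get("referrer-policy") == "no-referrer":
        return []
    parser = CrossOriginRefs(page_url)
    parser.feed(html)
    return parser.external

# Constructed sample: a placeholder cap in the URL and a page mixing local and third-party assets.
PAGE_URL = "http://gateway.example/uri/URI%3ADIR2%3Aaaaa%3Abbbb/"
PAGE_HTML = """<html><head><link rel="stylesheet" href="/static/tahoe.css">
<script src="http://cdn.example/jquery.js"></script></head>
<body><a href="http://blog.example/post">related reading</a><img src="/icon.png"></body></html>"""

if __name__ == "__main__":
    for tag, target in referer_leaks(PAGE_URL, PAGE_HTML, {}):
        print(f"<{tag}> -> {target} would see the capability URL as Referer")
```

Same-origin references are deliberately not reported: they do not leak the URL to a third party, but the gateway's own access log still records it, which is the server half of the leak.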
