[tahoe-dev] can the web browser be used securely to manage your data? Re: Tahoe-LAFS is widely misunderstood
David-Sarah Hopwood
david-sarah at jacaranda.org
Thu Feb 3 22:13:53 PST 2011
On 2011-02-03 15:20, Greg Troxel wrote:
> In many ways this is the only sane position, but there's a big
> difference between "this machine doesn't have a keylogger" and "my caps
> are on this machine's backup tapes".
>
> So, there probably should be some way to unlock caps protected with a
> passphrase, much like ssh-agent or gpg-agent. Then, the way caps are
> used in browsers becomes obviously more problematic: in typical usage
> the browser remembers caps and stores them in .mozilla/firefox/blah/blah
> someplace.
That's a good point.
> An interesting step would be to change the WUI to treat capabilities as
> passwords rather than form values. My two worries are:
>
> firefox remembers caps by default
>
> firefox is too big to be non-scary to handle secrets. sometimes it's
> too hard to resist, but tahoe doesn't feel architecturally like one of
> those times.
>
> So a valid attack would be:
>
> get control of a computer on which someone has used tahoe in the past
> (accessing the WUI with a browser), and get at their files.
Note that this might be an argument in favour of accessing the WUI over
HTTPS. Browsers can be configured not to cache data retrieved over HTTPS,
including URIs.

At least, that was true before browsers started supporting session savers;
I'm not sure how they affect this argument. (I'm well aware that due to
session savers I have no protection against exposure of browsing history
to anyone who hacks my machine, and find them indispensable anyway.)

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com