[tahoe-lafs-trac-stream] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header
tahoe-lafs
trac at tahoe-lafs.org
Sun Oct 28 09:24:20 UTC 2012
#127: Cap URLs leaked via HTTP Referer header
-------------------------+-------------------------------------------------
Reporter: warner | Owner: davidsarah
Type: defect | Status: assigned
Priority: major | Milestone: 1.11.0
Component: code- | Version: 0.7.0
frontend-web | Keywords: confidentiality integrity
Resolution: | preservation capleak
Launchpad Bug: |
-------------------------+-------------------------------------------------
Old description:
> It occurred to me that, despite the show-all-files-by-URI change we made
> to protect the private-vdrive URI from referrer headers and active
> javascript attacks, that there is still one remaining: the URI of the
> HTML file itself.
>
> Let's say that you write a secret HTML document and upload it to the
> grid, attached to some directory in your private vdrive so nobody else
> can see it. In this document you include an HREF to mysuperevilsite.org,
> because it's really cool. When you use your tahoe node's web server to
> read that document, it will serve it to you as /uri/RANDOMURI, and when
> you follow that HREF to the super evil site, I (as the operator ot
> mysuperevilsite.org) will see a Referrer header with /uri/RANDOMURI in
> it. Then I fire up my own tahoe node and get to read your secret
> document.
>
> Alternatively, once you're viewing a page from the evil site, I can put
> javascript in that page which uses __your__ tahoe node to read
> /uri/RANDOMURI and do something clever to get the data back to me.
>
> I'm less concerned about this one than the previous attack (#98), but it
> would still be nice to find a way to fix it. I can't think of any clever
> solutions, though. Note that the javascript attack means that (like with
> all confused deputy attacks) somehow encrypting the URL wouldn't help
> (since ambient authority can still be exploited by the attacker).
New description:
It occurred to me that, despite the show-all-files-by-URI change we made
to protect the private-vdrive URI from referrer headers and active
javascript attacks, that there is still one remaining: the URI of the HTML
file itself.
Let's say that you write a secret HTML document and upload it to the grid,
attached to some directory in your private vdrive so nobody else can see
it. In this document you include an HREF to mysuperevilsite.org, because
it's really cool. When you use your tahoe node's web server to read that
document, it will serve it to you as /uri/RANDOMURI, and when you follow
that HREF to the super evil site, I (as the operator ot
mysuperevilsite.org) will see a Referrer header with /uri/RANDOMURI in it.
Then I fire up my own tahoe node and get to read your secret document.
Alternatively, once you're viewing a page from the evil site, I can put
javascript in that page which uses __your__ tahoe node to read
/uri/RANDOMURI and do something clever to get the data back to me.
I'm less concerned about this one than the previous attack (#98), but it
would still be nice to find a way to fix it. I can't think of any clever
solutions, though. Note that the javascript attack means that (like with
all confused deputy attacks) somehow encrypting the URL wouldn't help
(since ambient authority can still be exploited by the attacker).
--
Comment (by ChosenOne):
The noreferrer attribute on links could prevent leaking dircaps when
clicking the link to a potentially malicious html file on the WUI
http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html
#link-type-noreferrer
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/127#comment:32>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list