[tahoe-lafs-trac-stream] [tahoe-lafs] #2142: How to enhance WebUI default security against capability eavesdropping?
tahoe-lafs
trac at tahoe-lafs.org
Sat Dec 28 00:22:08 UTC 2013
#2142: How to enhance WebUI default security against capability eavesdropping?
--------------------------------+------------------------------------------
 Reporter:  amontero            |  Owner:  amontero
 Type:  enhancement             |  Status:  new
 Priority:  normal              |  Milestone:  undecided
 Component:  code-frontend-web  |  Version:  1.10.0
 Resolution:                    |  Keywords:  websec confidentiality privacy wui webapi docs
 Launchpad Bug:                 |
--------------------------------+------------------------------------------
Comment (by zooko):
Replying to [comment:9 amontero]:
> Having to deal with openssl command and options can be troublesome for
> some users. I want to spare them that, if possible. Using the "node.pem"
> cert would be a great way to achieve it.

Suppose that you could use the "node.pem" cert, or suppose that the
Tahoe-LAFS gateway would generate a self-signed key automatically (the
equivalent of the command-lines described in comment:8). Then the users
could connect to it, but they would get a certificate warning that they
would have to click through, which is kind of hard to click through on
modern Firefoxes. Also, if they do click through that warning, then an
attacker could hijack their connection and read the contents of the
session and forge contents.

So, maybe that's not worth doing?
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2142#comment:10>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage