[tahoe-lafs-trac-stream] [tahoe-lafs] #2142: How to enhance WebUI default security against capability eavesdropping?
tahoe-lafs
trac at tahoe-lafs.org
Tue Dec 31 18:14:49 UTC 2013
#2142: How to enhance WebUI default security against capability eavesdropping?
---------------------------------+-------------------------------------------
Reporter:      amontero          | Owner:     amontero
Type:          enhancement       | Status:    new
Priority:      normal            | Milestone: undecided
Component:     code-frontend-web | Version:   1.10.0
Resolution:                      | Keywords:  websec confidentiality privacy
Launchpad Bug:                   |            wui webapi docs
---------------------------------+-------------------------------------------
Comment (by amontero):
Replying to [comment:16 daira]:
> As far as I understand, once you've added an exception you no longer get
> any warnings at all about active attacks. Yes, I agree that's not how it
> should work.
But AFAIK, you'll get a warning against any MITM that cannot fake the
same exact cert you added as trusted from your browser. I tried simply
regenerating a new cert for a node and the cert warning pops up again.
That's nice to have. Also, I suspect that browsers match trusted certs by
looking at their fingerprints (difficult to fake, AFAIK).
And still, it would prevent passive snooping/sniffing of cleartext
traffic. Nice, too. Of course, it should be clearly documented which
attacks SSL would prevent and which not.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2142#comment:17>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
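
Added example, not part of the ticket or of Tahoe-LAFS code: a small model of the behaviour described in the comment above, where an accepted certificate is remembered by its SHA-256 fingerprint per host:port and any other certificate triggers a warning again. The ExceptionStore class, the host/port values and the certificate byte strings are assumptions constructed for illustration; whether browsers match exceptions exactly this way is the commenter's suspicion, not something this code establishes.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value a pin is compared against."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch a server certificate without CA validation (self-signed node)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin check, not a CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class ExceptionStore:
    """Hypothetical model of 'add exception': one pinned fingerprint per host:port."""

    def __init__(self):
        self._pins = {}

    def add_exception(self, host, port, der_cert):
        self._pins[(host, port)] = fingerprint(der_cert)

    def check(self, host, port, der_cert):
        pinned = self._pins.get((host, port))
        if pinned is None:
            return "warn-untrusted"  # no exception stored for this endpoint
        if hmac.compare_digest(pinned, fingerprint(der_cert)):
            return "ok"              # same certificate that was accepted
        return "warn-changed"        # regenerated certificate or active MITM


# Constructed stand-ins for DER certificates (not real certificates).
ORIGINAL_CERT = b"constructed-der-bytes: node cert, key A"
REGENERATED_CERT = b"constructed-der-bytes: node cert, key B"


def demo():
    store = ExceptionStore()
    store.add_exception("127.0.0.1", 3456, ORIGINAL_CERT)
    certs = (ORIGINAL_CERT, REGENERATED_CERT)
    return [store.check("127.0.0.1", 3456, c) for c in certs]
```

Against a live node, pass the result of fetch_der(host, port) to add_exception() once over a trusted path and to check() on later connections.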