[tahoe-lafs-trac-stream] [tahoe-lafs] #995: It's way too easy to give away write directory caps

tahoe-lafs trac at tahoe-lafs.org
Sat Sep 14 17:39:57 UTC 2013


#995: It's way too easy to give away write directory caps
----------------------------------+---------------------------------------------------------------
     Reporter:  jsgf              |      Owner:  nobody
         Type:  defect            |     Status:  new
     Priority:  major             |  Milestone:  undecided
    Component:  code-frontend-web |    Version:  1.6.0
   Resolution:                    |   Keywords:  wui jsui usability confidentiality capleak websec
Launchpad Bug:                    |
----------------------------------+---------------------------------------------------------------
Changes (by zooko):

 * keywords:  wui jsui usability confidentiality capleak => wui jsui usability confidentiality capleak websec


Old description:

> The WUI makes it too easy to accidentally give away the write directory
> caps for a directory.  The most obvious thing to do - cut'n'paste the URL
> - is the worst thing to do.  If you want to give a RO directory cap to
> someone else, you need to make a fairly explicit extra step to do so.
>
> I don't know how to address this, but here are some thoughts:
>
> 1. Add an obvious "share this directory" button which pops up a pre-
> selected cuttable RO URL, in order to try and make the right thing the
> most simple and obvious.
>
> 2. Use cookies to maintain some per-session state, and use that state to
> mangle the cap in the URL, to prevent it from being accepted by any other
> web gateway/WUI session.  Unfortunately without some strong crypto in the
> browser this will not prevent the URL from being accidentally shared
> unless the user notices it has been mangled before sending it.
>
> 3. Erm, something else?

New description:

 The WUI makes it too easy to accidentally give away the write directory
 caps for a directory.  The most obvious thing to do - cut'n'paste the URL
 - is the worst thing to do.  If you want to give a RO directory cap to
 someone else, you need to make a fairly explicit extra step to do so.

 I don't know how to address this, but here are some thoughts:

 1. Add an obvious "share this directory" button which pops up a pre-
 selected cuttable RO URL, in order to try and make the right thing the
 most simple and obvious.

 2. Use cookies to maintain some per-session state, and use that state to
 mangle the cap in the URL, to prevent it from being accepted by any other
 web gateway/WUI session.  Unfortunately without some strong crypto in the
 browser this will not prevent the URL from being accidentally shared
 unless the user notices it has been mangled before sending it.

 3. Erm, something else?

--

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/995#comment:14>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
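The ticket's first suggestion (a share button that only ever hands out the read-only cap) and the underlying problem (a WUI URL carries whatever cap was opened, write caps included) both come down to telling the two kinds of cap apart before a URL leaves the browser. The block below is an added example, not code from the ticket or from Tahoe-LAFS itself: it classifies a cap or WUI URL by the authority it confers, builds a share link only from a read-only cap, and scans free text such as a chat export for write caps that have already escaped. The `URI:DIR2:` / `URI:DIR2-RO:` / `URI:SSK:` family of prefixes are Tahoe's documented cap types; the authority labels, the `share_link`/`find_write_caps` helpers, the gateway address and the base32 key material in the sample text are this example's own assumptions and constructed data.

```python
import re
from urllib.parse import quote, unquote

# Tahoe-LAFS cap type prefixes (documented formats) mapped to the authority
# they confer. The mapping itself is this example's classification, not
# project code.
CAP_AUTHORITY = {
    "URI:DIR2:": "write",
    "URI:DIR2-MDMF:": "write",
    "URI:SSK:": "write",
    "URI:MDMF:": "write",
    "URI:DIR2-RO:": "read",
    "URI:DIR2-MDMF-RO:": "read",
    "URI:SSK-RO:": "read",
    "URI:MDMF-RO:": "read",
    "URI:DIR2-CHK:": "read",
    "URI:CHK:": "read",
    "URI:DIR2-LIT:": "read",
    "URI:LIT:": "read",
    "URI:DIR2-Verifier:": "verify",
    "URI:SSK-Verifier:": "verify",
    "URI:CHK-Verifier:": "verify",
}

# A cap is "URI:<TYPE>:<field>:<field>..." where the fields are lowercase
# base32 or decimal. The match stops at "/", "?" or whitespace, so a cap
# embedded in a WUI URL is extracted cleanly.
CAP_RE = re.compile(r"URI:[A-Za-z0-9-]+:[a-z0-9]+(?::[a-z0-9]+)*")


def extract_cap(text):
    """Return the first cap in a raw cap string or a WUI URL such as
    http://127.0.0.1:3456/uri/URI%3ADIR2%3A.../ (percent-decoded first)."""
    m = CAP_RE.search(unquote(text))
    return m.group(0) if m else None


def classify_cap(text):
    """'write', 'read', 'verify' or 'unknown' for the cap in text; None if
    no cap is present."""
    cap = extract_cap(text)
    if cap is None:
        return None
    for prefix, authority in CAP_AUTHORITY.items():
        if cap.startswith(prefix):
            return authority
    return "unknown"


def is_safe_to_share(text):
    """True only when the cap grants no more than read access."""
    return classify_cap(text) == "read"


def share_link(gateway, text):
    """Build the URL a 'share this directory' button should hand out.
    Anything but a read-only cap is refused: deriving the read-only form of
    a write cap is the node's job (its JSON view of a directory reports it
    as ro_uri), so the caller must fetch that first. `gateway` is assumed
    to be the local WUI base URL."""
    authority = classify_cap(text)
    if authority != "read":
        raise ValueError(
            f"refusing to share: cap authority is {authority!r}, need 'read'")
    return f"{gateway.rstrip('/')}/uri/{quote(extract_cap(text), safe='')}/"


def find_write_caps(text):
    """Detection side: every write cap present in free text (a pasted URL, a
    chat export, a proxy log), so an accidental leak can be spotted and the
    directory re-keyed."""
    return [c for c in CAP_RE.findall(unquote(text))
            if classify_cap(c) == "write"]


# Constructed sample chat export: one WUI link pasted whole (it carries the
# write cap) and one read-only cap. The key material is made-up base32.
SAMPLE_CHAT = """\
alice: project folder is http://127.0.0.1:3456/uri/URI%3ADIR2%3Amnopqrstuvwxyz234567abcdefghijkl%3Azyxwvutsrqponmlkjihgfedcba765432/
bob: read-only one: URI:DIR2-RO:abcdefghijklmnopqrstuvwxyz234567:765432zyxwvutsrqponmlkjihgfedcba
"""

if __name__ == "__main__":
    for cap in find_write_caps(SAMPLE_CHAT):
        print("write cap leaked:", cap[:24] + "...")
    ro_line = SAMPLE_CHAT.splitlines()[1]
    print("safe share link:", share_link("http://127.0.0.1:3456", ro_line))
```

Run as a script it flags the write cap hidden in alice's URL and prints a share link for bob's read-only cap; calling `share_link` on alice's line raises instead. Matching is by prefix only, so `URI:DIR2:` never collides with `URI:DIR2-RO:`, and an unrecognised cap type is reported as `unknown` rather than silently treated as shareable.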

