#2810 closed task (fixed)

disable Foolscap 'gifts' (third-party references)

Reported by: warner Owned by: warner
Priority: normal Milestone: 1.12.0
Component: code-network Version: 1.11.0
Keywords: anonymity Cc:
Launchpad Bug:

Description

Foolscap-0.9.0 (released 21-Sep-2015) added a Tub option to ignore "gifts", which is the feature that enables third-party references (also known as "introductions"). This allows Alice to include a reference to Bob as an argument in a message to Carol, where Bob is an object on a different Tub than either Alice or Carol. It works by sending a special reference type (named "their-reference") that contains the full FURL of the target. The recipient automatically establishes a connection to the new Tub before delivering the arguments to the method.

While this is an important primitive for generalized distributed systems, we don't actually use it in Tahoe. And in the context of Tor and anonymity, it is a threat: Carol might be running her node behind an onion address, so Alice does not know Carol's real IP address. Alice could create a third-party reference with a FURL that points to a host she controls, send it to Carol, then record what IP address the resulting connection came from.

The way we're using connection handlers in Tahoe will prevent this (Carol's tub will be configured to use Tor for all outbound connections, so Alice/Bob will observe a connection coming from a Tor exit node), but it'd be good to have defense in depth.

So the change is simple: in node.py, where we're building up the list of tub options to apply (currently things like logLocalFailures and disconnectTimeout), we should add tub.setOption("accept-gifts", False).
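
An added illustration of the mechanism and the fix described above (example code, not part of the ticket, of Tahoe or of Foolscap): a stand-in `FakeTub`, the helpers `apply_tub_options`, `parse_furl`, `deliver_argument` and the `their-reference` tuple shape are assumptions made for a self-contained model; only the option name "accept-gifts", the `setOption` method and the FURL layout (pb://tubid@hint,hint/swissnum) come from Foolscap. It shows how a gift carrying an attacker-chosen FURL would make a gift-accepting Tub dial the attacker's host, and how the same argument is refused once "accept-gifts" is False.

```python
"""Model of the 'accept-gifts' defence: gift-accepting Tub vs hardened Tub.

Added example, not Tahoe or Foolscap code. FakeTub, apply_tub_options,
parse_furl and deliver_argument are illustrative stand-ins (assumptions).
"""


class GiftRejected(Exception):
    """Raised when a their-reference arrives at a Tub that does not accept gifts."""


class FakeTub:
    """Stand-in for foolscap.Tub (assumption): records options and dial attempts."""

    def __init__(self):
        self.options = {}
        self.connections = []  # (host, port) pairs this Tub would have connected to

    def setOption(self, name, value):
        self.options[name] = value


def apply_tub_options(tub):
    """Tahoe-style option setup; 'accept-gifts': False is the change the ticket asks for."""
    tub.setOption("logLocalFailures", True)
    tub.setOption("disconnectTimeout", 60)
    tub.setOption("accept-gifts", False)
    return tub.options


def parse_furl(furl):
    """Split a FURL into (tubid, [(host, port), ...], swissnum).

    Layout: pb://<tubid>@<hint>[,<hint>...]/<swissnum>, where a hint is
    'tcp:HOST:PORT' (legacy hints omit the 'tcp:' prefix).
    """
    if not furl.startswith("pb://"):
        raise ValueError("not a FURL: %r" % (furl,))
    location, _, swissnum = furl[len("pb://"):].partition("/")
    tubid, _, hints = location.partition("@")
    if not (tubid and hints and swissnum):
        raise ValueError("malformed FURL: %r" % (furl,))
    parsed = []
    for hint in hints.split(","):
        parts = hint.split(":")
        if len(parts) == 2:  # legacy HOST:PORT
            host, port = parts
        elif len(parts) == 3 and parts[0] == "tcp":
            _, host, port = parts
        else:
            raise ValueError("unsupported connection hint: %r" % (hint,))
        parsed.append((host, int(port)))
    return tubid, parsed, swissnum


def deliver_argument(tub, arg):
    """Model of unpacking one incoming method argument before delivery.

    A plain value passes through. A 'their-reference' (gift) carries a FURL;
    a gift-accepting Tub resolves it by dialing the FURL's hints, which reveals
    the Tub's address to whoever chose those hints. With 'accept-gifts' False
    the argument is refused and no connection is attempted.
    """
    if not (isinstance(arg, tuple) and arg and arg[0] == "their-reference"):
        return arg
    furl = arg[1]
    if not tub.options.get("accept-gifts", True):  # Foolscap's default accepts gifts
        raise GiftRejected("refusing third-party reference %s" % (furl,))
    tubid, hints, _swissnum = parse_furl(furl)
    for host, port in hints:
        tub.connections.append((host, port))  # the IP-revealing outbound connection
    return "RemoteReference(%s)" % (tubid,)


def demo():
    """Deliver the same attacker-supplied gift to a default Tub and to a hardened one."""
    # Constructed attacker-controlled gift: the hint points at a host the attacker runs.
    gift = ("their-reference", "pb://abc123@tcp:attacker.example:8080/swissnum")

    permissive = FakeTub()  # default behaviour: gifts accepted, connection made
    deliver_argument(permissive, gift)

    hardened = FakeTub()
    apply_tub_options(hardened)  # includes accept-gifts = False
    try:
        deliver_argument(hardened, gift)
        refused = False
    except GiftRejected:
        refused = True
    return permissive.connections, refused


if __name__ == "__main__":
    print(demo())  # ([('attacker.example', 8080)], True)
```

The hardened Tub never reaches `parse_furl`, so the FURL's hints are never dialed; the connection policy mentioned in the description ("tcp: tor") is a second, independent layer that would only change where the permissive Tub's connection appears to come from.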

Change History (1)

comment:1 Changed at 2016-08-29T01:36:14Z by Brian Warner <warner@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 2d358f2/trunk:

Disable foolscap "gifts"

"gifts" are third-party references (where Alice sends Bob a reference to
Carol, and Carol lives in a different Tub than either Alice or Bob).
Tahoe doesn't currently use these, and they make it possible for e.g. a
server to provoke a client into making a connection to an IP address of
the server's choosing. If the client isn't configured otherwise, this
would use raw TCP (revealing the client's IP address) even if the
connection to the server used Tor.

A connection policy of tcp: tor would block this, but it seems like a
good idea to disable gifts entirely.

closes ticket:2810
