#861 closed defect (duplicate)

Any node interface available on a public exposes confidential grid info

Reported by: imhavoc Owned by: somebody
Priority: major Milestone: undecided
Component: code-frontend-web Version: 1.5.0
Keywords: privacy security Cc:
Launchpad Bug:


Any node that is available on an exposed IP address publishes the introducer furl and the helper furl (if attached) to the world.

This results in anyone discovering the address of an exposed node being able to attach to a grid and a helper. This could result in unlimited abuse.

If one wanted to store files on their grid, then publish specific files to the net, a public node is required. Once that node is published, finding the furls is trivial.

Example: Zooko's blog hosted on the TestGrid: http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html#2009-12-15

Going to the root of the node: http://testgrid.allmydata.org:3567/


Connected to introducer?: yes

This happens to be a wonderful feature for the TestGrid, but a easy point of attack for anyone with a "closed" or "limited" grid.

Change History (3)

comment:1 Changed at 2009-12-17T04:01:22Z by imhavoc

Moved to #860

comment:2 Changed at 2009-12-17T04:11:53Z by davidsarah

  • Resolution set to duplicate
  • Status changed from new to closed

comment:3 Changed at 2009-12-17T04:13:02Z by davidsarah

  • Component changed from operational to code-frontend-web
  • Keywords privacy added; confidentiality vulnerability removed
Note: See TracTickets for help on using tickets.