#997 new defect

The webapi/WUI should have https enabled by default

Reported by: jsgf Owned by: nobody
Priority: major Milestone: undecided
Component: code-frontend-web Version: 1.6.0
Keywords: confidentiality wui webapi capleak Cc:
Launchpad Bug:

Description (last modified by warner)

In the spirit of making the defaults secure, the web interface should have https enabled by default. Plain http is only secure if you assume users will always interact with the server over a secure network, but practice shows that people often connect to remote servers.

This implies that Tahoe should ship with some certificates. These can be any dummy self-signed certs, since we just need secure key negotiation.

Change History (7)

comment:1 follow-up: Changed at 2010-03-13T20:37:09Z by imhavoc

https will secure the contents of the file, but not the CAPS. The CAPs will still be available to every router/hub/switch along the way. Transmitting the CAP in the URL makes keeping secrets difficult.

comment:2 follow-up: Changed at 2010-03-13T20:53:37Z by chris

@jsgf: There is no secure key negotiation with anonymous peers. That is, self-signed certificates will not (by themselves) suffice to protect HTTPS communications across an insecure network (== any non-isolated network). SSH-style trust-on-first-use + continuity of identity might suffice, however. Unfortunately, no browser makes that easy/possible right now. This is a browser bug, but we have to live with it for now.

An alternative that sort-of-works with current browsers is to generate a new CA certificate as part of installing the WUI, and then instruct users to add that CA to their browsers' CA certificate stores.

However, browsers still provide no *easy* way for users to distinguish between an HTTPS server authenticated by their WUI's CA and by any random (potentially malicious/incompetent/compromised, yet trusted) CA.

@imhavoc: No, URLs are not exposed to routers/hubs/switches when using HTTPS. The entire HTTP conversation is encapsulated inside TLS; midpoints see only TLS setup and encrypted data messages.

comment:3 in reply to: ↑ 2 Changed at 2010-03-13T23:26:53Z by jsgf

Replying to chris:

@jsgf: There is no secure key negotiation with anonymous peers. That is, self-signed certificates will not (by themselves) suffice to protect HTTPS communications across an insecure network (== any non-isolated network). SSH-style trust-on-first-use + continuity of identity might suffice, however. Unfortunately, no browser makes that easy/possible right now. This is a browser bug, but we have to live with it for now.

Quite right, it doesn't help with MITM. But it is an improvement over plaintext.

An alternative that sort-of-works with current browsers is to generate a new CA certificate as part of installing the WUI, and then instruct users to add that CA to their browsers' CA certificate stores.

Yes. But installing CA certs is pretty tricky to do from browser to browser. But it should be managed somehow, because a self-signed cert will cause browsers to whine.

comment:4 in reply to: ↑ 1 Changed at 2010-03-14T02:23:55Z by davidsarah

Replying to imhavoc:

https will secure the contents of the file, but not the CAPS. The CAPs will still be available to every router/hub/switch along the way.

That's not correct; request URLs are encrypted by https.

Transmitting the CAP in the URL makes keeping secrets difficult.

It does, but for other reasons ([tickets tagged 'capleak').

comment:5 Changed at 2010-03-14T02:24:41Z by davidsarah

  • Keywords capleak added

comment:6 Changed at 2010-03-15T19:19:16Z by warner

I really want to encourage users to run their own gateway. I'm a little bit nervous that turning on SSL by default will look like we're suggesting people talk to somebody else's gateway, and would imply that eavesdroppers on the wire between your browser and that gateway are more of a concern than whether your gateway is acting in your own best interests. I recognize that using SSL (even on localhost) is strictly equal-or-more-secure than non-SSL, but I do wonder if it sends the wrong message to users.

Asking users to install a new CA root feels wrong to me.. it teaches them to "improve" their security by adding vulnerabilities into their browser.

The real question is what secrets (i.e. the filecaps) you're revealing to which parties, and whether those are the parties you meant to reveal them to. "http://127.0.0.1/" in the browser is harder to spoof than the collection of (browser shows usual spoofable lock icon)+(address bar shows meaningful DNS name)+(user remembers mapping from DNS name to which gateway they meant to use)+(CA/PKI system is uncompromised and maps DNS name / cert name to the expected cert)+(gateway isn't logging/revealing your filecaps).

Maybe we should discuss the properties of a web gateway which *only* accepted connections from localhost?

comment:7 Changed at 2014-09-11T22:20:19Z by warner

  • Component changed from unknown to code-frontend-web
  • Description modified (diff)
Note: See TracTickets for help on using tickets.