Security Considerations

This page exists so that there is one page to read to learn about the security guarantees that Tahoe is designed to provide, as well as about any current known issues that might have security consequences.

Current Known Security Issues in Tahoe

There is currently one known issue in Tahoe that could have security implications.

This issue is: if there is a file stored on a Tahoe storage grid, and that file gets downloaded and displayed in a web browser, and that file contains hyperlinks which get followed by the web browser, then the web server that those hyperlinks point to gets access to the file that the hyperlinks were in. Remember that IMG tags typically get followed automatically, so it is not a complete defense against this problem to make sure that nobody who is viewing the page clicks on the hyperlinks.

We are thinking about ways to close off this leakage of authority while preserving ease of use -- the ticket associated with this issue is ticket #127.

In the meantime, a good work-around is to remove all hyperlinks pointing to external servers from any HTML file that you upload to a Tahoe grid, if you want the contents of the file to remain private.

General Security Properties of Tahoe

The following is not complete.

However, you can view a complete technical explanation of which this page is eventually intended to be a summary.

The Distributed Filesystem

Access Control

The Tahoe distributed filesystem is composed of files and directories.

Files

read access

Each file has a unique and unguessable identifier, called a "CHK-URI", which is derived from the file contents. Possession of this identifier is necessary and sufficient to download, reconstruct, decrypt, and verify the integrity of the file. If a person is not given the CHK-URI, then they cannot see the contents of the file.

mutation

Files in the Tahoe grid are immutable. If you upload a file to the grid, and then change part of it and upload it again, then there are now two files in the grid -- the old one and the new one -- and each has a distinct, unique, CHK-URI.

Traffic Analysis

To be filled in. Traffic analysis is subtle and powerful. For the moment, assume that if someone wants to, they can learn everything about your every act, including when were, and which file, by its unique identifier and its length except that they can't learn the actual contents of the files, except that if the file happens to be a file whose contents they already know then they can. Make sense? I'll come back later.