Wade Simmons told me that he spent several hours trying to exploit Tahoe-LAFS in order to create and win the Fourth "I Hacked Tahoe-LAFS!" T-Shirt, but that he couldn't figure out how to do it.
I work with Wade at SimpleGeo and I have a high opinion of his engineering skill. He explored what seemed to be the most promising approach, ticket #615. The scenario is that you have access to read a confidential file, or you have access to write to a file which you don't want the attacker to be able to overwrite, and you are using this access through your web browser which is pointed at http://localhost:3456 to connect to your tahoe-lafs web gateway. Then you load an HTML+JavaScript file which was written by the attacker in another tab of the same browser, or even in the same tab in which your sensitive file was previously displayed. The attacker wins if he (the human who wrote the HTML+JavaScript page) can learn the contents of your confidential file or can cause the contents of your sensitive file to be overwritten.

I had thought, based on what a few web security experts had told me, that it would be easy for the attacker to take advantage of this situation, but Wade reported that he was unable to do it. He was using Safari 5 for testing.

Well! This is encouraging! Perhaps the browser's regrettable "Same Origin Policy" has not completely neutered Tahoe-LAFS's defenses against malicious JavaScript loaded from the same origin and running in a separate tab of the same browser.

Wade reported that he was always stymied by the fact that the page he was trying to get access to had an unguessable URL. I told him that the web security experts had told me that it is possible for the malicious JavaScript to learn the URL of the other page, but he reported that he was unable to do so.

Great! That means that *you*, oh gentle reader, now have your chance to cause the Fourth Ever "I Hacked Tahoe-LAFS!" T-Shirt to come into existence and be yours!

Regards,

Zooko

_______________________________________________
tahoe-dev mailing list
tahoe-dev@tahoe-lafs.org
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev