Dear people of tahoe-dev and cap-talk: Due to a query from Mark Miller about our experiences with CSRF and "webkey"-style capabilities-in-URLs, I updated the web page about CSRF on the http://hacktahoe.org site:
http://hacktahoe.org/csrf.html

It begins like this:

There is a general principle here which deserves to be more widely appreciated. A CSRF attack looks, under the hood, a lot like sharing. (The difference is that the sharer intends to harm the receiver.) Compare Figure 1 -- CSRF attack and Figure 2 -- sharing.

bad guy              victim             site
.------.   message   .-----. authority .-----.
| >:-} | ----------> | :-| | ========> | ... |
'------'             '-----'           '-----'

Figure 1 -- CSRF attack: the bad guy presents a message (such as a form or a hyperlink or a page with Javascript on it) to the victim, who sends a request -- an authority-wielding message -- to the site, which has an effect. The victim already had the authority to do that thing, such as to delete her private files, but she didn't realize what the form or hyperlink was going to do when she clicked on it.

friend               friend             site
.------.   message   .-----. authority .-----.
| :-)  | ----------> | :-) | ========> | ... |
'------'             '-----'           '-----'

Figure 2 -- sharing: a friend sends a message (containing something such as a form or a hyperlink or Javascript) to another friend, which does something on the site when she clicks on it.

This insight leads us to propose the following aphorism:

Solve CSRF attacks by making references unforgeable, not by making them unshareable.

_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
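
The two figures above, worked through as an added example that is not part of the original message or of the hacktahoe.org page: the same "delete a file" action is implemented once with ambient authority (a session cookie plus a guessable URL) and once as a webkey-style URL carrying an unguessable token. A model of the victim's browser, which attaches its cookies to any request regardless of which page triggered it, is then used to play out the CSRF attack of Figure 1 against both designs and the sharing of Figure 2 against the webkey design. All class and function names here, and the file and user names, are constructed for the illustration.

```python
"""Added example (not from the original post): why a CSRF attack is
structurally the same as sharing, and why an unforgeable reference stops
the attack without stopping the sharing. Everything below is constructed."""
import hashlib
import secrets


class CookieSite:
    """Design 1: ambient authority. Authority comes from the session cookie
    that the browser attaches automatically, and the action URL is guessable."""

    def __init__(self):
        self.files = {"alice": {"diary.txt"}}
        self.sessions = {}  # session id -> user name

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def request(self, path, cookies):
        # Whoever can make the victim's browser fetch this path acts as the victim.
        user = self.sessions.get(cookies.get("session"))
        if user is None:
            return 401
        if path.startswith("/delete/"):
            name = path[len("/delete/"):]
            if name in self.files.get(user, ()):
                self.files[user].discard(name)
                return 200
        return 404


class WebkeySite:
    """Design 2: webkey. The URL itself carries a 128-bit random token that is
    the authority; cookies are ignored. Only the token's hash is stored, so a
    leaked table does not leak the capabilities themselves."""

    def __init__(self):
        self.files = {"alice": {"diary.txt"}}
        self.caps = {}  # sha256(token) -> (user, file name)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def grant(self, user, name):
        token = secrets.token_urlsafe(16)  # unforgeable in practice, freely shareable
        self.caps[self._digest(token)] = (user, name)
        return f"/cap/{token}/delete"

    def request(self, path, cookies=None):
        parts = path.split("/")
        if len(parts) != 4 or parts[1] != "cap" or parts[3] != "delete":
            return 404
        entry = self.caps.get(self._digest(parts[2]))
        if entry is None:
            return 404  # a guessed token has a negligible chance of hitting
        user, name = entry
        self.files[user].discard(name)
        return 200


class Browser:
    """The victim's browser: sends its stored cookies with every request to the
    site, whether the request came from the site's own page or from a link or
    form on some other page. That behaviour is all a CSRF attack needs."""

    def __init__(self, site):
        self.site = site
        self.cookies = {}

    def click(self, path):
        return self.site.request(path, self.cookies)


def csrf_against_cookie_site():
    """Figure 1 against design 1: returns True if the bad guy deleted the file."""
    site = CookieSite()
    victim = Browser(site)
    victim.cookies["session"] = site.login("alice")
    # The attacker can write this link into their own page because it is guessable.
    victim.click("/delete/diary.txt")
    return "diary.txt" not in site.files["alice"]


def csrf_against_webkey_site():
    """Figure 1 against design 2: the attacker never saw Alice's token, so the
    best they can do is guess one. Returns True only if the guess deleted the file."""
    site = WebkeySite()
    victim = Browser(site)
    site.grant("alice", "diary.txt")  # the real webkey stays with Alice
    victim.click(f"/cap/{secrets.token_urlsafe(16)}/delete")
    return "diary.txt" not in site.files["alice"]


def sharing_with_webkey():
    """Figure 2 against design 2: Alice sends Bob the webkey. Bob's browser has
    no cookies for the site, yet the link works, because the reference itself
    carries the authority. Returns True if Bob's click deleted the file."""
    site = WebkeySite()
    alice_cap = site.grant("alice", "diary.txt")
    bob = Browser(site)
    bob.click(alice_cap)
    return "diary.txt" not in site.files["alice"]
```

The only way the bad guy in the webkey design can make Figure 1 work is to already hold Alice's webkey, at which point the picture collapses into Figure 2: he already had the authority, and the victim's click added nothing. That is the aphorism in code: the defence is that the reference cannot be forged, not that it cannot be passed on.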
