On 7/29/10 12:50 AM, James A. Donald wrote:
> Some time ago, someone proposed a local service that would map all
> domains of the form *.tahoe-stuff to the same network address, thereby
> allowing every web page to have a separate origin, thus preventing
> common origin attacks, but this would create some other insecurity.
>
> I did not understand why this would create some other insecurity, but
> failed to pipe up at the time.
>
> But the more I think about it, the less I can see how it would create
> some other insecurity.
The insecurity comes from the implementation of the *.tahoe-stuff mapping. Unless we could get each user to run their very own specialized DNS server, the only way to map all the 1.tahoe.org and 2.tahoe.org and 3.tahoe.org names to the same 127.0.0.1 IP address is for some central party to host a tahoe.org DNS server with a wildcard A record entry. But then that central party could, after everybody gets comfortable, attack by returning their own IP addresses instead of 127.0.0.1, and suddenly everybody would be sending their filecaps to the attacker.

A local (trusted) DNS server could return *.something=127.0.0.1, but that involves running another daemon on the local machine (as root, so it can listen on port 53), and changing the local /etc/resolv.conf equivalent to use it.

The best approach I can think of so far is to use 127.a.b.c and rely upon the fact that most hosts will send/accept all of these on the loopback interface, accomplishing something similar to *.tahoe-stuff without relying upon DNS (but having only 2^24 unique origins rather than a nearly infinite number). Or maybe there's a way to do something similar with IPv6 to get even more domains. In either case, I'd use a truncated storage-index to choose which IP address was used.

(actually, the fallback position I'm considering is just to have two HTTP ports, one of which is for the WUI and never ever serves user-generated content, the other of which is only for viewing/downloading files. At least then it'd be file-vs-file and not file-vs-every-directory-you-ever-look-at.)

cheers,
-Brian

_______________________________________________
tahoe-dev mailing list
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
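An added illustration of the 127.a.b.c scheme described in the message above, combined with the two-port fallback; this is example code, not code from the thread or from Tahoe-LAFS. The port number 3456, the WUI origin, and the sample storage indexes are assumptions for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
FILE_PORT = 3456  # assumed port for the file-serving listener (not from the thread)
WUI_ORIGIN = "http://127.0.0.1:3456"  # assumed WUI origin, used for the collision check


def loopback_origin(storage_index: bytes, port: int = FILE_PORT) -> str:
    """Derive a per-file origin from a truncated storage index.

    The first three bytes of the storage index become the a.b.c of a
    127.a.b.c loopback address: 2^24 distinct hosts, no DNS involved.
    Caveat: Linux routes all of 127.0.0.0/8 to the loopback interface, but
    some systems (macOS by default) only configure 127.0.0.1, so the extra
    addresses may have to be added to the interface before they can be bound.
    """
    if len(storage_index) < 3:
        raise ValueError("storage index must be at least 3 bytes")
    a, b, c = storage_index[:3]
    host = ipaddress.IPv4Address(f"127.{a}.{b}.{c}")
    if host not in LOOPBACK:  # cannot fail by construction; keeps the invariant explicit
        raise ValueError("derived address left 127.0.0.0/8")
    return f"http://{host}:{port}"


def same_origin(url_a: str, url_b: str) -> bool:
    """Browser same-origin rule: scheme, host and port must all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def collides_with_wui(storage_index: bytes, port: int = FILE_PORT) -> bool:
    """True if a file's derived origin equals the WUI's origin.

    A storage index beginning 00 00 01 maps to 127.0.0.1, the WUI's own host;
    only serving files on a port different from the WUI's (the two-port
    fallback) keeps such a file out of the WUI's origin.
    """
    return same_origin(loopback_origin(storage_index, port), WUI_ORIGIN)


if __name__ == "__main__":
    # Constructed 16-byte storage indexes (real ones come from Tahoe's cap derivation).
    si_a = bytes([0x2A, 0x00, 0xFF]) + b"\x00" * 13
    si_b = bytes([0x2A, 0x00, 0xFE]) + b"\x00" * 13
    print(loopback_origin(si_a), loopback_origin(si_b),
          same_origin(loopback_origin(si_a), loopback_origin(si_b)))
```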
