[cap-talk] do caps-in-URLs work in practice? (was: Disabling clipboard access in Internet Explorer)
zooko at zooko.com
Mon Dec 1 16:21:52 CST 2008
[adding Cc: cap-talk -- if you reply to both lists then please
subscribe to both lists before hitting send]
Dear . .:
You make a good argument and you do it well (excepted below, after
the end of this message).
I agree that names are typically public. (This is one of the reasons
why the traditional notion of "Zooko's Triangle" as describing
possible properties of names is fundamentally flawed -- the idea of a
non-human-friendly name is a pretty useless idea. However, Tyler
Close's recasting of Zooko's Triangle as being about *identifiers*
instead of about *names* is pretty sensible.)
I'm not entirely sure that I agree that people think of URLs as being
like names in this regard. I think this is partly an empirical
question that hasn't been properly answered yet: How *do* people use
a system like Tahoe with secrets in the URLs?
Do they find it convenient or off-putting? Do they use it safely or
Of course, these questions need to be asked in comparison with
alternatives, not in an isolated "ideal world".
Do people use these caps better or worse than they use login-and-
So far, results about this empirical question have started trickling
in from the Tahoe project. Here's my (biased, uncertain, incomplete)
summary so far:
1. People are not as reluctant to use caps-in-URLs as we might have
feared. Many people, with various levels of technical
sophistication, seem to have no problem with the idea.
2. On the other hand allmydata.com wrapped Tahoe's caps-in-URLs
inside a name-and-password system and a "tiny URL"-style server, in
part because the current caps are too big.
3. The important lesson to draw from #2 is that building a
capability access control system doesn't prevent the people who build
atop your system from creating different access control schemes,
which is as it should be.
4. It isn't clear to me if people who use Tahoe with caps-in-URLs
are more or less at risk of accidental disclosure than people who use
other, more conventional mechanisms of sharing. I'd say the results
are not yet in, on this one.
5. We're pioneering the idea of caps-in-URLs here, and so we'll
probably make mistakes which could be exploited. Nathan Wilcox and
Collin Jackson have both claimed (on this mailing list or on our
issue tracker) that our current strategy is dangerous, because it
doesn't fit well with the modern web security paradigm. I wouldn't
be surprised if we are forced to move from caps-in-URLs to Tyler
Close's idea of caps-in-URL-fragments. I can't see the issues
clearly enough without concrete attacks, though, so I'm hoping that
Nathan and/or Collin and/or others will post attacks and win a "Hack
Tahoe!" t-shirt. ;-) (Or in Nathan's case, *another* "Tahoe Tahoe!"
On Nov 18, 2008, at 18:22 PM, . . wrote:
> I feel that, fundamentally, URLs are "names", and that part of the
> contract of a name is that it is public. People treat names as
> public accessors or handles in many aspects of daily life. Hoping
> that a name remains secret is to hope for an unlikely thing. For
> example, IE and Firefox print the URL of the page at the footer of
> the page when you print. Is that a bug? I'd say no; it's a
> reasonable feature that allows anyone in possession of the printout
> to find the original online.
> Therefore, as used by real humans, Tahoe will not be as secure as
> it could be. There are just too many ways for a URL to leak out,
> and even if you tell them carefully, people will not internalize
> the idea that Tahoe names are secrets. It's at odds with everyday
> expectations and behavior.
More information about the cap-talk