[cap-talk] w3c tag discuss ocaps, webkeys, ADsafe and Caja
zooko
zooko at zooko.com
Tue Jan 6 10:03:41 EST 2009
I have an experience report that might be relevant.
In the Tahoe-LAFS project, we held an open contest to find security
flaws. One of the winners found a CSRF vulnerability in our system,
which at that time offered a combination of webkey-like URLs and path
URLs. Our solution was to remove the path URLs and leave only the
webkey-like URLs, which fixed the CSRF vulnerability. One empirical
observation is that no users have complained about the removal of the
path URLs, so perhaps our original intuition that path-based URLs were
important for user convenience was wrong.
On the other hand, we have had many user requests to allow sharing of
resources without requiring the recipient to log in to our service
first, showing that our original intuition about the desirability of
that behavior is right.
I have attempted to generalize the security and UI issues behind this
story here:
http://hacktahoe.org/csrf.html # solve CSRF attacks by making
references unforgeable, not by making them unshareable
The story of the contest and the CSRF attack is here:
http://hacktahoe.org/nathan_wilcox.html # Nathan Wilcox and CSRF attacks
By the way, the "Hack Tahoe!" contest is still running, so if you can
find a security flaw in the current version of Tahoe, you too can
have a customized t-shirt with your exploit printed on it. :-)
Regards,
Zooko Wilcox-O'Hearn
---
Tahoe, the Least-Authority Filesystem -- http://allmydata.org
store your data: $10/month -- http://allmydata.com/?tracking=zsig
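The contrast the post describes, replayed against a constructed toy server (added example, not Tahoe-LAFS code): a path URL with cookie-based authorisation can be forged by a page on another origin, while a webkey URL cannot be built without the unguessable token, yet can be handed to a recipient who never logs in. The file name, cookie value and URL prefixes are assumptions for illustration.

```python
import secrets
import hmac

# Constructed toy model of the two URL schemes the post contrasts.
class FileStore:
    def __init__(self):
        self.files = {}           # name -> content (path-URL mode)
        self.webkeys = {}         # unguessable token -> name (webkey mode)
        self.session_cookie = "alice-session"   # constructed ambient credential

    def publish(self, name, content):
        """Store a file under a guessable name and mint an unguessable webkey for it."""
        self.files[name] = content
        token = secrets.token_urlsafe(32)       # 256 random bits; cannot be guessed
        self.webkeys[token] = name
        return "/uri/" + token

    def handle_path(self, url, cookie):
        """Path URL: identity comes from the cookie the browser attaches automatically.
        Any origin that can guess '/files/<name>' can make the victim's browser send
        a request the server cannot tell apart from a legitimate one (CSRF)."""
        if cookie != self.session_cookie:
            return 403
        return 200 if url.removeprefix("/files/") in self.files else 404

    def handle_webkey(self, url):
        """Webkey URL: the reference itself carries the authority; no cookie is consulted.
        A forged request must contain the token, which another origin does not have."""
        token = url.removeprefix("/uri/")
        # Compare each stored token in constant time so the check leaks nothing about it.
        hit = any(hmac.compare_digest(k, token) for k in self.webkeys)
        return 200 if hit else 404


def csrf_scenario():
    """Replay a cross-site forgery against both schemes; return the HTTP status codes."""
    store = FileStore()
    webkey_url = store.publish("diary.txt", "dear diary")
    victim_cookie = store.session_cookie          # the browser sends it cross-site too
    return {
        # Attacker builds the path URL from the known file name; the cookie rides along.
        "path_forged": store.handle_path("/files/diary.txt", victim_cookie),
        # Same idea against the webkey scheme: the attacker can only guess the token.
        "webkey_forged": store.handle_webkey("/uri/diary.txt"),
        # Anyone given the real webkey URL reads the file, with no session cookie at all.
        "webkey_holder": store.handle_webkey(webkey_url),
    }
```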