[cap-talk] CSRF problem in tahoe
zooko
zooko at zooko.com
Fri Mar 6 09:06:53 EST 2009
Folks:
Two weeks ago I was asked to describe the Cross-Site Request Forgery
problem that we had in Tahoe. Fortunately we've already written it
all up, including an attempt to generalize the principles and a
(somewhat light-hearted) claim:
CSRF does not stand for Cross-Site Request Forgery!
It stands for "Conveniently Shareable Reference Forgery"!
Solve CSRF by making references unforgeable, not by making them
unshareable!
http://hacktahoe.org/csrf.html
This write-up is part of the http://hacktahoe.org site, where two
other security problems have also been discovered in Tahoe and
written up. Each of the three may be of interest.
Regards,
Zooko
---
Tahoe, the Least-Authority Filesystem -- http://allmydata.org
store your data: $10/month -- http://allmydata.com/?tracking=zsig
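Added example, not from Zooko's post or from Tahoe's own code: a toy model of the claim above, contrasting a handler that authorizes on an ambient session cookie (so a request forged by another site succeeds) with one that authorizes only on an unguessable reference (so it cannot be forged, yet can still be shared). All session ids, file names and function names are constructed.

```python
import secrets
import hmac

# Constructed toy model of two server designs (not Tahoe's code).
# Design 1: authority is ambient, carried by a cookie the browser
# attaches to every request, whatever page triggered it.
SESSIONS = {"sess-123": "alice"}          # constructed session table

def handle_ambient(cookie, target_path, body):
    """Authorizes on the cookie alone; the path is a guessable name."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401, "no session"
    return 200, f"{user} wrote {body!r} to {target_path}"

# Design 2: authority is the reference itself, an unguessable cap.
def new_cap():
    return secrets.token_urlsafe(32)      # 256-bit random reference

CAPS = {}  # cap -> file name; whoever holds the cap may write

def handle_cap(cap, body):
    """Authorizes on the cap alone; no cookie is consulted at all."""
    for known, name in CAPS.items():
        if hmac.compare_digest(known, cap):   # constant-time compare
            return 200, f"wrote {body!r} to {name}"
    return 404, "unknown reference"

def csrf_demo():
    """Returns the status codes of (forged ambient, forged cap, legit cap)."""
    # A page Alice visits can make her browser send her cookie to the
    # ambient-authority server along a guessable path: it is accepted.
    forged_ambient = handle_ambient("sess-123", "/files/notes.txt", "x")
    # Against the cap server the same page can only name a reference it
    # already holds; a fresh guess is rejected.
    alice_cap = new_cap()
    CAPS[alice_cap] = "notes.txt"
    forged_cap = handle_cap(new_cap(), "x")
    # Anyone Alice deliberately shared the cap with is accepted: the
    # reference is shareable, just not forgeable.
    legit_cap = handle_cap(alice_cap, "hello")
    return forged_ambient[0], forged_cap[0], legit_cap[0]
```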