[cap-talk] CSRF problem in tahoe

zooko zooko at zooko.com
Fri Mar 6 09:06:53 EST 2009


Folks:

Two weeks ago I was asked to describe the Cross-Site Request Forgery  
problem that we had in Tahoe.  Fortunately we've already written it  
all up, including an attempt to generalize the principles and a  
(somewhat light-hearted) claim:

    CSRF does not stand for Cross-Site Request Forgery!

    It stands for "Conveniently Shareable Reference Forgery"!

    Solve CSRF by making references unforgeable, not by making them
    unshareable!


http://hacktahoe.org/csrf.html

This write-up is part of the http://hacktahoe.org site, where two  
other security problems have also been discovered in Tahoe and  
written up.  Each of the three may be of interest.

Regards,

Zooko
---
Tahoe, the Least-Authority Filesystem -- http://allmydata.org
store your data: $10/month -- http://allmydata.com/?tracking=zsig
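The principle quoted above, modelled as an added example (this is not Zooko's or Tahoe's code, and the servers, browser and third-party page are constructed stand-ins): a server that authorizes writes by session cookie honours any request the browser emits for its host, including one triggered from an unrelated page, whereas a server that authorizes by an unguessable capability in the URL has nothing to act on unless the requester already holds that reference. The same reference can still be handed to a second user and works for them, which is the "conveniently shareable" half of the slogan.

```python
"""Constructed model of the CSRF principle from the post: authority carried
as an ambient cookie is forgeable by any page the browser visits, authority
carried as an unguessable reference is not, yet remains shareable.
Hypothetical servers, browser and host names; not Tahoe code."""
import hashlib
import secrets


class CookieAuthServer:
    """Authorizes writes by session cookie (ambient authority)."""

    def __init__(self):
        self.sessions = {}   # cookie -> user
        self.store = {}      # user -> {path: content}

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        self.store.setdefault(user, {})
        return cookie

    def handle(self, request):
        # Whoever presents the cookie acts as the user, however the request
        # was triggered: that is the property CSRF relies on.
        user = self.sessions.get(request.get("cookie"))
        if user is None:
            return 401
        self.store[user][request["path"]] = request["body"]
        return 200


class CapabilityServer:
    """Authorizes writes by an unguessable capability carried in the URL."""

    def __init__(self):
        self.slots = {}      # sha256(write-cap) -> {path: content}

    @staticmethod
    def _key(cap):
        # Look up by the hash of the cap rather than the cap itself, so a
        # timing difference in the lookup does not leak the secret.
        return hashlib.sha256(cap.encode()).hexdigest()

    def create_dir(self):
        cap = secrets.token_urlsafe(32)   # 256 bits of entropy
        self.slots[self._key(cap)] = {}
        return cap

    def handle(self, request):
        slot = self.slots.get(self._key(request.get("cap", "")))
        if slot is None:
            return 404   # unknown reference: nothing to act on, nobody to impersonate
        slot[request["path"]] = request["body"]
        return 200

    def read(self, cap, path):
        return self.slots[self._key(cap)].get(path)


class Browser:
    """Attaches stored cookies to every request for a host, whichever page
    triggered the request (the default browser behaviour the post assumes)."""

    def __init__(self):
        self.cookies = {}    # host -> cookie

    def send(self, server, host, request):
        if host in self.cookies:
            request = dict(request, cookie=self.cookies[host])
        return server.handle(request)


HOST = "storage.example"   # hypothetical host name


def forged_write_lands(server_kind):
    """True if a request triggered by a third-party page, carrying only
    public information (host and path), overwrites the victim's data."""
    browser = Browser()
    if server_kind == "cookie":
        server = CookieAuthServer()
        browser.cookies[HOST] = server.login("alice")
        browser.send(server, HOST, {"path": "notes.txt", "body": "mine"})
        # Request originating from another site; the browser adds the cookie.
        browser.send(server, HOST, {"path": "notes.txt", "body": "forged"})
        return server.store["alice"]["notes.txt"] == "forged"
    server = CapabilityServer()
    cap = server.create_dir()    # lives in Alice's page and URL, never in a cookie
    browser.send(server, HOST, {"cap": cap, "path": "notes.txt", "body": "mine"})
    # The other site can name the host and path, but cannot name the cap.
    browser.send(server, HOST, {"path": "notes.txt", "body": "forged"})
    return server.read(cap, "notes.txt") == "forged"


def shared_reference_works():
    """The cap is unforgeable, not unshareable: Bob, given the cap, can write
    to the directory and Alice sees the result through the same reference."""
    server = CapabilityServer()
    alice_cap = server.create_dir()
    bob_cap = alice_cap          # shared out of band (the point of the slogan)
    status = Browser().send(server, HOST, {"cap": bob_cap, "path": "todo.txt", "body": "from bob"})
    return status == 200 and server.read(alice_cap, "todo.txt") == "from bob"
```

Running `forged_write_lands("cookie")` returns True and `forged_write_lands("capability")` returns False, which is the whole argument in two calls; `shared_reference_works()` returns True, showing the fix did not cost the reference its shareability.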