[cap-talk] CSRF problem in tahoe

zooko zooko at zooko.com
Fri Mar 6 09:06:53 EST 2009


Two weeks ago I was asked to describe the Cross-Site Request Forgery  
problem that we had in Tahoe.  Fortunately we've already written it  
all up, including an attempt to generalize the principles and a  
(somewhat light-hearted) claim:

    CSRF does not stand for Cross-Site Request Forgery!

    It stands for "Conveniently Shareable Reference Forgery"!

    Solve CSRF by making references unforgeable, not by making them  


This write-up is part of the http://hacktahoe.org site, where two  
other security problems have also been discovered in Tahoe and  
written up.  Each of the three may be of interest.
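
As an added illustration of the principle quoted above (example code written for this page, not Tahoe's own code and not taken from hacktahoe.org), the following Python models the two designs side by side: a service whose references are forgeable because authority rides on an ambient session cookie, and one whose references are unforgeable because the URL itself carries a secret capability. The class names `CookieService` and `CapService`, the `Request` stand-in, and the `/uri/<cap>/delete` path shape are all assumptions for the demonstration, not Tahoe's real URL layout.

```python
"""Forgeable vs. unforgeable references: a constructed demonstration.

CookieService authorises by an ambient session cookie, so any request
the victim's browser can be tricked into sending carries full authority.
CapService authorises by a secret capability embedded in the URL, so a
request is only valid if whoever built it already holds the reference.
All names and the URL shape here are illustrative, not Tahoe's.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path, query and cookie jar."""
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class CookieService:
    """CSRF-prone design: authority comes from the cookie, the action
    URL is guessable, and the browser attaches the cookie for anyone."""

    def __init__(self):
        self.sessions = {}   # session id -> user
        self.files = {}      # user -> set of file names

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        self.files.setdefault(user, set())
        return sid

    def handle(self, req):
        user = self.sessions.get(req.cookies.get("session"))
        if user is None:
            return 401, "not logged in"
        if req.path == "/delete":
            # Anyone can write "/delete?file=..."; the cookie does the rest.
            self.files[user].discard(req.query.get("file"))
            return 200, "deleted"
        return 404, "no such path"


class CapService:
    """Capability design: the URL is the unforgeable reference and no
    cookie is consulted, so there is no ambient authority to abuse."""

    def __init__(self):
        self.caps = {}       # secret cap -> (owner, file name)

    def create_file(self, owner, name):
        cap = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self.caps[cap] = (owner, name)
        return f"/uri/{cap}/delete"       # assumed URL shape for the demo

    def handle(self, req):
        parts = req.path.split("/")
        if len(parts) != 4 or parts[1] != "uri" or parts[3] != "delete":
            return 404, "no such path"
        if parts[2] not in self.caps:     # unknown cap: indistinguishable
            return 404, "no such path"    # from a path that never existed
        del self.caps[parts[2]]
        return 200, "deleted"


def run_demo():
    """Replay the same cross-site scenario against both designs and
    return the observable outcomes as a dict."""
    results = {}

    # Forgeable references: attacker page embeds
    #   <img src="https://victim.example/delete?file=secret.txt">
    # The attacker never learns alice's cookie; her browser adds it.
    svc = CookieService()
    sid = svc.login("alice")
    svc.files["alice"].add("secret.txt")
    forged = Request("/delete", {"file": "secret.txt"}, {"session": sid})
    results["cookie_csrf_status"] = svc.handle(forged)[0]
    results["cookie_file_survived"] = "secret.txt" in svc.files["alice"]

    # Unforgeable references: attacker knows the URL shape but not the cap.
    cap_svc = CapService()
    delete_url = cap_svc.create_file("alice", "secret.txt")
    guess = Request(f"/uri/{secrets.token_urlsafe(32)}/delete")
    results["cap_guess_status"] = cap_svc.handle(guess)[0]
    results["cap_file_survived_guess"] = len(cap_svc.caps) == 1
    # The legitimate holder of the reference still succeeds.
    results["cap_holder_status"] = cap_svc.handle(Request(delete_url))[0]
    results["cap_file_survived_holder"] = len(cap_svc.caps) == 1
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The forged request against `CookieService` succeeds because the reference (`/delete?file=secret.txt`) is something anyone can write down and the browser supplies the authority; the same attack against `CapService` fails because the reference cannot be written down without already holding the secret. The usual practitioner caveat applies: a secret-bearing URL is only as unforgeable as it is unshared, so such references must be kept out of Referer headers, access logs and bookmarks that can be observed by others.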


