[tahoe-dev] do caps-in-URLs work in practice? (was: Disabling clipboard access in Internet Explorer)
zooko
zooko at zooko.com
Mon Dec 1 14:21:52 PST 2008
[adding Cc: cap-talk -- if you reply to both lists then please
subscribe to both lists before hitting send]
Dear . .:
You make a good argument and you do it well (excepted below, after
the end of this message).
I agree that names are typically public. (This is one of the reasons
why the traditional notion of "Zooko's Triangle" as describing
possible properties of names is fundamentally flawed -- the idea of a
non-human-friendly name is a pretty useless idea. However, Tyler
Close's recasting of Zooko's Triangle as being about *identifiers*
instead of about *names* is pretty sensible.)
I'm not entirely sure that I agree that people think of URLs as being
like names in this regard. I think this is partly an empirical
question that hasn't been properly answered yet: How *do* people use
a system like Tahoe with secrets in the URLs?
Do they find it convenient or off-putting? Do they use it safely or
dangerously?
Of course, these questions need to be asked in comparison with
alternatives, not in an isolated "ideal world".
Do people use these caps better or worse than they use login-and-password systems?
So far, results about this empirical question have started trickling
in from the Tahoe project. Here's my (biased, uncertain, incomplete)
summary so far:
1. People are not as reluctant to use caps-in-URLs as we might have
feared. Many people, with various levels of technical
sophistication, seem to have no problem with the idea.
2. On the other hand, allmydata.com wrapped Tahoe's caps-in-URLs
inside a name-and-password system and a "tiny URL"-style server, in
part because the current caps are too big.
3. The important lesson to draw from #2 is that building a
capability access control system doesn't prevent the people who build
atop your system from creating different access control schemes,
which is as it should be.
4. It isn't clear to me if people who use Tahoe with caps-in-URLs
are more or less at risk of accidental disclosure than people who use
other, more conventional mechanisms of sharing. I'd say the results
are not yet in, on this one.
5. We're pioneering the idea of caps-in-URLs here, and so we'll
probably make mistakes which could be exploited. Nathan Wilcox and
Collin Jackson have both claimed (on this mailing list or on our
issue tracker) that our current strategy is dangerous, because it
doesn't fit well with the modern web security paradigm. I wouldn't
be surprised if we are forced to move from caps-in-URLs to Tyler
Close's idea of caps-in-URL-fragments. I can't see the issues
clearly enough without concrete attacks, though, so I'm hoping that
Nathan and/or Collin and/or others will post attacks and win a "Hack
Tahoe!" t-shirt. ;-) (Or in Nathan's case, *another* "Tahoe Tahoe!"
t-shirt.)
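To make the difference between caps-in-URLs and caps-in-URL-fragments concrete, here is an added example (not from this thread or the Tahoe code) that shows what a web server, its access log, and a Referer header receive in each layout; the cap string and the /uri/ path layout are assumptions for illustration.

```javascript
// Added example: which part of a capability URL leaves the browser.
// The cap value below is a constructed placeholder, not a real Tahoe cap,
// and the /uri/<cap> path layout is assumed for illustration.

// The request target sent in the HTTP request line (and written to access
// logs) is path + query. The fragment after '#' never leaves the client.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// The fullest Referer a browser can derive: the URL with credentials and
// fragment stripped (a referrer policy may reduce it further, never enlarge it).
function refererFor(urlString) {
  const u = new URL(urlString);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Detect a Tahoe-style cap (URI:<type>:...) in text such as a log line or
// a Referer value; a hit means the cap was disclosed to that party.
const CAP_PATTERN = /URI:[A-Z0-9]+:[A-Za-z0-9_-]+/;
function leaksCap(text) {
  return CAP_PATTERN.test(text);
}

const cap = 'URI:DIR2:EXAMPLEWRITEKEY:EXAMPLEFINGERPRINT'; // constructed placeholder
const capInPath = `http://127.0.0.1:3456/uri/${cap}/`;      // caps-in-URLs
const capInFragment = `http://127.0.0.1:3456/#${cap}`;      // caps-in-URL-fragments

// Compare both layouts: true in *Leaks means the server or a linked-to site
// would see the cap in the request line or Referer respectively.
function compare() {
  return {
    pathTarget: requestTarget(capInPath),
    pathReferer: refererFor(capInPath),
    pathLeaks: leaksCap(requestTarget(capInPath)) && leaksCap(refererFor(capInPath)),
    fragmentTarget: requestTarget(capInFragment),
    fragmentReferer: refererFor(capInFragment),
    fragmentLeaks: leaksCap(requestTarget(capInFragment)) || leaksCap(refererFor(capInFragment)),
  };
}

console.log(compare());
```

In the fragment layout the page's own script must read `location.hash` to obtain the cap, which is what moves the secret out of server logs and Referer headers.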
Regards,
Zooko
On Nov 18, 2008, at 18:22 PM, . . wrote:
> I feel that, fundamentally, URLs are "names", and that part of the
> contract of a name is that it is public. People treat names as
> public accessors or handles in many aspects of daily life. Hoping
> that a name remains secret is to hope for an unlikely thing. For
> example, IE and Firefox print the URL of the page at the footer of
> the page when you print. Is that a bug? I'd say no; it's a
> reasonable feature that allows anyone in possession of the printout
> to find the original online.
>
> Therefore, as used by real humans, Tahoe will not be as secure as
> it could be. There are just too many ways for a URL to leak out,
> and even if you tell them carefully, people will not internalize
> the idea that Tahoe names are secrets. It's at odds with everyday
> expectations and behavior.