[tahoe-dev] do caps-in-URLs work in practice? (was: Disabling clipboard access in Internet Explorer)
Hyper Bumpkin
mr.monkey at gmail.com
Tue Dec 2 19:24:44 PST 2008
On Mon, Dec 1, 2008 at 2:21 PM, zooko <zooko at zooko.com> wrote:
> [adding Cc: cap-talk -- if you reply to both lists then please
> subscribe to both lists before hitting send]
Feel free to forward this to cap-talk if you like.
> I'm not entirely sure that I agree that people think of URLs as being
> like names in this regard.
I hear URLs spoken in advertisements on the radio. And not just
second-level domains, either -- sometimes it's "Visit
pumpkin.com/bumpkin for more scrumptious crumpet details!".
> I think this is partly an empirical
> question that hasn't been properly answered yet: How *do* people use
> a system like Tahoe with secrets in the URLs?
>
> Of course, these questions need to be asked in comparison with
> alternatives, not in an isolated "ideal world".
Yes. But, we do have alternatives to putting private keys in
identifiers/names. Maybe put the public key, or an (a)symmetric key
fingerprint, in the URL. If a weirdo manages to get a hold of the
identifier, well, they still don't have the key. That way it's hard to
guess identifiers, and it's not catastrophic if it happens.
As a counter example, consider "URL rewriting", which is what some web
app frameworks call it when you put the cookie value in the URL query
string. One time I got a credit report with something like this
printed at the footer of the page:
https://intranet.company.com/creditReport.jsp?jsessionid=DEADBEEF0BADCODE
That's basically equivalent to Tahoe's behavior: the identifier is
also an authenticator. Of course, if you've printed out a Tahoe file
and the bad guy gets the print-out, well, he already has the contents
as well as the key. :)
> 1. People are not as reluctant to use caps-in-URLs as we might have
> feared. Many people, with various levels of technical
> sophistication, seem to have no problem with the idea.
Non-technical people don't understand these issues (and shouldn't have
to). Technical people completely don't understand them. Do Tahoe users
know that the identifier is supposed to be secret? Do they
accidentally paste their clipboard buffers (after all, who can type
out those caps by hand!) into chat windows? Do they realize that
compromises their confidentiality, and how do they/can they cope with
that?
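As an added illustration (not code from this thread and not Tahoe's real cap format), the two URL styles the message contrasts: one where the URL carries the decryption key itself, so the identifier is also the authenticator, and one where it carries only a fingerprint of the key, so a leaked URL locates the object but reads nothing. The `KEY:`/`FP:` URL tags, the `publish`/`open_url` functions and the toy HMAC keystream are constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed model, not Tahoe's real cap format: an object is encrypted on
# the client and stored under a public locator. The two URL styles differ
# only in what the URL carries: the key itself, or a hash of the key.
STORE: Dict[str, bytes] = {}  # locator -> ciphertext held by the storage side

def b32(data: bytes) -> str:
    return base64.b32encode(data).decode().lower().rstrip("=")

def unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))

def crypt(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream XOR; illustrative, not a real cipher."""
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def fingerprint(key: bytes) -> str:
    """Public locator: names the key without revealing it."""
    return b32(hashlib.sha256(key).digest())

def publish(plaintext: bytes) -> Tuple[bytes, str, str]:
    """Store an object; return the key and both URL styles for it."""
    key = secrets.token_bytes(32)
    STORE[fingerprint(key)] = crypt(key, plaintext)
    key_url = "https://example.invalid/uri/KEY:" + b32(key)       # identifier == authenticator
    fp_url = "https://example.invalid/uri/FP:" + fingerprint(key)  # identifier only
    return key, key_url, fp_url

def open_url(url: str, key: Optional[bytes] = None) -> Optional[bytes]:
    """What a party holding the URL (plus, optionally, a key obtained elsewhere) can read."""
    tag, _, body = url.rsplit("/", 1)[1].partition(":")
    if tag == "KEY":
        key = unb32(body)          # the URL alone carries the authority
    elif tag == "FP":
        if key is None or fingerprint(key) != body:
            return None            # leaked locator, or wrong key: nothing readable
    else:
        raise ValueError("unknown URL style")
    ciphertext = STORE.get(fingerprint(key))
    return None if ciphertext is None else crypt(key, ciphertext)
```

The session-id case in the message is the `KEY:` style: whoever reads the print-out holds the whole authority, whereas with the `FP:` style the print-out alone is harmless.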