[tahoe-dev] regarding the unsuccessful assaults on the fortress
Frederik Braun
Frederik.Braun+tahoe at ruhr-uni-bochum.de
Tue Aug 10 18:52:17 UTC 2010
Chris Palmer wrote:
> Frederik Braun writes:
>
>> All URIs appear to be unguessable making commands on a user's files
>> impossible.
>
> XSS allows attackers to discover information in the DOM.
Yup, you might read my previous mail as "I have not found a website on a
gateway (I only had a look at the pubgrid) where you find read- or
write-capabilities in the DOM, starting from a file read-cap, i.e.
viewing a malicious HTML file".
If I'm mistaken and you do find caps in the DOM, we will have our leak :)
Also, from a JavaScript perspective it is still impossible to find URIs
that contain caps (e.g. history entries). Everything else would be a
browser bug that requires immediate fixing :)
Thus, an attacker's success will not differ from the success of
*guessing* URIs.