[tahoe-dev] Tahoe WUI enhancement suggestion

Daira Hopwood (formerly David-Sarah) davidsarah at leastauthority.com
Tue Jun 18 17:38:13 UTC 2013


On 18/06/13 11:18, till wrote:
> So, 
> 
> excuse my lack of knowledge on XSS and Web Security in General: So it makes no difference
> if the WUI just has access to the alias names without their uri's and the tahoe process
> looks them up for you? I still dont understand why, i.e. typing an alias into the "open
> directory" field on the WUI instead of directly putting it's URI is different, security wise. 

It's not just the user that can put the alias into that field, it's any script in the
same origin. There is no way to distinguish between user-initiated and script-initiated
actions (and by itself that wouldn't help in any case, because a script in the same
origin could obtain the resulting URI after the user had entered the alias).

> From a usability point of view: Now i have to keep a list of URIs of my directories
> somewhere to copy&paste them if i want access to them. I can define them in the alias file
> and "cat aliases" whenever i want access them in the WUI, but then i am at the CLI already
> and could do my tahoe stuff from there. So in what way do you imagine the average user to
> have his/her URI's available, carrying around a usb drive with a list on it, which
> probably should be encrypted itself?

Security trumps usability, I'm afraid.

-- 
Daira Hopwood ⚥

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20130618/639e9a39/attachment.pgp>


More information about the tahoe-dev mailing list