#1192 closed defect (fixed)

warn users not to rely on PyCrypto

Reported by: zooko
Owned by: davidsarah
Priority: major
Milestone: 1.8.0
Component: documentation
Version: 1.8β
Keywords: confidentiality reviewed
Cc:
Launchpad Bug:

Description

The PyCrypto AES implementation has no defenses against timing attacks, and also it seems like nobody has examined PyCrypto carefully for safety. (Although I audited the PyCrypto RNG and it was a mess, I didn't find any real holes.) People shouldn't rely on PyCrypto for their confidentiality. The way this affects Tahoe-LAFS is that people should run the Tahoe-LAFS gateway, which contains an SFTP server, locally to where they are running their SFTP client. Add a note to this effect to the appropriate documentation, presumably source:docs/frontends/FTP-and-SFTP.txt.

Attachments (1)

doc-patch-1192.dpatch (5.3 KB) - added by francois at 2010-09-04T13:55:49Z.


Change History (8)

comment:1 Changed at 2010-09-04T13:26:42Z by francois

  • Owner changed from somebody to francois
  • Status changed from new to assigned

comment:2 Changed at 2010-09-04T13:37:45Z by francois

I propose to add the following text as a second paragraph in Configuring SFTP Access of source:docs/frontends/FTP-and-SFTP.txt.

Beware that the SFTP server should only run locally because PyCrypto
cannot currently be relied on for confidentiality purposes. The PyCrypto
AES implementation has no defenses against timing attacks, and also it
seems like nobody has examined PyCrypto carefully for safety.

Changed at 2010-09-04T13:55:49Z by francois

comment:3 Changed at 2010-09-04T13:58:26Z by francois

  • Keywords review-needed added
  • Owner changed from francois to zooko
  • Status changed from assigned to new

This patch attachment:doc-patch-1192.dpatch contains another, more detailed, explanation written by Zooko.

comment:4 Changed at 2010-09-10T19:11:38Z by zooko

  • Owner changed from zooko to davidsarah

comment:5 Changed at 2010-09-10T19:27:14Z by davidsarah

  • Keywords reviewed added; review-needed removed
  • Owner changed from davidsarah to zooko

If you can run the SFTP server (which is provided by the Tahoe-LAFS gateway) on the same host as your SFTP client then you would be safe from any problem with the SFTP connection security.

This depends on the server binding only to localhost. Change it to something like:

The SFTP server is provided by the Tahoe-LAFS gateway. If you can run it on the same host as your SFTP client, and configured to accept connections only from localhost (using ":interface=127.0.0.1" in the port option as in the examples below), then you would be safe from any problem with the SFTP connection security.
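
The localhost-only condition from comment 5 can be checked mechanically. The following is an added example, not part of the ticket or of Tahoe-LAFS's own code: it parses the SFTP port descriptor and reports whether the listener is confined to a loopback address. It assumes the setting lives under an `[sftpd]` section with `enabled` and `port` keys in `tahoe.cfg`; the sample configurations are constructed.

```python
import configparser
import ipaddress
import re

# Constructed sample configs (not from the ticket). The [sftpd] section and
# its "enabled"/"port" keys are assumptions about the tahoe.cfg layout.
LOCAL_ONLY = """
[sftpd]
enabled = true
port = tcp:8022:interface=127.0.0.1
"""
ALL_INTERFACES = """
[sftpd]
enabled = true
port = tcp:8022
"""

def parse_strport(desc):
    """Split a strports-style descriptor into (type, positional, keyword)."""
    # Colons separate fields; a backslash escapes a literal colon (e.g. IPv6).
    fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", desc.strip())]
    kind, rest = fields[0], fields[1:]
    positional = [f for f in rest if "=" not in f]
    keyword = dict(f.split("=", 1) for f in rest if "=" in f)
    return kind, positional, keyword

def sftp_is_loopback_only(cfg_text):
    """True if SFTP is disabled, or its listener binds to a loopback address."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.has_section("sftpd"):
        return True  # no SFTP listener configured
    if not cfg.getboolean("sftpd", "enabled", fallback=False):
        return True  # SFTP frontend switched off
    _, _, kw = parse_strport(cfg.get("sftpd", "port", fallback=""))
    iface = kw.get("interface")
    if iface is None:
        return False  # no interface= means every interface is accepted
    try:
        return ipaddress.ip_address(iface).is_loopback
    except ValueError:
        return False  # hostname or malformed value: not provably local

if __name__ == "__main__":
    for name, text in [("local-only", LOCAL_ONLY), ("all-interfaces", ALL_INTERFACES)]:
        print(name, "OK" if sftp_is_loopback_only(text) else "EXPOSED")
```

A descriptor without `interface=` is reported as exposed, which is the case the revised documentation text is meant to steer users away from.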

comment:6 Changed at 2010-09-10T19:32:42Z by davidsarah

  • Owner changed from zooko to davidsarah
  • Status changed from new to assigned

comment:7 Changed at 2010-09-10T20:14:01Z by david-sarah@…

  • Resolution set to fixed
  • Status changed from assigned to closed

In 7d8e17c4434c5c86:

docs/frontends/FTP-and-SFTP.txt: warn users about connecting to the FTP and SFTP servers remotely. Fixes #1192
