Opened at 2021-10-25T16:01:35Z
Closed at 2021-11-16T15:45:52Z
#3826 closed enhancement (fixed)
HTTP storage protocol design change: switch all secrets to http headers
Reported by: | itamarst | Owned by: | itamarst |
---|---|---|---|
Priority: | normal | Milestone: | HTTP Storage Protocol |
Component: | unknown | Version: | n/a |
Keywords: | Cc: | ||
Launchpad Bug: |
Description
Secrets include:
- The new upload secret (#3820).
- Write secrets for mutables.
- Lease renewal/cancellation.
- Arguably, storage index, although that's more open to discussion.
These secrets should not be leaked by accident.
The current system puts them in the body of requests, which mean request logging is more likely to leak them.
HTTP headers are the standard way of passing credentials, and logging them is less common than URLs or bodies. So perhaps we should switch to using them for all of the above.
Change History (3)
comment:1 Changed at 2021-10-25T17:33:23Z by itamarst
Version 0, edited at 2021-10-25T17:33:23Z
by itamarst
(next)
comment:2 Changed at 2021-11-11T16:33:41Z by itamarst
Jean-Paul suggests that storage index logging should be avoided, but is not fundamentally a problem:
- Storage indexes are already not particularly secret. The client will tell approximately ~every storage server it can find about your storage indexes.
- Knowing a storage index buys you very little. You can obtain some ciphertext that you cannot decrypt.
- A premise of Tahoe is that you only rely on storage servers to return your ciphertext to you later on. You are _not_ relying on them to not make your ciphertext public.
comment:3 Changed at 2021-11-16T15:45:52Z by GitHub <noreply@…>
- Resolution set to fixed
- Status changed from new to closed
In fe6a2f6f/trunk:
Note: See
TracTickets for help on using
tickets.
ccx points out that potentially one could separate the syntax for "here is the secret you should use" vs. "here is me authorizing myself with a secret".
This distinction is present for leases, and in #3820 it is present for immutable uploads. The mutable upload API does not have this distinction, it's one API call for creating and subsequent modifying.