#861 closed defect (duplicate)
Any node interface available on a public exposes confidential grid info
Reported by: | imhavoc | Owned by: | somebody |
---|---|---|---|
Priority: | major | Milestone: | undecided |
Component: | code-frontend-web | Version: | 1.5.0 |
Keywords: | privacy security | Cc: | |
Launchpad Bug: |
Description
Any node that is available on an exposed IP address publishes the introducer furl and the helper furl (if attached) to the world.
This results in anyone discovering the address of an exposed node being able to attach to a grid and a helper. This could result in unlimited abuse.
If one wanted to store files on their grid, then publish specific files to the net, a public node is required. Once that node is published, finding the furls is trivial.
Example: Zooko's blog hosted on the TestGrid: http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html#2009-12-15
Going to the root of the node: http://testgrid.allmydata.org:3567/
Introducer:
pb://todjw7qkb4dgq4fkeo7cqydcu5vneioh@tahoecs2.allmydata.com:52106/introducer
Connected to introducer?: yes
This happens to be a wonderful feature for the TestGrid, but an easy point of attack for anyone with a "closed" or "limited" grid.
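An operator-side audit for the exposure described in this ticket, as an added example that is not part of the original report and is not Tahoe-LAFS code: it scans the saved HTML of a node's web root for furls of the `pb://tubid@host:port/name` shape shown above and reports them without repeating the full value. The page layout, host names and tub IDs in `SAMPLE_PAGE` are constructed, and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser

# Furl shape as quoted in the ticket: pb://<tubid>@<host>:<port>/<name>
FURL_RE = re.compile(r"pb://([a-z2-7]+)@([^/\s<>\"']+)/([^\s<>\"']+)")

# Constructed sample of a node welcome page (not captured from a real node).
SAMPLE_PAGE = """<html><body><h1>Node status</h1>
<ul>
 <li>Introducer: <span>pb://aaaaaaaabbbbbbbbccccccccdddddddd@node.example.invalid:52106/introducer</span></li>
 <li>Connected to introducer?: yes</li>
 <li>Helper: <span>pb://eeeeeeeeffffffffgggggggghhhhhhhh@helper.example.invalid:52107/helper</span></li>
</ul></body></html>"""


class _TextExtractor(HTMLParser):
    """Collects only the text a visitor would see, ignoring tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def find_exposed_furls(html):
    """Return (kind, location, redacted_furl) for each furl visible in the page."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    findings = []
    for m in FURL_RE.finditer(text):
        tubid, location, _name = m.groups()
        # Classify by the nearest label preceding the furl in the visible text.
        before = text[:m.start()].lower()
        labels = {k: before.rfind(k) for k in ("introducer", "helper")}
        kind = max(labels, key=labels.get) if max(labels.values()) >= 0 else "unknown"
        # Keep the audit output from re-publishing the furl in full.
        redacted = f"pb://{tubid[:4]}...@{location}/<redacted>"
        findings.append((kind, location, redacted))
    return findings


if __name__ == "__main__":
    for kind, location, redacted in find_exposed_furls(SAMPLE_PAGE):
        print(f"EXPOSED {kind} furl at {location}: {redacted}")
```

Feed it the HTML fetched from your own node's web root as seen from outside your network; an empty result means no furl is rendered on that page.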
Change History (3)
comment:1 Changed at 2009-12-17T04:01:22Z by imhavoc
comment:2 Changed at 2009-12-17T04:11:53Z by davidsarah
- Resolution set to duplicate
- Status changed from new to closed
comment:3 Changed at 2009-12-17T04:13:02Z by davidsarah
- Component changed from operational to code-frontend-web
- Keywords privacy added; confidentiality vulnerability removed
Moved to #860