Any node interface available on a public exposes confidential grid info #861

Closed
opened 2009-12-16 17:32:13 +00:00 by imhavoc · 1 comment
imhavoc commented 2009-12-16 17:32:13 +00:00
Owner

Any node that is available on an exposed IP address publishes the introducer furl and the helper furl (if attached) to the world.

This results in anyone discovering the address of an exposed node being able to attach to a grid and a helper. This could result in unlimited abuse.

If one wanted to store files on their grid, then publish specific files to the net, a public node is required. Once that node is published, finding the furls is trivial.

Example: Zooko's blog hosted on the TestGrid:
http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html#2009-12-15

Going to the root of the node:
http://testgrid.allmydata.org:3567/

Introducer:

```
pb://todjw7qkb4dgq4fkeo7cqydcu5vneioh@tahoecs2.allmydata.com:52106/introducer
Connected to introducer?: yes
```

This happens to be a wonderful feature for the TestGrid, but an easy point of attack for anyone with a "closed" or "limited" grid.

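The report above is about the node's welcome page revealing capability strings (the introducer furl and helper furl). The following is an added example, not Tahoe-LAFS code: a small audit that an operator of a "closed" grid can run against a copy of their own node's welcome page to see whether any furl is being published, and a redaction helper that keeps only the service name. The markup of the sample page and the helper furl's tubid and host are constructed for illustration; the furl pattern (pb://tubid@host:port[,host:port...]/swissnum) is the foolscap form, with the tubid treated as base32.

```python
import re

# A foolscap FURL: pb://<tubid>@<one or more comma-separated host:port>/<swissnum>.
# The tubid is base32 (a-z, 2-7). The location list contains no "/" so it ends at the
# first slash; the swissnum is the part after it (e.g. "introducer", "helper").
FURL_RE = re.compile(r"pb://([a-z2-7]+)@([^/\s<>\"']+)/([A-Za-z0-9_\-]+)")

# The introducer furl quoted in the report above.
INTRODUCER_FURL = (
    "pb://todjw7qkb4dgq4fkeo7cqydcu5vneioh@tahoecs2.allmydata.com:52106/introducer"
)
# Constructed helper furl: the tubid and hosts are made up for this example.
HELPER_FURL = (
    "pb://abcdefghijklmnopqrstuvwxyz234567@helper.example:7777,10.0.0.5:7777/helper"
)

# Constructed stand-in for a node's welcome page; the real page's markup differs.
SAMPLE_WELCOME_PAGE = f"""<html><body>
<h2>Introducer</h2>
<div>{INTRODUCER_FURL}</div>
<div>Connected to introducer?: yes</div>
<h2>Helper</h2>
<div>{HELPER_FURL}</div>
</body></html>"""


def find_furls(text):
    """Return every FURL found in text, in document order."""
    return [m.group(0) for m in FURL_RE.finditer(text)]


def check_exposure(text):
    """Summarise what a page reveals: whether any furl is present and which
    services (swissnums) are named, so an operator can tell at a glance that a
    publicly reachable node is handing out the introducer or helper capability."""
    services = [m.group(3) for m in FURL_RE.finditer(text)]
    return {"leaked": bool(services), "services": services}


def redact_furls(text):
    """Replace each FURL with a marker that keeps only the swissnum name, so the
    page still says which service it refers to without disclosing the tubid or
    the location that together form the capability."""
    return FURL_RE.sub(lambda m: "pb://[redacted]/" + m.group(3), text)


if __name__ == "__main__":
    # Run the audit over the constructed page and show the redacted version.
    print(check_exposure(SAMPLE_WELCOME_PAGE))
    for furl in find_furls(SAMPLE_WELCOME_PAGE):
        print("found:", furl)
    print(redact_furls(SAMPLE_WELCOME_PAGE))
```

To audit a real node, feed the body of its welcome page (fetched from the loopback interface, where the operator already has access) into `check_exposure`; anything it flags is visible to whoever can reach the node's web port.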
tahoe-lafs added the operational, major, defect, 1.5.0 labels 2009-12-16 17:32:13 +00:00
tahoe-lafs added this to the undecided milestone 2009-12-16 17:32:13 +00:00
imhavoc commented 2009-12-17 04:01:22 +00:00
Author
Owner

Moved to #860
tahoe-lafs added the duplicate label 2009-12-17 04:11:53 +00:00
davidsarah closed this issue 2009-12-17 04:11:53 +00:00
tahoe-lafs added code-frontend-web and removed operational labels 2009-12-17 04:13:02 +00:00
Reference: tahoe-lafs/trac-2024-07-25#861