tahoe-lafs/docs/known_issues.txt

= known issues =

*  overview
*  issues in Tahoe-LAFS v1.8.0c1, released 2010-08-07
  -  potential unauthorized access by JavaScript in unrelated files
  -  potential disclosure of file through embedded hyperlinks or JavaScript in that file
  -  command-line arguments are leaked to other local users
  -  capabilities may be leaked to web browser phishing filter / "safe browsing" servers ===
  -  known issues in the FTP and SFTP frontends ===

== overview ==

Below is a list of known issues in recent releases of Tahoe-LAFS, and how to
manage them.  The current version of this file can be found at

http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/known_issues.txt

If you've been using Tahoe-LAFS since v1.1 (released 2008-06-11) or if you're
just curious about what sort of mistakes we've made in the past, then you might
want to read the "historical known issues" document:

http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/historical/historical_known_issues.txt

== issues in Tahoe-LAFS v1.7.0, released 2010-06-18 ==

=== potential unauthorized access by JavaScript in unrelated files ===

If you view a file stored in Tahoe-LAFS through a web user interface,
JavaScript embedded in that file might be able to access other files or
directories stored in Tahoe-LAFS which you view through the same web
user interface.  Such a script would be able to send the contents of
those other files or directories to the author of the script, and if you
have the ability to modify the contents of those files or directories,
then that script could modify or delete those files or directories.

==== how to manage it ====

For future versions of Tahoe-LAFS, we are considering ways to close off
this leakage of authority while preserving ease of use -- the discussion
of this issue is ticket #615.

For the present, either do not view files stored in Tahoe-LAFS through a
web user interface, or turn off JavaScript in your web browser before
doing so, or limit your viewing to files which you know don't contain
malicious JavaScript.


=== potential disclosure of file through embedded hyperlinks or JavaScript in that file ===

If there is a file stored on a Tahoe-LAFS storage grid, and that file
gets downloaded and displayed in a web browser, then JavaScript or
hyperlinks within that file can leak the capability to that file to a
third party, which means that third party gets access to the file.

If there is JavaScript in the file, then it could deliberately leak
the capability to the file out to some remote listener.

If there are hyperlinks in the file, and they get followed, then
whichever server they point to receives the capability to the
file. Note that IMG tags are typically followed automatically by web
browsers, so being careful which hyperlinks you click on is not
sufficient to prevent this from happening.

==== how to manage it ====

For future versions of Tahoe-LAFS, we are considering ways to close off
this leakage of authority while preserving ease of use -- the discussion
of this issue is ticket #127.

For the present, a good work-around is that if you want to store and
view a file on Tahoe-LAFS and you want that file to remain private, then
remove from that file any hyperlinks pointing to other people's servers
and remove any JavaScript unless you are sure that the JavaScript is not
written to maliciously leak access.


=== command-line arguments are leaked to other local users ===

Remember that command-line arguments are visible to other users (through
the 'ps' command, or the windows Process Explorer tool), so if you are
using a Tahoe-LAFS node on a shared host, other users on that host will
be able to see (and copy) any caps that you pass as command-line
arguments.  This includes directory caps that you set up with the "tahoe
add-alias" command.

==== how to manage it ====

As of Tahoe-LAFS v1.3.0 there is a "tahoe create-alias" command that does
the following technique for you.

Bypass add-alias and edit the NODEDIR/private/aliases file directly, by
adding a line like this:

fun: URI:DIR2:ovjy4yhylqlfoqg2vcze36dhde:4d4f47qko2xm5g7osgo2yyidi5m4muyo2vjjy53q4vjju2u55mfa

By entering the dircap through the editor, the command-line arguments
are bypassed, and other users will not be able to see them. Once you've
added the alias, if you use that alias instead of a cap itself on the
command-line, then no secrets are passed through the command line.  Then
other processes on the system can still see your filenames and other
arguments you type there, but not the caps that Tahoe-LAFS uses to permit
access to your files and directories.


=== capabilities may be leaked to web browser phishing filter / "safe browsing" servers ===

Firefox, Internet Explorer, and Chrome include a "phishing filter" or
"safe browing" component, which is turned on by default, and which sends
any URLs that it deems suspicious to a central server.

Microsoft gives a brief description of their filter's operation at
<http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx>. Firefox
and Chrome both use Google's "safe browsing API" which is documented
at <http://code.google.com/apis/safebrowsing/> and
<http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec>.

This of course has implications for the privacy of general web browsing
(especially in the cases of Firefox and Chrome, which send your main
personally identifying Google cookie along with these requests without
your explicit consent, as described for Firefox in
<https://bugzilla.mozilla.org/show_bug.cgi?id=368255>).

The reason for documenting this issue here, though, is that when using the
Tahoe-LAFS web user interface, it could also affect confidentiality and integrity
by leaking capabilities to the filter server.

Since IE's filter sends URLs by SSL/TLS, the exposure of caps is limited to
the filter server operators (or anyone able to hack the filter server) rather
than to network eavesdroppers. The "safe browsing API" protocol used by
Firefox and Chrome, on the other hand, is *not* encrypted, although the
URL components are normally hashed.

Opera also has a similar facility that is disabled by default. A previous
version of this file stated that Firefox had abandoned their phishing
filter; this was incorrect.

==== how to manage it ====

If you use any phishing filter or "safe browsing" feature, consider either
disabling it, or not using the WUI via that browser. Phishing filters have
very limited effectiveness (see
<http://lorrie.cranor.org/pubs/ndss-phish-tools-final.pdf>), and phishing
or malware attackers have learnt how to bypass them.

To disable the filter in IE7 or IE8:
 - Click Internet Options from the Tools menu.
 - Click the Advanced tab.
 - If an "Enable SmartScreen Filter" option is present, uncheck it.
   If a "Use Phishing Filter" or "Phishing Filter" option is present,
   set it to Disable.
 - Confirm (click OK or Yes) out of all dialogs.

If you have a version of IE that splits the settings between security
zones, do this for all zones.

To disable the filter in Firefox:
 - Click Options from the Tools menu.
 - Click the Security tab.
 - Uncheck both the "Block reported attack sites" and "Block reported
   web forgeries" options.
 - Click OK.

To disable the filter in Chrome:
 - Click Options from the Tools menu.
 - Click the "Under the Hood" tab and find the "Privacy" section.
 - Uncheck the "Enable phishing and malware protection" option.
 - Click Close.


=== known issues in the FTP and SFTP frontends ===

These are documented in docs/frontends/FTP-and-SFTP.txt and at
<http://tahoe-lafs.org/trac/tahoe-lafs/wiki/SftpFrontend>.
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`= known issues =`
docs: [source:docs/known_issues.txt] 2008-06-10 23:24:25 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`* overview`
NEWS, quickstart.html and known_issues.txt for 1.8.0c1 release. 2010-08-06 23:51:11 +00:00			`* issues in Tahoe-LAFS v1.8.0c1, released 2010-08-07`
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`- potential unauthorized access by JavaScript in unrelated files`
			`- potential disclosure of file through embedded hyperlinks or JavaScript in that file`
			`- command-line arguments are leaked to other local users`
			`- capabilities may be leaked to web browser phishing filter / "safe browsing" servers ===`
			`- known issues in the FTP and SFTP frontends ===`
doc_reformat_known_issues.txt - Added heading format begining and ending by "==" - Added Index - Added Title Note: No change are made in paragraphs content 2010-04-24 11:41:18 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`== overview ==`
doc_reformat_known_issues.txt - Added heading format begining and ending by "==" - Added Index - Added Title Note: No change are made in paragraphs content 2010-04-24 11:41:18 +00:00
docs: split historical/historical_known_issues.txt out of known_issues.txt All issues which are relevant to users of v1.1, v1.2, or v1.3 go in known_issues.txt. All issues which are relevant to users of v1.0 go in historical/historical_known_issues.txt. 2008-12-30 07:52:26 +00:00			`Below is a list of known issues in recent releases of Tahoe-LAFS, and how to`
			`manage them. The current version of this file can be found at`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/known_issues.txt`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`If you've been using Tahoe-LAFS since v1.1 (released 2008-06-11) or if you're`
docs: update NEWS, about.html, relnotes-short.txt, and known_issues.txt in preparation for v1.5.0 Especially note that strong claims of specialness that I've added, e.g. in about.html . 2009-07-21 23:43:11 +00:00			`just curious about what sort of mistakes we've made in the past, then you might`
			`want to read the "historical known issues" document:`
docs: split historical/historical_known_issues.txt out of known_issues.txt All issues which are relevant to users of v1.1, v1.2, or v1.3 go in known_issues.txt. All issues which are relevant to users of v1.0 go in historical/historical_known_issues.txt. 2008-12-30 07:52:26 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/historical/historical_known_issues.txt`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`== issues in Tahoe-LAFS v1.7.0, released 2010-06-18 ==`
docs/known_issues: mention #615 javascript-vs-frames, for zooko to improve/rewrite 2009-02-11 21:14:53 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`=== potential unauthorized access by JavaScript in unrelated files ===`
docs/known_issues: mention #615 javascript-vs-frames, for zooko to improve/rewrite 2009-02-11 21:14:53 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`If you view a file stored in Tahoe-LAFS through a web user interface,`
docs: known_issues.txt: my version of #615, remove "issue numbers", edits, move tahoe-1.1.0 issues to historical 2009-02-13 05:16:21 +00:00			`JavaScript embedded in that file might be able to access other files or`
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`directories stored in Tahoe-LAFS which you view through the same web`
			`user interface. Such a script would be able to send the contents of`
			`those other files or directories to the author of the script, and if you`
			`have the ability to modify the contents of those files or directories,`
			`then that script could modify or delete those files or directories.`
docs/known_issues: mention #615 javascript-vs-frames, for zooko to improve/rewrite 2009-02-11 21:14:53 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`==== how to manage it ====`
docs: known_issues.txt: my version of #615, remove "issue numbers", edits, move tahoe-1.1.0 issues to historical 2009-02-13 05:16:21 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`For future versions of Tahoe-LAFS, we are considering ways to close off`
			`this leakage of authority while preserving ease of use -- the discussion`
			`of this issue is ticket #615.`
docs/known_issues: mention #615 javascript-vs-frames, for zooko to improve/rewrite 2009-02-11 21:14:53 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`For the present, either do not view files stored in Tahoe-LAFS through a`
			`web user interface, or turn off JavaScript in your web browser before`
			`doing so, or limit your viewing to files which you know don't contain`
docs: known_issues.txt: my version of #615, remove "issue numbers", edits, move tahoe-1.1.0 issues to historical 2009-02-13 05:16:21 +00:00			`malicious JavaScript.`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: known_issues.txt: my version of #615, remove "issue numbers", edits, move tahoe-1.1.0 issues to historical 2009-02-13 05:16:21 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`=== potential disclosure of file through embedded hyperlinks or JavaScript in that file ===`
docs: editing changes and updated news in known_issues.txt 2008-12-30 08:01:16 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`If there is a file stored on a Tahoe-LAFS storage grid, and that file`
			`gets downloaded and displayed in a web browser, then JavaScript or`
docs: editing changes and updated news in known_issues.txt 2008-12-30 08:01:16 +00:00			`hyperlinks within that file can leak the capability to that file to a`
			`third party, which means that third party gets access to the file.`

			`If there is JavaScript in the file, then it could deliberately leak`
			`the capability to the file out to some remote listener.`

			`If there are hyperlinks in the file, and they get followed, then`
			`whichever server they point to receives the capability to the`
			`file. Note that IMG tags are typically followed automatically by web`
			`browsers, so being careful which hyperlinks you click on is not`
			`sufficient to prevent this from happening.`

docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`==== how to manage it ====`
docs: editing changes and updated news in known_issues.txt 2008-12-30 08:01:16 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`For future versions of Tahoe-LAFS, we are considering ways to close off`
			`this leakage of authority while preserving ease of use -- the discussion`
			`of this issue is ticket #127.`
docs: editing changes and updated news in known_issues.txt 2008-12-30 08:01:16 +00:00
			`For the present, a good work-around is that if you want to store and`
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`view a file on Tahoe-LAFS and you want that file to remain private, then`
			`remove from that file any hyperlinks pointing to other people's servers`
			`and remove any JavaScript unless you are sure that the JavaScript is not`
			`written to maliciously leak access.`
docs: editing changes and updated news in known_issues.txt 2008-12-30 08:01:16 +00:00

docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`=== command-line arguments are leaked to other local users ===`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`Remember that command-line arguments are visible to other users (through`
			`the 'ps' command, or the windows Process Explorer tool), so if you are`
			`using a Tahoe-LAFS node on a shared host, other users on that host will`
			`be able to see (and copy) any caps that you pass as command-line`
			`arguments. This includes directory caps that you set up with the "tahoe`
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`add-alias" command.`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`==== how to manage it ====`

			`As of Tahoe-LAFS v1.3.0 there is a "tahoe create-alias" command that does`
			`the following technique for you.`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`Bypass add-alias and edit the NODEDIR/private/aliases file directly, by`
			`adding a line like this:`
known_issues.txt: fix up the argv leakage issue -- it applies to Tahoe 1.2.0. Other editing corrections. 2008-07-22 01:02:49 +00:00
			`fun: URI:DIR2:ovjy4yhylqlfoqg2vcze36dhde:4d4f47qko2xm5g7osgo2yyidi5m4muyo2vjjy53q4vjju2u55mfa`

docs: update relnotes.txt, relnotes-short.txt, and others documentation bits for v1.5.0 release! 2009-08-02 02:57:10 +00:00			`By entering the dircap through the editor, the command-line arguments`
			`are bypassed, and other users will not be able to see them. Once you've`
			`added the alias, if you use that alias instead of a cap itself on the`
			`command-line, then no secrets are passed through the command line. Then`
			`other processes on the system can still see your filenames and other`
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`arguments you type there, but not the caps that Tahoe-LAFS uses to permit`
			`access to your files and directories.`


			`=== capabilities may be leaked to web browser phishing filter / "safe browsing" servers ===`

			`Firefox, Internet Explorer, and Chrome include a "phishing filter" or`
			`"safe browing" component, which is turned on by default, and which sends`
			`any URLs that it deems suspicious to a central server.`

			`Microsoft gives a brief description of their filter's operation at`
			`<http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx>. Firefox`
			`and Chrome both use Google's "safe browsing API" which is documented`
			`at <http://code.google.com/apis/safebrowsing/> and`
			`<http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec>.`

			`This of course has implications for the privacy of general web browsing`
			`(especially in the cases of Firefox and Chrome, which send your main`
			`personally identifying Google cookie along with these requests without`
			`your explicit consent, as described for Firefox in`
			`<https://bugzilla.mozilla.org/show_bug.cgi?id=368255>).`

			`The reason for documenting this issue here, though, is that when using the`
			`Tahoe-LAFS web user interface, it could also affect confidentiality and integrity`
			`by leaking capabilities to the filter server.`

			`Since IE's filter sends URLs by SSL/TLS, the exposure of caps is limited to`
			`the filter server operators (or anyone able to hack the filter server) rather`
			`than to network eavesdroppers. The "safe browsing API" protocol used by`
			`Firefox and Chrome, on the other hand, is not encrypted, although the`
			`URL components are normally hashed.`

			`Opera also has a similar facility that is disabled by default. A previous`
			`version of this file stated that Firefox had abandoned their phishing`
			`filter; this was incorrect.`

			`==== how to manage it ====`

			`If you use any phishing filter or "safe browsing" feature, consider either`
			`disabling it, or not using the WUI via that browser. Phishing filters have`
			`very limited effectiveness (see`
Document leakage of cap URLs via phishing filters in known_issues.txt 2010-02-02 01:52:38 +00:00			`<http://lorrie.cranor.org/pubs/ndss-phish-tools-final.pdf>), and phishing`
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`or malware attackers have learnt how to bypass them.`
Document leakage of cap URLs via phishing filters in known_issues.txt 2010-02-02 01:52:38 +00:00
			`To disable the filter in IE7 or IE8:`
			`- Click Internet Options from the Tools menu.`
			`- Click the Advanced tab.`
			`- If an "Enable SmartScreen Filter" option is present, uncheck it.`
			`If a "Use Phishing Filter" or "Phishing Filter" option is present,`
			`set it to Disable.`
			`- Confirm (click OK or Yes) out of all dialogs.`

			`If you have a version of IE that splits the settings between security`
docs: update known_issues.txt with more detail about web browser "safe-browsing" features and slightly tweaked formatting 2010-06-19 05:17:34 +00:00			`zones, do this for all zones.`

			`To disable the filter in Firefox:`
			`- Click Options from the Tools menu.`
			`- Click the Security tab.`
			`- Uncheck both the "Block reported attack sites" and "Block reported`
			`web forgeries" options.`
			`- Click OK.`

			`To disable the filter in Chrome:`
			`- Click Options from the Tools menu.`
			`- Click the "Under the Hood" tab and find the "Privacy" section.`
			`- Uncheck the "Enable phishing and malware protection" option.`
			`- Click Close.`


			`=== known issues in the FTP and SFTP frontends ===`

			`These are documented in docs/frontends/FTP-and-SFTP.txt and at`
			`<http://tahoe-lafs.org/trac/tahoe-lafs/wiki/SftpFrontend>.`