Dear people of p2p-hackers, tahoe-dev, and liberationtech:

I think I confused the issue when I said in [1] "some people in China might be relying on using the Tahoe-LAFS public demo over unencrypted HTTP and thinking that it provides security properties like they would get if they ran their own copy of Tahoe-LAFS locally". Encryption of the HTTP connection isn't very important, so it was confusing when I mentioned "over unencrypted HTTP". I should have just said "some people in China might be relying on using the Tahoe-LAFS public demo and thinking that it provides security properties like they would get if they ran their own copy of Tahoe-LAFS locally".

Look at this diagram:

http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/about.html

Using an unencrypted connection (HTTP or FTP) between the Tahoe-LAFS client and the Tahoe-LAFS gateway means that the link between those two objects on the diagram is red, meaning that you are vulnerable to anyone who controls that link. If you instead used an encrypted connection (HTTPS or SFTP) between those two objects then that link would be black, meaning that you are not vulnerable to someone just because they control that link.

But you are still vulnerable to whoever controls the Tahoe-LAFS gateway which the link goes to!

The right way to do it is to run the Tahoe-LAFS gateway yourself on a computer that you control. The Tahoe-LAFS gateway object is red on that diagram, meaning that you rely on it for your security, which is why you should run it on a computer that you control. You could run it on the same laptop or desktop that you are running your web browser on (which is acting as the Tahoe-LAFS client), in which case it doesn't matter whether you use HTTP or HTTPS because the connection is only running over the loopback interface anyway.
Or you could run it on some other computer that you control, in which case you need to use HTTPS so that you aren't vulnerable to anyone who controls the link between the local computer you are running your web browser on and the remote computer running your Tahoe-LAFS gateway.

So, how do we explain to these Chinese users (and everyone else) that if they want good security, they must run a Tahoe-LAFS gateway (which is a web server) on a computer they control? Perhaps it would help to draw one variant of this diagram showing a user using a gateway on a remote server and being vulnerable to the people who control that server (which may include more people than the server's legal owner thinks), and another picture showing a user using a gateway on his local machine and being safe against the threat of the server operator betraying him.

Does anyone have design skills (and Chinese!) and could try to explain this? Here is the source code for the current version of the diagram:

http://tahoe-lafs.org/source/tahoe-lafs/trunk/docs/network-and-reliance-topo...

Regards,

Zooko

[1] http://lists.zooko.com/pipermail/p2p-hackers/2010-November/002551.html

----- End forwarded message -----

-- 
Eugen* Leitl http://leitl.org
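The reliance argument in the forwarded message (red link vs. black link, red gateway box) can be turned into a small check that a user points at the gateway URL configured in their browser. This is an added example, not Tahoe-LAFS project code; the URLs and port are constructed, and it assumes that any hostname other than a loopback address or "localhost" is a remote machine (no DNS resolution is attempted).

```python
"""Model the Tahoe-LAFS reliance diagram: which parties a browser user must
rely on, given the URL of the gateway the browser talks to.
Added example, not part of Tahoe-LAFS; sample URLs below are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Parties that can end up in the reliance set ("red" in the diagram).
GATEWAY_OPERATOR = "whoever controls the gateway host"
LINK_OBSERVER = "anyone who controls the client-gateway link"


def is_loopback(host: str) -> bool:
    """True if the host is the user's own machine (loopback interface).
    Assumption: a DNS name other than 'localhost' is treated as remote."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def reliance_set(gateway_url: str) -> set:
    """Return the set of parties the user relies on for confidentiality and
    integrity when the browser (Tahoe-LAFS client) uses the gateway at
    gateway_url. An empty set means only the user's own machine is trusted."""
    parts = urlsplit(gateway_url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https", "ftp", "sftp"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not host:
        raise ValueError("gateway URL has no host")
    relied = set()
    if is_loopback(host):
        # Gateway runs on the user's own machine: the link never leaves the
        # loopback interface and the gateway operator is the user, so the
        # transport (HTTP vs. HTTPS) does not matter.
        return relied
    # Remote gateway: its operator sees plaintext and keys (red box), whatever
    # the transport is.
    relied.add(GATEWAY_OPERATOR)
    if scheme in ("http", "ftp"):
        # Unencrypted link: anyone on the path can read or alter traffic too.
        relied.add(LINK_OBSERVER)
    return relied
```

A public demo gateway reached over plain HTTP therefore yields both parties, while HTTPS to the same gateway removes only the link observer, never the operator.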