[tahoe-dev] What Tahoe-LAFS Reveal to an Attacker

Zooko O'Whielacronx zookog at gmail.com
Wed Feb 27 21:03:01 UTC 2013


On Tue, Feb 26, 2013 at 8:38 PM, Patrick R McDonald
<marlowe at antagonism.org> wrote:
>
> As a redundant array of clouds becomes more and more a reality, thanks to the efforts of Least Authority Enterprises and others, Simon's thread popped a thought in my head.  How do we protect ourselves against attacks from service providers who have full root access on one or more of our storage nodes?

It is helpful to phrase the question in such precise terms. Now that I
understand it, my answer is that you basically can't protect
information that you send to a remote host, from the owner of that
host. I like to mentally model it as talking to a remote guy and
telling him facts, words, numbers, and asking him to remember them and
tell them back to you later. You can't effectively enforce any
controls on what else that guy does with those facts, words, numbers.
You can't prevent him from thinking about them, and you can't prevent
him from telling them to other people.

Now, what we do in Tahoe-LAFS is, we never tell the guy the actual
words (cleartext) that make up our files! Encrypt everything, tell him
the ciphertext, and then don't worry about what he does with the
ciphertext.

Your other thread about "What authority does a storage server have?"
is the right way to think about it. I think Kevin Reid's post on that
thread was very informative.

Regards,

Zooko



More information about the tahoe-dev mailing list