tahoe-lafs/trac-2024-07-25
2
0
Issues 1.1k Wiki Activity

Web gateway should avoid caching plaintext of downloads #990

New issue
Closed
opened 2010-03-11 19:37:57 +00:00 by jsgf · 14 comments
jsgf commented 2010-03-11 19:37:57 +00:00
Owner
Copy link

The web gateway will (on occasion) locally cache files in unencrypted form, such as handling ranged GET requests.

Now in normal use that's perfectly OK because web gateways are trusted with our unencrypted data and so having the data present in that form should be OK.

But my mental model of a gateway machine is that it's just a stateless waypoint which doesn't store anything local. If I have a setup where there's a gateway machine within my network serving several machines, I would expect it to not have any persistent memory of my data, and so when it comes time to replace the HD I don't need to worry about scrubbing the disk, at least for Tahoe's sake. (Let's assume swap has been dealt with.)

Therefore, I think the gateway should keep the cache files encrypted and only decrypt them on the fly as they're being sent to its clients. I'm not sure what the key should be, but it should be per-file and transient (derived from the cap/root hash/something else?) rather than some local state (which would defeat the purpose of encrypting in the first place).

Could possibly be handled as part of the downloader rewrite of #798?

The web gateway will (on occasion) locally cache files in unencrypted form, such as handling ranged GET requests. Now in normal use that's perfectly OK because web gateways are trusted with our unencrypted data and so having the data present in that form should be OK. But my mental model of a gateway machine is that it's just a stateless waypoint which doesn't store anything local. If I have a setup where there's a gateway machine within my network serving several machines, I would expect it to not have any persistent memory of my data, and so when it comes time to replace the HD I don't need to worry about scrubbing the disk, at least for Tahoe's sake. (Let's assume swap has been dealt with.) Therefore, I think the gateway should keep the cache files encrypted and only decrypt them on the fly as they're being sent to its clients. I'm not sure what the key should be, but it should be per-file and transient (derived from the cap/root hash/something else?) rather than some local state (which would defeat the purpose of encrypting in the first place). Could possibly be handled as part of the downloader rewrite of #798?
tahoe-lafs added the
unknown
major
defect
1.6.0
 labels 2010-03-11 19:37:57 +00:00
tahoe-lafs added this to the undecided milestone 2010-03-11 19:37:57 +00:00
davidsarah commented 2010-03-11 22:45:16 +00:00
Author
Owner
Copy link

There are three options that would fix this:

  1. Use encrypted temporary files as suggested above
  2. Stop using temporary files
  3. Securely overwrite temporary files before closing them

However 2. may require too much memory, and 3. may leave plaintext accessible if the gateway crashes.

Note that the SFTP and FTP frontends also use unencrypted temporary files to handle write requests (perhaps that should be split into a separate ticket, but this one will do for the time being).

#991 was a duplicate.

There are three options that would fix this: 1. Use encrypted temporary files as suggested above 2. Stop using temporary files 3. Securely overwrite temporary files before closing them However 2. may require too much memory, and 3. may leave plaintext accessible if the gateway crashes. Note that the SFTP and FTP frontends also use unencrypted temporary files to handle write requests (perhaps that should be split into a separate ticket, but this one will do for the time being). #991 was a duplicate.
tahoe-lafs added
code-frontend
 and removed
unknown
 labels 2010-03-11 22:45:16 +00:00
tahoe-lafs modified the milestone from undecided to 1.7.0 2010-03-11 22:45:16 +00:00
tahoe-lafs changed title from Web gateway should keep its caches encrypted to Web gateway should avoid caching plaintext 2010-03-11 22:45:16 +00:00
davidsarah commented 2010-03-11 22:49:45 +00:00
Author
Owner
Copy link

Replying to davidsarah:

  1. Stop using temporary files
    ...
    However 2. may require too much memory, ...

More precisely, too much address space on 32-bit machines. How much virtual memory would be used by this option, would not be a problem per se if we had unlimited address space and an OS with a well-designed virtual memory subsystem (but we don't).

Replying to [davidsarah](/tahoe-lafs/trac-2024-07-25/issues/990#issuecomment-117847): > 2. Stop using temporary files ... > However 2. may require too much memory, ... More precisely, too much address space on 32-bit machines. How much virtual memory would be used by this option, would not be a problem *per se* if we had unlimited address space and an OS with a well-designed virtual memory subsystem (but we don't).
jsgf commented 2010-03-11 23:00:56 +00:00
Author
Owner
Copy link

I think the downloader's use of temp files is fairly unfortunate (downloading a 200MB file to satisfy a small range), so option 2 isn't out of the question. (There may be some value in caching for performance reasons, but that isn't why the downloader caches now.)

Secure deletion is pretty much impossible unless the filesystem and storage subsystem supports it. It certainly isn't sufficient to just overwrite the file and hope that hits all same blocks the original data hit. So I think 3 is out.

I think the downloader's use of temp files is fairly unfortunate (downloading a 200MB file to satisfy a small range), so option 2 isn't out of the question. (There may be some value in caching for performance reasons, but that isn't why the downloader caches now.) Secure deletion is pretty much impossible unless the filesystem and storage subsystem supports it. It certainly isn't sufficient to just overwrite the file and hope that hits all same blocks the original data hit. So I think 3 is out.
zooko commented 2010-03-11 23:04:13 +00:00
Author
Owner
Copy link

My favorite solution to this would be to implement #320 (add streaming (on-line) upload to HTTP interface) so that the gateway doesn't use the disk at all. #320 would offer great improvements, IMO, in performance and flexibility.

You have to give up on convergent encryption whenever you choose streaming upload (although I wonder if we could get some of it back by defining an encryption key from the secure hash of each segment in turn (including the added convergence secret) and using that key to encrypt the next segment..).

My favorite solution to this would be to implement #320 (add streaming (on-line) upload to HTTP interface) so that the gateway doesn't use the disk at all. #320 would offer great improvements, IMO, in performance and flexibility. You have to give up on convergent encryption whenever you choose streaming upload (although I wonder if we could get some of it back by defining an encryption key from the secure hash of each segment in turn (including the added convergence secret) and using that key to encrypt the next segment..).
jsgf commented 2010-03-11 23:07:03 +00:00
Author
Owner
Copy link

Replying to zooko:

My favorite solution to this would be to implement #320 (add streaming (on-line) upload to HTTP interface) so that the gateway doesn't use the disk at all. #320 would offer great improvements, IMO, in performance and flexibility.

However, in this case we're talking about cache files for downloading. When you do a byte-range GET request, you lose streaming downloads.

Replying to [zooko](/tahoe-lafs/trac-2024-07-25/issues/990#issuecomment-117854): > My favorite solution to this would be to implement #320 (add streaming (on-line) upload to HTTP interface) so that the gateway doesn't use the disk at all. #320 would offer great improvements, IMO, in performance and flexibility. However, in this case we're talking about cache files for *downloading*. When you do a byte-range GET request, you lose streaming downloads.
tahoe-lafs changed title from Web gateway should avoid caching plaintext to Web gateway should avoid caching plaintext of downloads 2010-03-11 23:08:10 +00:00
jack.lloyd commented 2010-03-11 23:20:52 +00:00
Author
Owner
Copy link

As a workaround of sorts, you could set the tempdir to point to an encrypted partition (or, on Linux, a tmpfs (an in-memory filesystem) backed by encrypted swap). And using encrypted swap is generally desirable for a host of other reasons; it's a shame nobody but OpenBSD (IIRC) actually does it by default.

Obviously this is impractical in many situations and undesirable in others, but I thought it would be good to point it out, for the subset of users for whom it might be useful.

I think option (3) is a non-starter - dealing with journaling filesystems, SSDs, etc make this nearly impossible in the general case. You can probably get it to work for, say, 9 in 10 users, but leaving 1 in 10 silently vulnerable is not good, and I'd think the effort doing this would be much better spent on eliminating temp files where possible or encrypting them if it's not feasible.

As a workaround of sorts, you could set the tempdir to point to an encrypted partition (or, on Linux, a tmpfs (an in-memory filesystem) backed by encrypted swap). And using encrypted swap is generally desirable for a host of other reasons; it's a shame nobody but OpenBSD (IIRC) actually does it by default. Obviously this is impractical in many situations and undesirable in others, but I thought it would be good to point it out, for the subset of users for whom it might be useful. I think option (3) is a non-starter - dealing with journaling filesystems, SSDs, etc make this nearly impossible in the general case. You can probably get it to work for, say, 9 in 10 users, but leaving 1 in 10 silently vulnerable is not good, and I'd think the effort doing this would be much better spent on eliminating temp files where possible or encrypting them if it's not feasible.
zooko commented 2010-03-12 00:15:29 +00:00
Author
Owner
Copy link

Replying to [jsgf]comment:6:

Replying to zooko:

My favorite solution to this would be to implement #320 (add streaming (on-line) upload to HTTP interface) so that the gateway doesn't use the disk at all. #320 would offer great improvements, IMO, in performance and flexibility.

However, in this case we're talking about cache files for downloading. When you do a byte-range GET request, you lose streaming downloads.

Oh, right, downloads when you are doing a range-request. My favorite solution to that is #798 (improve random-access download to retrieve/decrypt less data) so that the web gateway downloads only the segments needed to satisfy your range request and just keeps them in RAM until it has satsified you.

Replying to [jsgf]comment:6: > Replying to [zooko](/tahoe-lafs/trac-2024-07-25/issues/990#issuecomment-117854): > > My favorite solution to this would be to implement #320 (add streaming (on-line) upload to HTTP interface) so that the gateway doesn't use the disk at all. #320 would offer great improvements, IMO, in performance and flexibility. > > However, in this case we're talking about cache files for *downloading*. When you do a byte-range GET request, you lose streaming downloads. Oh, right, *downloads* when you are doing a range-request. My favorite solution to that is #798 (improve random-access download to retrieve/decrypt less data) so that the web gateway downloads only the segments needed to satisfy your range request and just keeps them in RAM until it has satsified you.
jsgf commented 2010-03-12 00:52:03 +00:00
Author
Owner
Copy link

Replying to [zooko]comment:9:

Oh, right, downloads when you are doing a range-request. My favorite solution to that is #798 (improve random-access download to retrieve/decrypt less data) so that the web gateway downloads only the segments needed to satisfy your range request and just keeps them in RAM until it has satsified you.

Yes, that's why I mentioned #798 in the report as possibly the best way of solving the problem ;)

Replying to [zooko]comment:9: > Oh, right, *downloads* when you are doing a range-request. My favorite solution to that is #798 (improve random-access download to retrieve/decrypt less data) so that the web gateway downloads only the segments needed to satisfy your range request and just keeps them in RAM until it has satsified you. Yes, that's why I mentioned #798 in the report as possibly the best way of solving the problem ;)
warner commented 2010-03-14 03:58:39 +00:00
Author
Owner
Copy link

yeah, the new downloader won't touch the disk at all. It fetches exactly the segment required to satisfy the first part of the range request, delivers the plaintext, then forgets about that segment and moves on to the next one.

yeah, the new downloader won't touch the disk at all. It fetches exactly the segment required to satisfy the first part of the range request, delivers the plaintext, then forgets about that segment and moves on to the next one.
davidsarah commented 2010-05-16 03:21:16 +00:00
Author
Owner
Copy link

The new SFTP implementation in #1037 uses an encrypted temp file for uploads. So that will be fixed as well in 1.7.

The new SFTP implementation in #1037 uses an encrypted temp file for uploads. So that will be fixed as well in 1.7.
davidsarah commented 2010-05-16 03:23:49 +00:00
Author
Owner
Copy link

Replying to davidsarah:

The new SFTP implementation in #1037 uses an encrypted temp file for uploads. So that will be fixed as well in 1.7.

Not "as well", because the new downloader has been deferred to 1.8.

Replying to [davidsarah](/tahoe-lafs/trac-2024-07-25/issues/990#issuecomment-117861): > The new SFTP implementation in #1037 uses an encrypted temp file for uploads. So that will be fixed as well in 1.7. Not "as well", because the new downloader has been deferred to 1.8.
tahoe-lafs modified the milestone from 1.7.0 to 1.8.0 2010-05-16 03:23:49 +00:00
warner commented 2010-08-14 18:08:38 +00:00
Author
Owner
Copy link

The #798 new immutable downloader has landed, and does not touch the disk.
(the mutable downloader doesn't touch the disk either). The webapi interface
to it uses the correct read(consumer,offset,length) interface. The
upload-side webapi server will still put large (>100kB) plaintext files on
disk (in an anonymous tempfile), and I don't know what the FTP/SFTP code
does.

Is this ticket narrowly-scoped enough that we can now close it?

The #798 new immutable downloader has landed, and does not touch the disk. (the mutable downloader doesn't touch the disk either). The webapi interface to it uses the correct `read(consumer,offset,length)` interface. The upload-side webapi server will still put large (>100kB) plaintext files on disk (in an anonymous tempfile), and I don't know what the FTP/SFTP code does. Is this ticket narrowly-scoped enough that we can now close it?
davidsarah commented 2010-08-14 20:47:03 +00:00
Author
Owner
Copy link

Replying to warner:

The #798 new immutable downloader has landed, and does not touch the disk.
(the mutable downloader doesn't touch the disk either). The webapi interface
to it uses the correct read(consumer,offset,length) interface. The
upload-side webapi server will still put large (>100kB) plaintext files on
disk (in an anonymous tempfile),

Perhaps it should be using [EncryptedTemporaryFile]source:src/allmydata/util/fileutil.py@4609#L118? That would be a new ticket, though.

and I don't know what the FTP/SFTP code does.

Both the FTP and SFTP code only do full downloads. They sometimes use EncryptedTemporaryFiles, but don't store plaintext on disk (see changeset:05022dca36780b3b).

Is this ticket narrowly-scoped enough that we can now close it?

Yes.

Replying to [warner](/tahoe-lafs/trac-2024-07-25/issues/990#issuecomment-117864): > The #798 new immutable downloader has landed, and does not touch the disk. > (the mutable downloader doesn't touch the disk either). The webapi interface > to it uses the correct `read(consumer,offset,length)` interface. The > upload-side webapi server will still put large (>100kB) plaintext files on > disk (in an anonymous tempfile), Perhaps it should be using [EncryptedTemporaryFile]source:src/allmydata/util/fileutil.py@4609#L118? That would be a new ticket, though. > and I don't know what the FTP/SFTP code does. Both the FTP and SFTP code only do full downloads. They sometimes use `EncryptedTemporaryFile`s, but don't store plaintext on disk (see changeset:05022dca36780b3b). > Is this ticket narrowly-scoped enough that we can now close it? Yes.
tahoe-lafs added the
fixed
 label 2010-08-14 20:47:03 +00:00
davidsarah closed this issue 2010-08-14 20:47:03 +00:00
davidsarah commented 2010-08-21 03:17:22 +00:00
Author
Owner
Copy link

Replying to [davidsarah]comment:17:

Replying to warner:

The upload-side webapi server will still put large (>100kB) plaintext files on
disk (in an anonymous tempfile),

Perhaps it should be using [EncryptedTemporaryFile]source:src/allmydata/util/fileutil.py@4609#L118? That would be a new ticket, though.

This is #1176.

Replying to [davidsarah]comment:17: > Replying to [warner](/tahoe-lafs/trac-2024-07-25/issues/990#issuecomment-117864): > > The upload-side webapi server will still put large (>100kB) plaintext files on > > disk (in an anonymous tempfile), > > Perhaps it should be using [EncryptedTemporaryFile]source:src/allmydata/util/fileutil.py@4609#L118? That would be a new ticket, though. This is #1176.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
No results found.
No results found.
Labels
Clear labels   
0.2.0

   
0.3.0

   
0.4.0

   
0.5.0

   
0.5.1

   
0.6.0

   
0.6.1

   
0.7.0

   
0.8.0

   
0.9.0

   
1.0.0

   
1.1.0

   
1.10.0

   
1.10.1

   
1.10.2

   
1.10a2

   
1.11.0

   
1.12.0

   
1.12.1

   
1.13.0

   
1.14.0

   
1.15.0

   
1.15.1

   
1.2.0

   
1.3.0

   
1.4.1

   
1.5.0

   
1.6.0

   
1.6.1

   
1.7.0

   
1.7.1

   
1.7β

   
1.8.0

   
1.8.1

   
1.8.2

   
1.8.3

   
1.8β

   
1.9.0

   
1.9.0-s3branch

   
1.9.0a1

   
1.9.0a2

   
1.9.0b1

   
1.9.1

   
1.9.2

   
1.9.2a1

   
LeastAuthority.com automation

   
blocker

   
cannot reproduce

   
cloud-branch

   
code

catch-all for anything that can be fixed by writing code but isn't classified better

  
code-dirnodes

anything involving tahoe directories

  
code-encoding

immutable-file encoding format/layout, cap format, encoding/decoding algorithms

  
code-frontend

general frontend things: new user-facing interfaces, FTP/SFTP servers, FUSE-like interfaces

  
code-frontend-cli

CLI tools

  
code-frontend-ftp-sftp

   
code-frontend-magic-folder

   
code-frontend-web

webapi interfaces, user-facing "WUI" interfaces

  
code-mutable

anything involving mutable files: encoding/decoding, share format

  
code-network

Introducer, locating storage servers, establishing/maintaining connections to them

  
code-nodeadmin

node startup/shutdown, tools to create nodes, logging tools, management/monitoring tools, manhole, disk-space-limiting tools

  
code-peerselection

server selection/sorting algorithm, rebalancing code, allocation policy, swarming-download

  
code-storage

storage-server implementation, share-storage directory layout, client-to-server share transfer protocol

  
contrib

problems with non-core things that live in the source:contrib/ directory

  
critical

   
defect

   
dev-infrastructure

things that help us build Tahoe: buildbot, automated speed/memory/code-coverage tests and results-displayers, IRC channels, mailing lists, this Trac instance

  
documentation

docs items. Also use 'docs' keyword on tickets in more specific components.

  
duplicate

   
enhancement

   
fixed

   
invalid

   
major

   
minor

   
n/a

   
normal

   
operational

things involved in running a tahoe grid, external tools to monitor/maintain a grid (like "nodeadmin" but larger-scale). Was also used for issues with the allmydata.com grid.

  
packaging

setup.py script, library dependencies, binary packages, licensing, installation instructions

  
somebody else's problem

   
supercritical

   
task

   
trivial

   
unknown

Uncategorized. All tickets default to this component until someone updates it.

  
was already fixed

   
website

things about the tahoe-lafs.org website (and sometimes this Trac instance, shared with 'dev-infrastructure')

  
wontfix

   
worksforme
No labels
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
Milestone
Clear milestone
No items
No milestone
1.8.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: tahoe-lafs/trac-2024-07-25#990
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?