[Zope-dev] Re: Addressing client-side trojan problem

Shane Hathaway shane@zope.com
Tue, 25 Sep 2001 15:02:44 -0400


Ken Manheimer wrote:

> Shane Hathaway <shane@zope.com> wrote:
>>This hasn't been fixed because it's not well understood.  Javascript can
>>POST an invisible form, AFAIK.  The problem occurs on the browsers of
>>users who are *already authenticated*.  It has nothing to do with Zope
>>or any server software, really.
>>
> 
> I recently saw a _very_ interesting description of how capability-based
> distributed computing (and the Principle of Least Authority) is used to
> address vulnerabilities to client side trojans, viruses, etc.  I think the
> approach may apply to the web situation.
> 
> "Capabilities" are a significant, fairly established idea in the realm of
> distributed operating systems, but are not very familiar more generally.
> This description is by far the most approachable I've seen (and perhaps,
> the first I've understood:) - I highly recommend looking it over.  It's
> in a substantial overview of the very nifty looking scripting language, E,
> which is specifically designed to provide secure, reliable, manageable
> distributed computing scripting.  The relevant bits are at:
> 
>   http://www.skyhunter.com/marcs/ewalnut.html#SEC41


Very interesting.  Thanks for the link.  I read Marc's whole description 
of capability-based security:

http://www.skyhunter.com/marcs/capabilityIntro/

It makes a lot of sense.  In situations where it is possible, I am 
inclined to agree that capabilities are the most secure approach to 
writing software.

I don't know how to apply capability-based security to the trojan 
problem, but I'm thinking about how it could be integrated into Zope. 
Perhaps there could be objects that declare themselves to be 
"capabilities"; that is, any object that can reach them is allowed to 
call any method of them.

Shane
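As an added illustration of the contrast discussed in this thread (constructed example, not code from the original post or from Zope): two Python form handlers. The first relies only on the session cookie, i.e. ambient authority that the browser attaches to any POST, including one submitted by an invisible form; the second additionally demands an unguessable per-session token that only a server-rendered page for that session could have reached, which is the capability idea applied to a single request. The session and token stores are in-memory stand-ins.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> user name.
SESSIONS = {"sess-abc": "alice"}

# Constructed capability store: per-session unguessable form tokens.
FORM_TOKENS = {}


def issue_form_token(session_id):
    """Mint a capability: an unguessable token bound to this session, handed
    out only inside pages the server itself renders for that session."""
    token = secrets.token_urlsafe(32)
    FORM_TOKENS[session_id] = token
    return token


def handle_post_ambient(cookie_session, form):
    """Ambient-authority handler: acts whenever the request carries a valid
    session cookie.  A form POSTed from a third-party page is accepted, because
    the browser attaches the cookie automatically (the case in the thread)."""
    user = SESSIONS.get(cookie_session)
    if user is None:
        return "denied: not authenticated"
    return f"ok: {user} performed {form['action']}"


def handle_post_capability(cookie_session, form):
    """Capability handler: the cookie alone is not enough; the form must also
    present the token that only a server-rendered page for this session holds.
    A page on another origin cannot read that token, so its POST is refused."""
    user = SESSIONS.get(cookie_session)
    if user is None:
        return "denied: not authenticated"
    expected = FORM_TOKENS.get(cookie_session)
    presented = form.get("token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if expected is None or not hmac.compare_digest(expected, presented):
        return "denied: no capability for this action"
    return f"ok: {user} performed {form['action']}"


def demo():
    """Compare both handlers on a forged POST and on a legitimate one."""
    token = issue_form_token("sess-abc")
    legit = {"action": "delete_folder", "token": token}
    forged = {"action": "delete_folder"}  # an invisible form cannot supply the token
    return (handle_post_ambient("sess-abc", forged),
            handle_post_capability("sess-abc", forged),
            handle_post_capability("sess-abc", legit))
```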