diff options
authorLars Wirzenius <>2022-08-14 08:58:24 +0000
committerLars Wirzenius <>2022-08-14 08:58:24 +0000
commit02d6e2e7d8c8b7854a2289f57a9039598b1430fa (patch)
parentf4062506d8467a5e7cebb6a532f3f42e9174b678 (diff)
parentb9d2479db85947c1369153283b9bcfea0df93e56 (diff)
Merge branch 'liw/api-threat-model' into 'main'
docs: add threat model for wide-open API See merge request obnam/obnam!236
1 files changed, 17 insertions, 0 deletions
diff --git a/ b/
index 6a60427..e1f3055 100644
--- a/
+++ b/
@@ -204,6 +204,23 @@ This is mitigated in two ways:
+## Attacker can read backups via chunk server HTTP API
+This threat arises from the fact that the chunk server HTTP API
+currently has no authentication. This allows an attacker who can
+access the API to copy the backups and break their encryption at
+The mitigation is to add access control for the API.
+A simple approach is to have the chunk server admin to create an
+**access token** that the client must provide with each API request.
+The token can be stored in the client configuration by `obnam init`.
+This would be the simplest possible access control approach. More
+nuanced approaches will be added later.
# Software architecture
## Effects of requirements