|author||Lars Wirzenius <firstname.lastname@example.org>||2022-08-14 08:58:24 +0000|
|committer||Lars Wirzenius <email@example.com>||2022-08-14 08:58:24 +0000|
Merge branch 'liw/api-threat-model' into 'main'
docs: add threat model for wide-open API See merge request obnam/obnam!236
1 files changed, 17 insertions, 0 deletions
@@ -204,6 +204,23 @@ This is mitigated in two ways:
+## Attacker can read backups via chunk server HTTP API
+This threat arises from the fact that the chunk server HTTP API
+currently has no authentication. This allows an attacker who can
+access the API to copy the backups and break their encryption at
+The mitigation is to add access control for the API.
+A simple approach is to have the chunk server admin to create an
+**access token** that the client must provide with each API request.
+The token can be stored in the client configuration by `obnam init`.
+This would be the simplest possible access control approach. More
+nuanced approaches will be added later.
# Software architecture
## Effects of requirements