author | Lars Wirzenius <liw@liw.fi> | 2022-08-14 11:53:32 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2022-08-14 11:53:32 +0300 |
commit | b9d2479db85947c1369153283b9bcfea0df93e56 (patch) | |
tree | ae996be341f111d0232766897922b3eb5a0aa94a | |
parent | f4062506d8467a5e7cebb6a532f3f42e9174b678 (diff) | |
download | obnam2-b9d2479db85947c1369153283b9bcfea0df93e56.tar.gz |
docs: add threat model for wide-open API
Sponsored-by: author
-rw-r--r-- | obnam.md | 17 |
1 files changed, 17 insertions, 0 deletions
@@ -204,6 +204,23 @@ This is mitigated in two ways: [CACHEDIR.TAG]: https://bford.info/cachedir/ +## Attacker can read backups via chunk server HTTP API + +This threat arises from the fact that the chunk server HTTP API +currently has no authentication. This allows an attacker who can +access the API to copy the backups and break their encryption at +leisure. + +The mitigation is to add access control for the API. + +A simple approach is to have the chunk server admin to create an +**access token** that the client must provide with each API request. +The token can be stored in the client configuration by `obnam init`. + +This would be the simplest possible access control approach. More +nuanced approaches will be added later. + + # Software architecture ## Effects of requirements |
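Review bot: The access-token paragraph in the new "Attacker can read backups via chunk server HTTP API" section leaves the mitigation too open for a threat model. It does not say how the token is generated, whether one token is shared by all clients or issued per client, or how a leaked token is revoked. Since the token is "stored in the client configuration by `obnam init`", that file becomes a secret, and the text should say it needs restricted permissions. A token that the client "must provide with each API request" is also exposed to anyone who can observe those requests, so the section should state that the API must be reached over an encrypted transport for this mitigation to hold. Minor wording: "have the chunk server admin to create" should read "have the chunk server admin create".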