author: Lars Wirzenius <liw@liw.fi> 2022-08-14 11:53:32 +0300
committer: Lars Wirzenius <liw@liw.fi> 2022-08-14 11:53:32 +0300
commit: b9d2479db85947c1369153283b9bcfea0df93e56
tree: ae996be341f111d0232766897922b3eb5a0aa94a
parent: f4062506d8467a5e7cebb6a532f3f42e9174b678
download: obnam2-b9d2479db85947c1369153283b9bcfea0df93e56.tar.gz
docs: add threat model for wide-open API
Sponsored-by: author
-rw-r--r-- obnam.md | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/obnam.md b/obnam.md
index 6a60427..e1f3055 100644
--- a/obnam.md
+++ b/obnam.md
@@ -204,6 +204,23 @@ This is mitigated in two ways:
[CACHEDIR.TAG]: https://bford.info/cachedir/
+## Attacker can read backups via chunk server HTTP API
+
+This threat arises from the fact that the chunk server HTTP API
+currently has no authentication. This allows an attacker who can
+access the API to copy the backups and break their encryption at
+leisure.
+
+The mitigation is to add access control for the API.
+
+A simple approach is to have the chunk server admin to create an
+**access token** that the client must provide with each API request.
+The token can be stored in the client configuration by `obnam init`.
+
+This would be the simplest possible access control approach. More
+nuanced approaches will be added later.
+
+
# Software architecture
## Effects of requirements
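Review bot: the access-token paragraph ("A simple approach is to have the chunk server admin ...") does not say how the token travels or how it is stored, and both decide whether it actually closes the threat described above it. The section calls this a chunk server HTTP API; a token sent with every request over plain HTTP is visible to the same network-positioned attacker who can copy the backups, so the mitigation should state that the API is served over TLS, or else make explicit that the token only stops an attacker who cannot observe traffic. Likewise, the client configuration written by `obnam init` now holds a credential, so the text should say it is created with owner-only permissions. The threat is also scoped narrower than what the missing authentication exposes: with no access control at all, the same attacker can delete or overwrite chunks, not just read them, so the heading "Attacker can read backups via chunk server HTTP API" understates the impact; consider naming tampering and deletion alongside disclosure. Minor style point: "to have the chunk server admin to create an **access token**" has a stray "to"; "to have the chunk server admin create an **access token**" reads better, and the two blank lines added before "# Software architecture" could be one.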