diff options
authorLars Wirzenius <>2022-08-14 11:53:32 +0300
committerLars Wirzenius <>2022-08-14 11:53:32 +0300
commitb9d2479db85947c1369153283b9bcfea0df93e56 (patch)
parentf4062506d8467a5e7cebb6a532f3f42e9174b678 (diff)
docs: add threat model for wide-open API
Sponsored-by: author
1 files changed, 17 insertions, 0 deletions
diff --git a/ b/
index 6a60427..e1f3055 100644
--- a/
+++ b/
@@ -204,6 +204,23 @@ This is mitigated in two ways:
+## Attacker can read backups via chunk server HTTP API
+This threat arises from the fact that the chunk server HTTP API
+currently has no authentication. This allows an attacker who can
+access the API to copy the backups and break their encryption at
+The mitigation is to add access control for the API.
+A simple approach is to have the chunk server admin to create an
+**access token** that the client must provide with each API request.
+The token can be stored in the client configuration by `obnam init`.
+This would be the simplest possible access control approach. More
+nuanced approaches will be added later.
# Software architecture
## Effects of requirements