From b9d2479db85947c1369153283b9bcfea0df93e56 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 14 Aug 2022 11:53:32 +0300 Subject: docs: add threat model for wide-open API Sponsored-by: author --- obnam.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'obnam.md') diff --git a/obnam.md b/obnam.md index 6a60427..e1f3055 100644 --- a/obnam.md +++ b/obnam.md @@ -204,6 +204,23 @@ This is mitigated in two ways: [CACHEDIR.TAG]: https://bford.info/cachedir/ +## Attacker can read backups via chunk server HTTP API + +This threat arises from the fact that the chunk server HTTP API +currently has no authentication. This allows an attacker who can +access the API to copy the backups and break their encryption at +leisure. + +The mitigation is to add access control for the API. + +A simple approach is to have the chunk server admin to create an +**access token** that the client must provide with each API request. +The token can be stored in the client configuration by `obnam init`. + +This would be the simplest possible access control approach. More +nuanced approaches will be added later. + + # Software architecture ## Effects of requirements -- cgit v1.2.1
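Review bot: the mitigation paragraph in the new "Attacker can read backups via chunk server HTTP API" section describes a bearer token ("an **access token** that the client must provide with each API request") but says nothing about protecting that token in transit, so on the stated threat (an attacker who can access the API) a token sent over plain HTTP is readable by the same party and the control is defeated; the section should state that the API is only to be served over TLS, or record that as a prerequisite for the token approach. Two smaller points in the same hunk: the heading and the first paragraph describe only the read threat ("copy the backups and break their encryption at leisure") while the stated root cause, an API with no authentication at all, equally covers any other API operation, so the section should say explicitly that the token gates every request, not just reads; and "to have the chunk server admin to create an **access token**" should read "to have the chunk server admin create an **access token**". Consider also a sentence on how the token reaches the client before `obnam init` stores it and how it is rotated, since the text currently leaves both unspecified.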