honk/docs/security.txt

26 lines
1.0 KiB
Plaintext
Raw Normal View History

Some notes about security.
honk is not currently hardened against SSRF, server side request forgery. Be
mindful of what else may be reachable on localhost or the local network if
it's not generally accessible.
2019-04-14 20:17:50 +02:00
Key and signature verification is best effort, but some forgeries may sneak
past. In particular, tying together key name, key owner, actor, object, etc.
is incomplete.
How are user keys supposed to be rotated? Expired? Revoked?
The current answer is never, never, never.
If the key is only used for signing http requests, it can be be changed
basically at will. Change the key in the actor, give it a new name (to avoid
conflict with any cached keys), carry on.
2019-04-29 19:42:38 +02:00
Since keynames in practice don't change, honk will simply discard a key after
a signature failure and attempt to get a fresh key.
Using keys to sign json is more complicated. The current practice is to name
keys with URL fragments. example.com/user#key. If the keyname is changed to
#newkey, how does one fetch the old key to verify existing data?