
Security implications of not having a passphrase? #385

Closed
kornelski opened this issue Feb 22, 2021 · 5 comments

@kornelski
Member

For #384 it would be super convenient to create an implicit empty CrevID for new users, without a passphrase. What are the risks?

It wouldn't suggest backing up CrevID without a passphrase, and could require adding a passphrase at some point, e.g. before publishing anything. But how much are we worried about identity at rest on local disk?

@dpc
Collaborator

dpc commented Feb 22, 2021

Backup protected by a passphrase that the user doesn't regularly use is a great way to make sure they can't restore from it when they have to.

Passphrase is most useful for export/backup protection.

> But how much are we worried about identity at rest on local disk?

I guess it depends on the user. I always use LUKS full-disk encryption on all my drives, so the encrypt-at-rest of the ID is needless for me personally, I guess. And all in all it's not all that interesting an attack.

I guess the biggest threat is some systemic attack, where a popular vulnerability is used to collect many unprotected IDs and then to introduce a malicious dependency and hide it with fake reviews, etc.

I guess one way to approach this is to create some temporary weak-ID, without a passphrase, mark it somehow as such and allow the user to locally add trust proofs, and maybe even reviews, but definitely not publish anything. When the user is ready, cargo-crev would create a completely new ID, with a proper passphrase and backup, and then rewrite all the proofs to it (the code that can do it is already there and was used to support https://github.com/crev-dev/cargo-crev/wiki/List-of-Proof-Repositories#pre-v06-repositories).

@dpc
Collaborator

dpc commented Feb 22, 2021

BTW, we could have a passphrase agent to help with having to enter the passphrase too often. It would listen on some local socket, and if not started, cargo-crev would start it from scratch. The agent would listen and sign stuff, and shut itself down after a certain time of inactivity.
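
An added example of the agent lifecycle described in the comment above (local socket, sign on request, exit after inactivity); it is not cargo-crev code and not written by the participants. The names `run_agent` and `request`, the `agent.sock` path and the caller-supplied `sign` closure are assumptions, and starting the agent on demand is left out.

```rust
use std::io::{ErrorKind, Read, Write};
use std::os::unix::{fs::DirBuilderExt, net::{UnixListener, UnixStream}};
use std::{fs, path::Path, thread, time::{Duration, Instant}};

/// Serve sign requests on `dir/agent.sock`; exit after `idle` with no request.
/// `sign` is a caller-supplied stand-in for signing with the unlocked ID.
/// Returns how many requests were served before the idle shutdown.
pub fn run_agent(dir: &Path, idle: Duration, sign: impl Fn(&[u8]) -> Vec<u8>) -> std::io::Result<u32> {
    // Fresh 0700 directory: fails if it already exists, and only the owning
    // user can reach the socket created inside it.
    fs::DirBuilder::new().mode(0o700).create(dir)?;
    let sock = dir.join("agent.sock");
    let listener = UnixListener::bind(&sock)?;
    listener.set_nonblocking(true)?; // poll, so the idle deadline is checked
    let (mut served, mut last_used) = (0u32, Instant::now());
    while last_used.elapsed() < idle {
        match listener.accept() {
            Ok((mut conn, _)) => {
                conn.set_nonblocking(false)?;
                conn.set_read_timeout(Some(Duration::from_secs(1)))?;
                let mut msg = Vec::new();
                // Bounded read; a stalled or failing client never stops the agent.
                let read = (&conn).take(1 << 16).read_to_end(&mut msg);
                if read.is_ok() && conn.write_all(&sign(&msg)).is_ok() {
                    served += 1;
                    last_used = Instant::now();
                }
            }
            Err(e) if e.kind() == ErrorKind::WouldBlock => thread::sleep(Duration::from_millis(20)),
            Err(e) => return Err(e),
        }
    }
    drop(listener);
    fs::remove_file(&sock)?; // leave no stale socket behind
    fs::remove_dir(dir)?;
    Ok(served) // `sign`, and whatever key material it captured, is dropped here
}

/// Client side: send one message, half-close, read the reply.
pub fn request(dir: &Path, msg: &[u8]) -> std::io::Result<Vec<u8>> {
    let mut conn = UnixStream::connect(dir.join("agent.sock"))?;
    conn.write_all(msg)?;
    conn.shutdown(std::net::Shutdown::Write)?;
    let mut reply = Vec::new();
    conn.read_to_end(&mut reply)?;
    Ok(reply)
}
```

The directory mode only keeps other local users out; any process running as the same user can still ask the agent to sign while it is alive, which is why the idle timeout matters.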

@kornelski
Member Author

Currently the logic is this:

  • If you use functionality that needs an Id before creating any CrevID, it will create an implicit CrevID with no URL and no passphrase.

  • If you create a CrevID, it will try to adopt the previous implicit CrevID and add a passphrase and URL to it.

  • If you make a CrevID with an empty passphrase, it will tell you it's a bad idea and you should set one.

  • When you set your repo URL without explicitly creating a CrevID, it will remind you to add a passphrase.

@kornelski
Member Author

On macOS I could use Keychain to either store the passphrase, or store the whole CrevID.

@dpc
Collaborator

dpc commented Feb 22, 2021

Yeah. On Linuxes there are also some kinds of keyrings (gnome, kde, possibly others).

@crev-dev crev-dev locked and limited conversation to collaborators Jan 15, 2022
@dpc dpc converted this issue into discussion #451 Jan 15, 2022
