-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Increase connection-level security #1897
Comments
The hierarchy of certificates approach is incompatible with being able to add and remove multiple devices, since if someone uses one of their devices to add a second device, they can't use their second device to remove the first device without also removing the second device. This is an edge case but I think there are others too. I think the revocation problem with the psk is fine because once we have a system we like for group message encryption we can also use it to rotate the psk, provided there is some way for users to learn the new secret, such as some network or endpoint that does not require the psk to connect but does not have sensitive data on it. To me this seems like something we should tackle before releasing if we have a clear plan that we feel good about. If not, let's release and investigate further. |
Discussing more, it seems that using a cert chain for TLS mutual auth has complexities:
And perhaps, ultimately, we should handle this sort of authentication at a higher layer, e.g. allow anyone to connect, however authenticate transfer of data (like any regular web API does). We want to guard any data sent to connected peers, which currently means any data sent via gossip protocols and orbitDB (read permissions). For now, perhaps the best approach is using a PSK. With a PSK, it's likely that only users who are invited can connect to other users (since everyone needs the same PSK). It is possible to leak a PSK on the internet. The same could be said about an invitation, however invites can be further restricted to be single-use and I think they can be tied to the issuer of the invite so that it's possible to track who invited who. The PSK can help prevent against trivial bridging of communities (#1896) and we can include stronger authentication in the application layer. Perhaps the PSK could also be related to community-level group encryption which could help with the leaking data issue on revocation. |
Notes:
|
We can add the PSK to the invite link (there should be enough room in the link with 4 peers), and on joining a network, we can send the PSK to the backend and store it in LevelDB. The PSK can then be used in initializing the libp2p layer. According to Emi's research, we have 512 characters after 'https://tryquiet.org/?codes=' to include in an invite link while still allowing the link to be "linkified" by common messaging apps. Each peer address is 104 characters:
And we currently include 4 in the link... (4 * 104 = 416), leaving (512 - 416 = 96) characters left. The PSK is 256 bits/8 = 32 bytes which encodes to 44 characters base64:
So we should have plenty of room to add the PSK to the current invite link. Future considerations: how can we tell if a PSK is invalid? Is there a specific error? |
Is there any early indication of how well this works? |
There are two types of 'invalid psk' errors:
I validate invitation code data before psk reaches libp2p constructor so technically this should not happen (with regular application usage).
This option is a bit more complicated, maybe we could think of a solution as part of the next task.
|
Let's create a backlog issue for showing an error. #2014 |
I noticed that the target peer throws ERR_ENCRYPTION_FAILED a few times even if psk is correct, then approves connection. |
I found this issue: ipfs/js-ipfs#3702 This is thought to be fixed in a newer libp2p. How much of a delay does this cause in connecting? |
See: https://github.com/TryQuiet/quiet/blob/1fe325e798585c727c21766085d17b636871394d/packages/backend/src/libp2p/websocketOverTor/index.ts
Historically, we used TLS mutual auth on websocket connections between peers using the owner as the CA. So two peers could not connect unless they each had a cert signed by the owner. It also somewhat discourages a member pretending to be the owner and signing another member's cert, since if that happened, that other member would be unable to connect to most people (and so it would sort of be a community fork).
When invited you would first connect to the owner. If someone gave you an invalid invite link, you would get a cert signed by the wrong owner and then you wouldn't be able to connect to anyone.
We are no longer doing this, because we are not issuing username certificates until after they have joined (when the owner comes online next).
Can a PSK be used in place of TLS mutual auth?
One difference is a PSK is non revokable, whereas a cert is revokable. If someone shares the PSK with someone else, they can join the network. If someone shares their cert/key with someone else they can also join, but it's easier to trace who is leaking their credentials and revoke that certificate.
Can we use a chain of trust with TLS mutual auth?
Another alternative is a chain of trust, if an existing member of the community signs a user's cert and that member's cert was signed by the owner, then we can use that chain for TLS mutual auth. This way, nobody can connect unless they share a cert signed by a mutally trusted party.
How would this work with unique usernames?
There are a variety of options, including:
The text was updated successfully, but these errors were encountered: