-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Thoughts That Sprung To Mind Around Security and Abuse #33
Comments
Hey @Grunet, thanks for raising this issue! Security and abuse are things I take seriously. To answer your issue points:
I touch on this a bit in #30. Right now the out-of-band validation is me, in that approval is a completely manual step, and I review both the person submitting, and the URLs they provide. Participation in the webring requires trust in me, but I view this as no different than trust in:
I also hope my reputation in the community can do some of the lifting here, as well as (hopefully) a groundswell of trust from having many participants who have non-malicious content.
This is something I took a lot of time researching to ensure the attack surface area was as minimal as possible. To that point, here are potential vectors and what I'm doing about them:
As for the content itself on other sites, that is out of my hands. We have run into similar situations with The A11Y Project, through both public and private reports, where resource content points to sites that have been compromised (usually for porn or crypto scams). For this situation, the link is updated or removed. If this situation were to happen with the webring, deleting the offending site from our Additionally, the webring updates on pull request merge thanks to Netlify. This means the moment the site is removed from GitHub, the redirect is removed from the live site. In this situation, the only chance of a compromised site being visited is someone directly clicking on a member entry link from a browser session that hasn't been refreshed—the Netlify functions for previous, random, and next sites in the webring will no longer point folks to the removed site. In summary:
I like this idea! I'm unsure how we could detect a change in content to something unsavory, but it would be good for at least catching 404s. Do you know of any resources I could investigate in this space? And two more questions for you, if you don't mind:
|
Cool beans, I had a feeling you'd already thought through this (given everything lol) I just couldn't find a discussion of it. Really really thorough analysis and setup! Very nice job
On that note, yeah if it's not too much trouble I think a security.md with some of this info would be great! Well for any strangers like myself at least lol. Not a huge deal though with this issue conversation now in existence. Supply chain security is the only thing that still comes to mind after reading through it. Like I think I follow that the netlify CLI in the package-lock.json is what's used to deploy the edge function (or something like that?) but I'm not exactly sure where that happens from (one risk being if it happens from an "unclean" place like someone's local computer that could be compromised, the deploy could get infected too. Something like this led to the recent CircleCI breach over the holidays as I understand). No need to automate it really, but always nice to do it from someplace "clean" (like a Github Codespace) if possible, especially if any sensitive environment variables (or similar) need to be used. EDIT: Actually never mind I think I understand now the Netlify-to-Github integration probably extends to the edge functions and the CLI is only for local testing (or something?) which obviates the above!
It definitely can't hurt from a security and privacy perspective to restrict to HTTPS I think, or I guess at least ask if there are any really hard blockers preventing someone from using it? I'm not super familiar with what Certificate Authorities do and don't work nicely with various platforms.
I'm not seeing anything around Netlify edge functions from some light googling (which I guess makes sense since any gateway would be fully managed by Netlify?). You're already emitting app-level logs with the redirects (nice!) but yeah idk if there's anything else to be done (for reference I was thinking of something like an AWS or GCP managed load balancer that records a log for every request that comes in and out of them, independent of the backend behind them. But even they might not capture header info by default now that I try to remember) As for 404s, I haven't seen yet how the Netlify edge function could return one (though I might have missed something?). In terms of detecting if the page being redirected to is 404-ing, I'm not sure if this is possible without directly requesting the page from the edge function before trying to redirect to it (or like doing this on a scheduled cadence or something). Maybe it is, though it seems like that would be odd. *Also disclaimer I don't even have a personal site to join with at the moment so take my initial thoughts and all of this with that huge grain of salt lol |
Will do!
HTTPS was notoriously difficult to set up before Let’s Encrypt, but it is pretty turnkey nowadays for most services. I can add that to the evaluation criteria.
I used Codespaces to develop this! And yep, the the CLI stuff is only for local development (proxied if a Codespace is used).
Check out #40! It's not ready to be merged yet, but it will identify anything outside the |
Your issue
Thoughts That Sprung To Mind Around Security and Abuse
Want to preface by emphasizing I think this is a super neat idea that could be super beneficial to the community, and to thank everyone involved for their work on it.
When I was trying to wrap my head around what it was, I had a few thoughts spring to mind around security and abuse scenarios. I wanted to share them just to get them out of my head and better understand if they're actually pointing to anything.
Malicious Actor Posing as Someone Else
If someone malicious submits a request to join, maybe posing as someone else in the community and using their website but with a tiny difference that's hard to spot (like 1 letter off in the domain name, or other standard email phishing sort of techniques) that looks exactly like that person's actual website, it seems like they might be able to sneak in and then phish users of the webring.
Rough Idea to Combat Malicious Actor Posing as Someone Else
Add a out-of-band validation step to make sure the person is who they say they are (e.g. reaching out on one of the socials they offer. Presumably that's harder to manufacture replicas of? Not sure)
Link Destinations Being Masked are Challenging
Similar to the email phishing analogy above, it seems like it'd be hard for a user to safely evaluate whether or not to follow a previous/next/random link since you can't easily tell where it's going to take you or if it might be a malicious site.
Even with no malicious sites in the webring, there's also the concern of the webring's backend getting compromised and a malicious actor taking control of the redirection (e.g. for phishing) without anyone noticing.
Rough Idea to Combat Link Destinations Being Masked are Challenging
If there's some kind of independent way from the backend resource to monitor the redirects that are occurring (e.g. via gateway access logs) presumably it'd be possible to detect if something is going awry with them
Code of conduct
The text was updated successfully, but these errors were encountered: