staltz / ssb-room-broker-auth-spec
Draft spec
Home Page: https://staltz.github.io/ssb-room-broker-auth-spec
License: Other
Suppose the room server is malicious and once a remote peer tries to use a tokenized alias URL, the server just responds false to the brokerAuth.request() (pretending that the alias owner is offline) and then proceeds to abuse that token to introduce another evil buddy to consume that token and force the alias owner to follow the evil buddy. Boom.
We could try to sign or encrypt the token somehow, but in general, the room server MUST NOT know what the plaintext token is. On the other hand, how are we going to do that? The first step is the remote peer visiting the tokenized alias URL in a browser and the web browser replying with an SSB URI, which will then open the SSB app and make the muxrpc calls.
Allow the possibility that a token can be used by many remote peers.
Problem: avoid spam from attackers trying to use the room alias. If anyone with a new app can input my alias, then that could cause a popup on my app asking for approval. The popups can get too intrusive if it's about an attacker and I have to reject them every time.
Idea: When the new app sends brokerAuth.request() it can also send a partial proof that it owns the same SSB ID, sort of like a "password". It could be the 1st word in the 24 words phrase. The "proofword".
This would create a lot more friction to brute force attacks because the room can detect that an attacker is calling too many brokerAuth.request()s and ban the attacker based on SSB ID or IP. And even in the worst case where the attacker guesses the correct 1st word (out of 2048 words), the effect is not a breach, it's simply that the old app would show the popup asking for permission.