<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: suiiii</title>
    <description>The latest articles on Forem by suiiii (@suicide).</description>
    <link>https://forem.com/suicide</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F697600%2Fc5c5d9c1-11ce-419c-bbf2-581ecb342247.png</url>
      <title>Forem: suiiii</title>
      <link>https://forem.com/suicide</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/suicide"/>
    <language>en</language>
    <item>
      <title>Web &lt;=2.0 Apps/Sites are Never Safe to Use</title>
      <dc:creator>suiiii</dc:creator>
      <pubDate>Thu, 14 Apr 2022 17:48:46 +0000</pubDate>
      <link>https://forem.com/suicide/web-20-appssites-are-never-safe-to-use-c98</link>
      <guid>https://forem.com/suicide/web-20-appssites-are-never-safe-to-use-c98</guid>
      <description>&lt;p&gt;A bit of a stretch title here, but just think about it:&lt;/p&gt;

&lt;p&gt;Almost all of the webapps you are using today are not really safe to use. And I am not talking about everything being somehow hackable like in the movies, but about actual threats that sneak into your systems.&lt;/p&gt;

&lt;h2&gt;Is this Safe?&lt;/h2&gt;

&lt;p&gt;From a user's perspective, he visits your app, gets a somehow valid SSL certificate (a green lock in the old days), and matches the URL of your app just to be sure before he interacts with it. That is what many sites promote to users as safety checks. But this basically doesn't cover anything and gives the user false trust in your app.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;How does he know that he is actually communicating with your app? There could still be a man in the middle attack going on.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Can the user be sure that your app is not doing something fishy in the background? Can you be sure about that?&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So from a user's perspective he just has to trust you as a developer that you are not scamming him. There is just no way for him to know with 100% certainty what is happening in your app.&lt;/p&gt;

&lt;h2&gt;Malicious code and behavior&lt;/h2&gt;

&lt;p&gt;Do you know what code you deliver towards your users? I don't mean what you intend to deliver but what you actually do?&lt;/p&gt;

&lt;p&gt;Say you have a typical setup: you push your change into your git, your CI builds, tests, and deploys your app into your cloud kubernetes cluster. Your change is live within a couple of minutes, fully tested. And you are a paranoid type, so you sign your commits, only signed commits are built, and your container images are also signed and thus only signed containers are being deployed in your k8s. Sounds great!&lt;/p&gt;

&lt;p&gt;But this is actually quite a long chain of stops for your app where things can go wrong:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Maybe one of your colleagues is about to get fired and commits some backdoor... do you peer review everything?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Do you actually trust your CI? Maybe you have a third party container based CI like GitHub Actions or Gitlab. How much do you know about that platform? Does your build image contain malicious code?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Maybe a dependency of yours changes without you realizing and now does some spooky thing in the background? Did you 100% pin that thing? And now that weird change is in your signed container image...&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Does your k8s cloud provider actually execute your app without changing it? And does Cloud Service XYZ not change or read your data?&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Can you actually be sure that there is nothing fishy going on? Do you even check for that?&lt;/p&gt;

&lt;h2&gt;Verification is key&lt;/h2&gt;

&lt;p&gt;Instead of trusting your build pipeline you need a way to verify that it is producing valid artifacts. One way to do that is by using &lt;strong&gt;reproducible builds&lt;/strong&gt;. This way you could do automatic checks with multiple independent pipelines or just sporadic manual checkups by comparing a local build with your CI artifacts. This gives you a tool to actually verify that your artifacts weren't tampered with.&lt;/p&gt;

&lt;p&gt;What about your actual runtime? Well, this gets a bit more tricky. Having your app running in a public cloud, you never actually know what is going on. Self hosting your app might be an option, but how do you know that nobody infiltrated your company's network and changed your running app? You could build your app as physical hardware (like soldering circuits etc.) but that is just not an option.&lt;/p&gt;

&lt;p&gt;Doing a 180, you could host your app publicly. Dynamically having your workloads run on different, independent hosters: various clouds, some server farm, on someone's server at home. Services like Akash Network go in that direction and provide a decentralized cloud platform.&lt;/p&gt;

&lt;p&gt;But from a user's perspective only the code and the execution he can verify is safe. Meaning any closed source code that runs on some closed network is by definition not safe, because he cannot verify it. Thus systems like facebook, banks, government tax apps and pretty much everything else are not safe to use, and providing any (sensitive) data to them is kind of dangerous, because you do not know what happens with it.&lt;/p&gt;

&lt;p&gt;Looking at your typical web3 app that hosts its open source system on IPFS and some blockchain, the user is actually able to verify the code, the build artifacts and the execution. Thus, such a system is safe(r) to use, if the user does his homework by actually verifying and if we ignore bugs and security issues in the code for this argument.&lt;/p&gt;

&lt;h2&gt;Conclusion&lt;/h2&gt;

&lt;p&gt;Today basically all major apps we use are closed source and run behind closed doors. Users and developers do not actually 100% know what is going on in there and the less information we have about an app the less we can trust that it is doing what it is supposed to do.&lt;/p&gt;

&lt;p&gt;Openness is essential for users and developers to verify an app in its code and its execution.&lt;/p&gt;

&lt;p&gt;With the public becoming more aware of software supply chain issues and security vulnerabilities developers need to take measures to increase trust in their applications. And trust is best created by verifying (at least in software).&lt;/p&gt;

</description>
      <category>security</category>
      <category>opensource</category>
      <category>devops</category>
    </item>
    <item>
      <title>Trust Issues</title>
      <dc:creator>suiiii</dc:creator>
      <pubDate>Fri, 18 Mar 2022 16:29:49 +0000</pubDate>
      <link>https://forem.com/suicide/trust-issues-4hno</link>
      <guid>https://forem.com/suicide/trust-issues-4hno</guid>
      <description>&lt;p&gt;This is just an abbreviated chain of thoughts to get you thinking.&lt;/p&gt;

&lt;h2&gt;Who do you trust and why?&lt;/h2&gt;

&lt;p&gt;Our world is based on trust. We trust our bank to safeguard our huge stacks of money, we trust our girlfriend or boyfriend and we trust this little lock in the browser address bar.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;But why do we trust them?&lt;/strong&gt; How have they earned our trust so that we entrust them with our valuables and our secrets?&lt;/p&gt;

&lt;p&gt;I hope your SO has proven worthy of your trust. But what about your bank? Why do you put your money in the bank? Because everybody does that and only criminals and paranoid weirdos keep their money in their mattresses? Well having money in the bank has some upsides like being able to do money transfers (and other stuff which are other issues) and if the bank gets robbed your money is hopefully insured. But is your money actually safe, does your bank actually have your money? Just think of the last financial crisis(es) and money runs...&lt;/p&gt;

&lt;p&gt;And what about that SSL certificate on this website? It is trusted because it was issued by a CA that is trusted by the browser. But why is that CA trusted? Do you actually trust that company that you might have never heard of? How has it earned your trust? Is it just because your browser says that it's fine? And do you trust this site that is using this cert? Do they properly handle the private key or is this encryption just for nothing?&lt;/p&gt;

&lt;h2&gt;Verification&lt;/h2&gt;

&lt;p&gt;To compensate for these trust issues you could actually &lt;strong&gt;verify&lt;/strong&gt; everything.&lt;/p&gt;

&lt;p&gt;You could go to the bank every day and let them show you your stacks of money. (Which they won't show you, because they don't actually have it.)&lt;/p&gt;

&lt;p&gt;You could follow your SO everywhere, check their email, phone, and social media so you are sure that they don't cheat on you. (This will probably kill your relationship, so let's skip this example)&lt;/p&gt;

&lt;p&gt;And you could try to get verification that the SSL certificate was properly delivered and handled all the way from creation to deployment. But those are probably a lot of verification points you need to check. So this is kind of hard to do.&lt;/p&gt;

&lt;h2&gt;Let's be real&lt;/h2&gt;

&lt;p&gt;You cannot verify everything by yourself. You actually need to have trust in something that is worthy of your trust. But you have to define what is &lt;strong&gt;trustworthy for yourself&lt;/strong&gt;. Is the government trustworthy just because it is the government? Is that IMDB rating trustworthy because 100k users supposedly rated it? Is an equation like &lt;code&gt;1 + 1 = 2&lt;/code&gt; worthy?&lt;/p&gt;

&lt;p&gt;Math is probably a thing we all can agree on, because we can "easily" verify it. From here we quickly get to cryptography and cryptographic proofs that give us a very high probability that some fact holds true.&lt;/p&gt;

&lt;p&gt;However, those kinds of systems still require some sort of trust in math and something else. Thinking of email encryption, you need to trust the encryption method and the public key of the message recipient. Meaning you have to trust that the key does actually belong to the person you want to communicate with and that he or she is still in control of that private key.&lt;/p&gt;

&lt;p&gt;I'd argue that something like wikipedia in its concept is more or less trustworthy but that trust requires your attention. The ideal wikipedia article is crowd sourced by multiple "experts" and proofed with multiple factual sources. So you need to fact check that information you read in an article. But who actually does that? There are people who do that and change the article in case of issues. So most people trust that this system works out somehow. But there is no guarantee for that and there is actually no real incentive for people to add correct information other than their pride maybe.&lt;/p&gt;

&lt;p&gt;But let's imagine for a second: What if wikipedia paid you for contributing useful and correct information? And if it turned out your information was BS, you would actually have to pay wikipedia. In general this would incentivise people to make wikipedia better and thus more trustworthy for everyone.&lt;/p&gt;

&lt;p&gt;These kinds of systems do actually exist, for example in some crypto systems. Are they fault proof? No! But I would argue that open and publicly verifiable systems are more trustworthy than closed ones. There is a reason why all "good" encryption methods are public and why your bank's systems are closed off.&lt;/p&gt;

&lt;p&gt;But having one trustworthy system is not enough. Imagine you can actually trust that green lock in the browser bar. Does that actually mean that the site you visit is safe? Does this prevent the web dev from injecting malware in your browser? We do actually need a complete chain of trustworthy systems...&lt;/p&gt;

</description>
      <category>trust</category>
      <category>encryption</category>
      <category>security</category>
    </item>
    <item>
      <title>Bitcoin energy consumption is bad but this is not the question</title>
      <dc:creator>suiiii</dc:creator>
      <pubDate>Sun, 26 Sep 2021 22:35:48 +0000</pubDate>
      <link>https://forem.com/suicide/bitcoin-energy-consumption-is-bad-but-this-is-not-the-question-119n</link>
      <guid>https://forem.com/suicide/bitcoin-energy-consumption-is-bad-but-this-is-not-the-question-119n</guid>
      <description>&lt;p&gt;Just a heads up: This post will NOT provide a definitive answer, but will show you another perspective to think about.&lt;/p&gt;




&lt;p&gt;Right now, like at least every other week, I read something about bitcoin or crypto in general being bad for the environment. But I think that this is not the correct view on this topic. The question is actually:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Is Bitcoin worth it?&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Energy consumption is bad&lt;/h2&gt;

&lt;p&gt;Yes, consuming a lot of energy is &lt;strong&gt;always bad&lt;/strong&gt;. And of course, if the bitcoin network would use a lot less energy, that would be great. But why does it have to use so much power?&lt;/p&gt;

&lt;h2&gt;Why all that power?&lt;/h2&gt;

&lt;p&gt;Without going into the technical details, the power is used in the mining process to figure out a cryptographic challenge which is being brute forced. And for that you need a lot of computing power.&lt;/p&gt;

&lt;p&gt;But why is it designed in this way? Bitcoin is a &lt;em&gt;Proof of Work&lt;/em&gt; blockchain. Meaning that providing a solution for that challenge is a &lt;strong&gt;piece of work&lt;/strong&gt; which is rewarded with the ability to create a new block and get some BTC. And because getting BTC is lucrative, many network participants compete in finding the solution and at the same time monitor each other to find bad actors.&lt;/p&gt;

&lt;p&gt;This mechanism makes the bitcoin blockchain secure and with more people competing by mining, the network gets even more secure.&lt;/p&gt;

&lt;h2&gt;Is Bitcoin worth the energy? And what is worth something?&lt;/h2&gt;

&lt;p&gt;Let's not get into the philosophical question whether BTC has value like gold or the USD does. For simplicity, let's assume BTC does have some sort of value like fiat money, maybe even more value as it will eventually not be subject to inflation and it does have some other properties.&lt;/p&gt;

&lt;p&gt;Imagine some typical bank with a vault. This vault stores valuable items just like the bitcoin blockchain stores BTC. Is it worth it to build thick concrete walls and heavy metal doors to keep the vault safe from criminals?&lt;/p&gt;

&lt;p&gt;Is it worth the gas if you drive in your giant SUV to the next McDonald's to get a milk shake and drive back home?&lt;/p&gt;

&lt;p&gt;Is digging for gold and other precious metals worth destroying the environment?&lt;/p&gt;

&lt;p&gt;Is eating lots of meat still an option when it is clearly linked to climate change?&lt;/p&gt;

&lt;p&gt;Is wasting lots of energy worth having the tv on 24/7 and having lots of other devices in standby mode?&lt;/p&gt;

&lt;p&gt;I guess most of us will definitely say that these few examples are not worth it and that something should be done here. But in the end, people (including myself) are wasting energy and resources all over the place.&lt;/p&gt;

&lt;p&gt;But on the other hand, I pay for what I waste. I pay for the energy if I run my computer 24/7 without actually using it. If I pay for a whole chicken, only eat one leg, and throw the rest in the trash (&lt;em&gt;this is actually super super horrible, DON'T fu*king do that!&lt;/em&gt;) is that not my business?&lt;/p&gt;

&lt;p&gt;Well, yes and no. Yes you can do that, but we all know, you shouldn't. Just for the simple fact, that you are WASTING your money and resources and could get something productive or nice instead.&lt;/p&gt;

&lt;p&gt;But again it is all up to your and other people's perspective. If you think, something is worth something, it is worth something to you and you are willing to pay for it in one way or another.&lt;/p&gt;

&lt;h2&gt;The value of crypto is not visible (yet)&lt;/h2&gt;

&lt;p&gt;I guess in the minds of most people, crypto is still just a synonym for scammy internet money that is used by criminals and degens. I would argue that if the crypto ecosystem can get rid of this bad reputation, people would focus less on the mass energy consumption or even accept it as a necessity for the value it brings.&lt;/p&gt;

&lt;p&gt;If you think back a couple of years, people were concerned about data centers using large amounts of energy. However, today you barely read anything about that. Maybe because Google and friends try to build more efficient machines? Maybe because the cloud is so much "better"? And/Or maybe because consumers value the services these data centers seem to provide?&lt;/p&gt;

&lt;p&gt;I think it is a combination of all of that which showed data centers in a better light to the general public.&lt;/p&gt;

&lt;p&gt;Crypto, on the other hand, still hasn't shown its "real world" applications to ordinary people. There are of course real use cases, but only a minority of people have ever interacted with dapps or blockchains (at least knowingly). Furthermore, the media keeps pressing hard on those climate and energy arguments.&lt;/p&gt;

&lt;p&gt;There are plenty of revolutionary projects within the crypto ecosystem that could literally change the world for many of us. I think it is only a matter of time before one of these breaks out of its "niche" and finds broad adoption while changing the light on crypto.&lt;/p&gt;

</description>
      <category>bitcoin</category>
      <category>crypto</category>
      <category>environment</category>
      <category>value</category>
    </item>
    <item>
      <title>Data privacy: "We value your privacy" - No you don't</title>
      <dc:creator>suiiii</dc:creator>
      <pubDate>Mon, 13 Sep 2021 13:14:36 +0000</pubDate>
      <link>https://forem.com/suicide/data-privacy-we-value-your-privacy-no-you-don-t-2jjn</link>
      <guid>https://forem.com/suicide/data-privacy-we-value-your-privacy-no-you-don-t-2jjn</guid>
      <description>&lt;p&gt;Once again, I was reading some news site and the usual cookie message showed up blocking the whole content and wanting me to allow them to do whatever with whatever. I mean, who does actually reads the stuff besides lawyers who want to sue everyone?&lt;/p&gt;

&lt;p&gt;But this time I actually read the heading: "We value your privacy". And this just triggered me. Do they actually care about my privacy? Do they really value and protect my data?&lt;/p&gt;

&lt;h2&gt;What do they actually value?&lt;/h2&gt;

&lt;p&gt;Do they value my privacy? Well, they DO value my data. And they value not getting sued because they do not comply with GDPR (or whatever law that applies).&lt;/p&gt;

&lt;p&gt;I guess everybody knows why they value our data. A tldr: it's basically for advertising and other marketing and thus to spam you with stuff to buy (or at least part of it).&lt;/p&gt;

&lt;p&gt;Is complying with GDPR actually &lt;em&gt;valuing&lt;/em&gt; our data? Well, for some companies that is probably true, but for the vast majority?... at least it does not seem so.&lt;/p&gt;

&lt;p&gt;But before we get into that, let's quickly say something about GDPR...&lt;/p&gt;

&lt;h2&gt;GDPR and other laws&lt;/h2&gt;

&lt;p&gt;GDPR and similar laws call, among other things, for data scarcity. This means companies have to minimize the data they collect from you in order to do their business.&lt;/p&gt;

&lt;p&gt;For example, an online shop is probably allowed to collect and store your name, address, birthday, IP, credit card after you consented to this and obviously somehow provided that information. Name and address are needed because they need to send you the stuff you bought. Maybe they need to verify you are an adult (what did you buy o.O ?). They store your IP because you might be DOS'ing their systems and your credit card is obviously needed to pay. So that shop has good reasons to store that data and you acknowledge that when you click on that cookie thing (and their terms of service). Well, that cookie thing actually allows them most of the time to store identifying cookies in your browser to track your activity and share that information with their "partners" (all depending on what they actually do, but let's keep it simple) &lt;/p&gt;

&lt;p&gt;But if they want to collect the color of your eyes, the shop could probably not properly argue that they actually need that info. So they are legally not allowed to store it. But just because they are not allowed to, there is nothing that does actually prevent them from doing so anyway...&lt;/p&gt;

&lt;p&gt;And one other important thing: The shop is responsible for your data now. They are legally bound to protect it from leaking. So they have to have some &lt;em&gt;appropriate&lt;/em&gt; security measures in place (whatever those actually are).&lt;/p&gt;

&lt;h2&gt;Handling (personal) data is pain&lt;/h2&gt;

&lt;p&gt;I am working on a small marketing website and GDPR or data privacy related topics are my daily business.&lt;br&gt;
Our customer wants the users to fill out a form with their private info before they can download some &lt;em&gt;very useful&lt;/em&gt; whitepaper. Where do you store that? How do you handle that data? Who is allowed to access it? These are just some questions that need to be answered. And especially in a large enterprise these questions are hard to answer because many people and divisions are involved and you have to follow more and more rules.&lt;/p&gt;

&lt;p&gt;The more sensitive the data is, the more restrictive everything becomes, just a couple examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You use a database? - You have to encrypt that database, even if all data is public (in general this makes sense, but sometimes it just doesn't)&lt;/li&gt;
&lt;li&gt;Are you processing customer data? - You have to host in Germany&lt;/li&gt;
&lt;li&gt;Are you processing employee data? - You have to host on-prem&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This list becomes ever more annoying and it is fairly easy to get into one of the higher security classifications.&lt;/p&gt;

&lt;p&gt;I am all for the appropriate security measures if you handle sensitive data, but as a developer it becomes pure pain to work in super restrictive environments as it slows everything down and there are the same endless discussions.&lt;/p&gt;

&lt;p&gt;And in the end it is all for a small feature of your otherwise public app.&lt;/p&gt;

&lt;p&gt;Furthermore, security is just a best effort. No system will ever be 100% secure. One weak spot can lead to massive incidents and even teams with hundreds of people just for security will eventually miss something. Just a thing to keep in mind. &lt;/p&gt;

&lt;h2&gt;They don't value our privacy&lt;/h2&gt;

&lt;h3&gt;Advertising&lt;/h3&gt;

&lt;p&gt;Thinking of anything that is advertising related, they couldn't care less about your privacy, because "you are the product". The more they know about you the better they can sell you stuff. Whether that is in your interest or not, is up to you. I mean, this can actually be helpful if ads are really well targeted and point you to stuff that is great and you actually like. But most of the time their targets are way off, at least in my case.&lt;/p&gt;

&lt;p&gt;This was talked about so much, so let's cut it short here.&lt;/p&gt;

&lt;h3&gt;They do not actually need your data&lt;/h3&gt;

&lt;p&gt;Think of the last supermarket you went to. Did they ask for your name and address? Your phone number for contacting you? That would be weird, right? Did you leave your credit card with them, so checkout is faster next time? I guess nobody would actually do that IRL, but why do we leave that data with almost any online shop or service? You wouldn't trust your supermarket with your card, why do you trust some weird online shop?&lt;/p&gt;

&lt;p&gt;Getting a newsletter with your real name in it or faster checkout are some "neat" features, but are those essential? Do you actually want them? Especially if they leak your credit card info and you need to order a new one?&lt;/p&gt;

&lt;p&gt;Those features are everywhere because someone once thought they were cool and today they are burnt into our brains as some must-haves. Such thinking is actually irresponsible. So they might actually think they value your privacy by securely storing your information, but collecting it in the first place is in most cases just unnecessary.&lt;/p&gt;

&lt;p&gt;Does Facebook need your real name and email to post something on their site?&lt;br&gt;
Does your bank actually need your data to give you 0% interest? They just want your money, you are actually just an annoyance&lt;br&gt;
Do Visa and Mastercard need your data? They just want you to buy stuff with that card and to pay your bill late. Your data is not needed for actually paying something, but for breaking your legs and taking your house they obviously need your name and address.&lt;br&gt;
Even Signal, which is supposed to be secure, why do they need your phone number? In many countries your phone number is tied to your ID.&lt;/p&gt;

&lt;p&gt;Yes, some of these need to collect that data by law, but that is another topic.&lt;/p&gt;

&lt;h2&gt;Be better&lt;/h2&gt;

&lt;p&gt;GDPR wants us as developers to practice data scarcity and as I told you, having other people's data is a pain and a responsibility. (Insert spider-man quote here) And I for one don't want to have either.&lt;/p&gt;

&lt;p&gt;So for your next app, actually think about what data is really really required while also checking what pains you have to endure in return.&lt;br&gt;
In general, having nothing is the best and less is more. Not having data is one less thing haunting your soul.&lt;/p&gt;

&lt;h3&gt;Just some suggestions&lt;/h3&gt;

&lt;p&gt;Just two quick suggestions that might point you in the right direction. These are however kind of "niche" technologies today.&lt;/p&gt;

&lt;h4&gt;Webauthn/Fido&lt;/h4&gt;

&lt;p&gt;If you have to create some sort of account and authentication system, why not use a public/private key mechanism? The public key could be your primary identifier (like a username or email) and at the same time takes the place of the password. Webauthn is a rather new standard that provides such an authentication mechanism. It is actually supported by larger tech sites/apps like Google, Github and even Windows.&lt;/p&gt;

&lt;p&gt;Sure, you need some sort of hardware key, but the more apps are supporting and even pushing it, the more adoption it will find.&lt;/p&gt;

&lt;p&gt;Just an example: If you do your taxes in Germany you are probably using such a public key mechanism. However, it is implemented in an annoying way because your private key is generated for you and you need to download and store the file. Using a yubikey would be much more comfortable.&lt;/p&gt;

&lt;p&gt;While using an email address as your login also allows you to send your users "important" information, your users might actually not care about that. Again imagine some random online shop you used years ago and you are still receiving emails because they have hot deals or changed their terms of use, but you are too lazy to do anything about it.&lt;/p&gt;

&lt;p&gt;How about instead of pushing this information to your users you have them pull it? Publish your important info on twitter or maybe have an old school RSS feed that your users can consume if they wish. Again this might be weird for your users, but by inverting the flow of information you don't have to store their personal data.&lt;/p&gt;

&lt;p&gt;You could also just ask for a username and password while making an email optional in case your user wants to be able to recover that password. There are probably many other ways to do this...&lt;/p&gt;

&lt;h4&gt;Crypto Wallet&lt;/h4&gt;

&lt;p&gt;You could also use a crypto wallet as your login like most Dapps already do. But I actually want to point to something else:&lt;/p&gt;

&lt;p&gt;Instead of using Paypal or, even worse, storing your user's credit card information, you could have your users pseudonymously pay with crypto into some wallet you own. As soon as the crypto arrives, payment is fulfilled and you can send the product or unlock the service. This way you just monitor that wallet and do not care where the money comes from (also because you do not know). And as you do not have any information besides the fact that you received money, you do not have to hide or secure any data, especially since the transaction is also public on chain.&lt;/p&gt;

&lt;p&gt;Again inverting and decoupling helps you not to have data that you otherwise have to secure. Sounds a little bit like inversion of control if you ask me.&lt;/p&gt;

&lt;h2&gt;TLDR&lt;/h2&gt;

&lt;p&gt;In most cases you do not actually need or want your user's data as you are legally bound to secure it which is a whole other super complex topic. Instead, having just the minimal amount of user data, which in many cases is practically nothing, is the most painless and secure way to go for you and your users.&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>data</category>
      <category>security</category>
      <category>cookies</category>
    </item>
    <item>
      <title>Does signing your container images improve security?</title>
      <dc:creator>suiiii</dc:creator>
      <pubDate>Thu, 02 Sep 2021 12:24:07 +0000</pubDate>
      <link>https://forem.com/suicide/does-signing-your-container-images-improve-security-2nek</link>
      <guid>https://forem.com/suicide/does-signing-your-container-images-improve-security-2nek</guid>
      <description>&lt;p&gt;Disclaimer: These are just some quick thoughts without diving too deep into it.&lt;/p&gt;

&lt;p&gt;Recently my company's security department announced that all container images must be signed and that this signature has to be verified. But does that actually improve security?&lt;/p&gt;

&lt;p&gt;Signing an image in general is not a bad thing. I would even argue that you should do it so you can verify that it actually originated from your CI or whatever your build process is. So yes, it probably improves the security of your app or operation. End of discussion... ?&lt;/p&gt;

&lt;p&gt;But this is to some degree an insufficient dream of security. Signing an image like the base nodejs image on Docker Hub does give you more confidence that you can actually trust it. However, what if that CI is compromised and someone is able to create rogue images that are actually signed? In case of nodejs that would be pretty bad but I would figure that such manipulation would be identified rather quickly just because such images are widely used and thus monitored by a lot of parties.&lt;/p&gt;

&lt;p&gt;That is probably not true for your own images. If your CI is compromised and replaces your-app:1.1.0 with a new signed image you would probably not realize that until it is way too late. You could disallow replacing image tags but that does not stop them from creating new bad tags. The only way at this point to sufficiently ensure that you have the correct image is by using its digest. This is rather annoying to handle depending on your setup but it gives you the confidence that you are deploying exactly what you intended even without signing the image. (Of course, this only works as long as the underlying hash function is secure enough)&lt;/p&gt;

&lt;p&gt;This sounds easy but at this point it is a chicken-egg problem. Where do you get the digest if you can only partially trust your CI? From building your image with your local docker? Sadly, no. The reason for that is the fact that &lt;code&gt;docker build&lt;/code&gt; does timestamp your images/layers. If you &lt;code&gt;docker build&lt;/code&gt; your app locally multiple times in a row it just gives you the illusion that your build is reproducible because of caching. If your colleague or your CI creates the image they will get another digest. (The last time I checked this was a couple of months ago. If that is not true anymore please correct me)&lt;/p&gt;

&lt;p&gt;In order to create the &lt;em&gt;correct&lt;/em&gt; digest locally and everywhere you need to make your build actually reproducible, which is not an easy task depending on your tooling. For the container image creation part: &lt;em&gt;&lt;a href="https://buildah.io/"&gt;Buildah&lt;/a&gt;&lt;/em&gt; is a powerful alternative to &lt;code&gt;docker build&lt;/code&gt; which is able to strip the timestamps. But I am sure there are plenty of other tools out there.&lt;/p&gt;

&lt;p&gt;Skipping a few other details, your Git repo now truly became your single source of truth (and build [and vulnerability]). So what if some bad actor commits to your Git? (here the circle comes to completion) Then you should probably only work with signed commits and code reviews. But the fact that you can actually review changes, check the signatures of your teammates, and talk to them makes this much easier to work with. And also the decentralization of Git helps to find manipulation.&lt;/p&gt;

&lt;p&gt;There are obviously a lot of other attack vectors that you need to think of and address. But this is just a never ending story.&lt;/p&gt;

&lt;p&gt;Another last thought: having just a single central CI is of course vulnerable and you just trust that whatever falls out of it on the other end is correct and good? Maybe it is time for a decentralized network of CIs that build and check your artifacts independently?&lt;/p&gt;

</description>
      <category>docker</category>
      <category>security</category>
      <category>ci</category>
      <category>reproducible</category>
    </item>
  </channel>
</rss>
