Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: treat the handle as private info #638

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat: treat the handle as private info #638

wants to merge 3 commits into from

Conversation

GeopJr
Copy link
Owner

@GeopJr GeopJr commented Nov 11, 2023
edited

⚠️ This is a secrets version bump - you'll be asked to re-login. You can safely move back to the main branch and your old logins will work just fine. If anything happens, go to Passwords and Keys and remove all Tuba entries. ⚠️

Mostly an RFC. This PR will treat the instance account handle as private info.

The good

UUIDs will be used instead to distinguish your account outside of Tuba. That includes both the secrets and gsettings.

Benefits

  • Per account settings (when done), will be under /dev/geopjr/Tuba/.../e1cb8003-044e-4353-aa72-34aa7f9714fb/ instead of /dev/geopjr/Tuba/.../mastodon_at_mastodon_dot_social/
  • The last active account will also become e1cb8003-044e-4353-aa72-34aa7f9714fb instead of [at]mastodon[at]mastodon.social
  • Same for the wallet login attribute
  • With feat: network cleanup #616, individual caches will be possible and anonymous .cache/Tuba/e1cb8003-044e-4353-aa72-34aa7f9714fb/images/

Why

An example scenario for this threat model would be: A device belonging to an activist gets compromised, either physically (if the device is unencrypted) or remotely. The attacker can easily associate them with their online accounts from Tuba using gsettings or .cache.

Obviously there will be other ways for that info to be found but since we can prevent Tuba's impact we might as well do it.

The bad

While I've set it up in a way to generate the UUID's on existing logins without having to re-auth, it might be needed if we want to use UUIDs even on secret attributes. I need to take a deeper look into it.{1}

The change is basically this:
image

There's an additional downside of not recognizing the keys right away.
Changing the attributes will require a re-auth.

edit: {1}

It is recommended that attribute names are human readable, and kept simple for the sake of simplicity.
...
Services implementing this API will probably store attributes in an unencrypted manner in order to support simple and effecient lookups.
https://specifications.freedesktop.org/secret-service/latest/ch05.html

🤔

edit 2: from my understanding, gnome-keyring actually hashes the attributes which is great! This PR is probably no longer needed then

@GeopJr GeopJr mentioned this pull request Dec 2, 2023
Merged
@GeopJr GeopJr mentioned this pull request Dec 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@GeopJr