Comments (7)
The problem can be solved by adding another specific key, which is generated at every page request. This key should grant permissions to the client:
- 'use this key only at this page';
- 'use this key only within security time range'.
The first one is easy to break, as an intruder can emulate the page environment in the notification request by setting the required HTTP headers or other request parameters.
One possible solution for 2. is a time-synchronized one-time password technique (http://en.wikipedia.org/wiki/One-time_password#Time-synchronized ). It involves a symmetric-key algorithm (http://en.wikipedia.org/wiki/Symmetric-key_algorithm ):
- a secret cryptographic key is shared between the web server (which serves the page with the Airbrake notifier.js) and the Airbrake.io API server;
- at each page request the current time (T) is encrypted with the secret key: T -> Ts;
- the notification message includes the encrypted time Ts and the API key;
- the server decrypts Ts with the secret key attached to the received API key. If the decrypted time is in the security time range, the notification is confirmed; else it is rejected.
The point is that the time key Ts can only be used within the security time range. If the user doesn't reload the page for longer than that, Ts becomes invalid and can't be used to send notifications.
Every page visitor has access to the time key Ts, but it is valid only for a limited period of time. This solution makes malicious API key usage harder, but still possible: the intruder can obtain fresh time keys by parsing the page retrieved from the original web server.
from airbrake-js.
Has this been an issue for anyone? @benarent Have you seen abuse of this type happening?
I'm not sure how the back-end side works, but we could issue multiple API keys per project which could be revoked. My feeling is that a complicated system like the one described would lead to more problems than it solves.
from airbrake-js.
@duncanbeevers I think it's less of an issue as it's just a write only key, and if someone steals it and sends bad data the key can be easily revoked.
Marking as closed.
from airbrake-js.
Hi @benarent
Referring to your comment on 26 Nov 2013,
"I think it's less of an issue as it's just a write only key, and if someone steals it and sends bad data the key can be easily revoked."
In the solution you mentioned, what if there is a group of persistent hackers targeting the site? How many times would one have to repeat the process of revoking and re-deploying the site with a new API key?
Isn't there a way to do it like Firebase (firebase.google.com) does?
They allow users to expose their API key in client-side JavaScript because they have good security rules that check for privileges before one can read or write to the database, storage, etc.
from airbrake-js.
@choopage the worst case scenario here is that a malicious party could send errors or deploys to your project. It's a write-only key. This would easily be resolved by rotating your api-key, and we've not yet had any reported case of this happening.
"what if there is a group of persistent hackers targeting the site, so how many times does one have to repeat the process of revocation and re-deploy the site with the new API key?"
This would be inconvenient, but it is the worst that a group of persistent hackers can achieve with your key.
from airbrake-js.
Any chance this could be added to the readme or a FAQ section? I think it would be good to acknowledge this upfront so people are aware of any risks, however minimal.
from airbrake-js.
Reopening this, but I think we should provide some way to improve security rather than adding a warning without possible workarounds.
from airbrake-js.