From: Michael Ströder <michael@stroeder.com>
To: galene@lists.galene.org
Subject: [Galene] Re: "This operation is insecure"
Date: Thu, 28 Jan 2021 14:11:37 +0100
Message-ID: <43b9a09b-da17-9efc-fa69-71b1fe616c56@stroeder.com>
In-Reply-To: <87ft2m9hve.wl-jch@irif.fr>
List-Id: Galène videoconferencing server discussion list
On 1/27/21 10:42 PM, Juliusz Chroboczek wrote:
> Perhaps you could explain why you are munging the headers in the frontend.
> Is there an actual attack that you're concerned about?

I remember various pen-testing talks about attacking even via rogue frames, CSS files and fonts, depending on browser versions. So it's IMHO good practice to disable everything not really needed (least-privilege). Same spirit why I'm using systemd's sand-boxing options [1] and an AppArmor profile [2].

What you could do to prevent some of the attacks is to use Subresource Integrity Hashes in HTML source [3]. Yes, it requires you to commit the correct hashes in galene.html when changing any CSS, JS, font files included from there.

> If so, then we should think together about avoiding the attack,
> rather than having each user use their own idiosyncratic set of
> security-related headers.

Agreed. Avoiding attacks is a primary goal for you as a developer of a network service. And I appreciate that you take care. But you cannot influence the client side or fix issues yet unknown. E.g. the AppArmor profile is IMHO definitely a good mitigation against the recent sudo attack vector or similar. Yes, I've already updated sudo on my systems. But we all learned about this only two days ago. The AppArmor profile was in place before.

I'm super-concerned about this whole video conferencing stuff. Bad people can do really weird stuff with this great tool. We had some cases here in Germany where *very* inappropriate content was sent to pupils of an elementary school during an online lesson. :-(

So better safe than sorry.

Ciao, Michael.

P.S.: Yes, of course one of the Safari users asked me: "Why don't you use Zoom?" (sigh...).
[1] https://build.opensuse.org/package/view_file/home:stroeder:network/galene/galene.service?expand=1
[2] https://build.opensuse.org/package/view_file/home:stroeder:network/galene/apparmor-usr.sbin.galene?expand=1
[3] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
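As an added example of the Subresource Integrity approach pointed to in [3] (this is editor-written code, not part of the thread and not Galène's own tooling): it computes the `integrity` value the page author would have to commit into galene.html for each included asset, renders the matching `<script>`/`<link>` elements, and emulates the browser-side check so the failure modes are visible. The asset file names and contents are constructed stand-ins; only the hash and verification logic follows the SRI rules (allowed algorithms, strongest-algorithm-wins, unrecognised tokens ignored).

```python
import base64
import hashlib

# Constructed sample assets standing in for the CSS/JS a page like galene.html
# would include; the file names and contents are made up for this example.
ASSETS = {
    "galene.js": b"console.log('hello from galene');\n",
    "galene.css": b"body { margin: 0; }\n",
}

# Algorithms SRI allows, ordered by strength (browsers honour only these).
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return the integrity value for data, e.g. 'sha384-<base64 digest>'."""
    if algo not in _STRENGTH:
        raise ValueError(f"SRI does not allow {algo}; use sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_tag(path: str, data: bytes) -> str:
    """Render the HTML element that pins the asset to its current hash."""
    integrity = sri_hash(data)
    if path.endswith(".js"):
        return (f'<script src="{path}" integrity="{integrity}" '
                f'crossorigin="anonymous"></script>')
    if path.endswith(".css"):
        return (f'<link rel="stylesheet" href="{path}" integrity="{integrity}" '
                f'crossorigin="anonymous">')
    raise ValueError(f"no SRI-capable element for {path}")


def verify_integrity(data: bytes, integrity_attr: str) -> bool:
    """Emulate the browser's check of a fetched body against an integrity attribute.

    The attribute may carry several space-separated tokens.  Tokens with an
    unknown algorithm are ignored, and among the remaining ones only the
    strongest algorithm counts: the body passes if any token of that
    strength matches.  An attribute with no recognised token does not block
    the load at all, so a typo such as 'sha-384' silently disables SRI.
    """
    tokens = []
    for tok in integrity_attr.split():
        algo, sep, rest = tok.partition("-")
        if sep and algo in _STRENGTH:
            tokens.append((algo, rest.split("?", 1)[0]))  # drop any '?options'
    if not tokens:
        return True
    strongest = max(_STRENGTH[a] for a, _ in tokens)
    return any(sri_hash(data, a) == f"{a}-{b}"
               for a, b in tokens if _STRENGTH[a] == strongest)


def render_includes(assets: dict) -> str:
    """The element lines one would commit into the HTML after changing an asset."""
    return "\n".join(sri_tag(path, data) for path, data in assets.items())


if __name__ == "__main__":
    print(render_includes(ASSETS))
    pinned = sri_hash(ASSETS["galene.js"])
    print("unmodified js accepted:", verify_integrity(ASSETS["galene.js"], pinned))
    # Any change between the committed hash and what the browser receives,
    # including a harmless-looking comment, makes the browser refuse the asset.
    modified = ASSETS["galene.js"] + b"// modified on the way to the browser\n"
    print("modified js accepted:", verify_integrity(modified, pinned))
```

The practical cost Michael mentions is visible in `render_includes`: every edit to an included file changes its hash, so regenerating and committing these lines has to be part of the build step, otherwise the browser will refuse the legitimately updated asset. The `verify_integrity` docstring also records the caveat worth checking in a review: a malformed algorithm name makes the attribute a no-op rather than an error.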