Rocksolid Light

Welcome to novaBBS

register   nodelist   faq  

Your account also provides newsreader access to all groups at news.i2pn2.org port 119 or 563 (TLS)


rocksolid / Security / Re: bug in boxs

SubjectAuthor
* bug in boxsanonymous
`- Re: bug in boxsAnonUser

1
Subject: bug in boxs
From: anonym...@def2.anon (anonymous)
Newsgroups: rocksolid.shared.security
Organization: def2org
Date: Sat, 28 Sep 2019 21:45 UTC
Path: i2pn2.org!rocksolid2!def2!.POSTED.localhost!not-for-mail
From: anonym...@def2.anon (anonymous)
Newsgroups: rocksolid.shared.security
Subject: bug in boxs
Date: Sat, 28 Sep 2019 21:45:29 -0000 (UTC)
Organization: def2org
Message-ID: <6959c51586703f6efd09cfaaeb3c3632$1@def2.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 28 Sep 2019 21:45:29 -0000 (UTC)
Injection-Info: def2.org; posting-host="localhost:127.0.0.1";
logging-data="6641"; mail-complaints-to="usenet@def2.org"
View all headers
overview:

due to a bug in boxs (boxs.i2p), private boxes could be accessed without the keys once they had been unlocked with the right key, for ca. 10 min.
this enabled attackers to have full access to the boxes if they managed to send a request at roughly the same time as the rightful owner. sending requests every five minutes would have achieved this as well.

the service was taken offline after the bug had been detected, and the bug has been fixed. no attacks of this kind have been recognized (still could have happened, of course).

technical background:

the function check_keys validated the key given by the user in the querystring by decrypting a test file, using this key as the password to the private key. if the right key was given, the test file could be decrypted and the box was opened. if not, there was an error message.
the problem was that gpg kept the access to the private key open for a certain amount of time after the first successful access to it. as a consequence, every access after the first was possible without supplying a key at all.
this behaviour of gpg was unexpected for me, but a known issue that created some threads on serverfault et al. it would appear that this feature of gpg can be turned off, but the method seems to be complex and not very reliable.
so, a different approach was used to remedy the situation, which was to do an additional check against a hashed salt of the key.

unfortunately, the access to private boxes created before the code update is not possible anymore. they can still be deleted.

sorry for any trouble this may cause, but i felt it is better to cut the service in this case than to offer an unsafe service.


my own new private box is this:
http://boxs.i2p/?Z7IqE


cheers

trw

Posted on def2




Subject: Re: bug in boxs
From: AnonU...@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.security
Organization: Rocksolid Light
Date: Sat, 28 Sep 2019 22:34 UTC
Path: i2pn2.org!rocksolid2!.POSTED.localhost!not-for-mail
From: AnonU...@rslight.i2p (AnonUser)
Newsgroups: rocksolid.shared.security
Subject: Re: bug in boxs
Date: Sat, 28 Sep 2019 22:34:11 -0000 (UTC)
Organization: Rocksolid Light
Message-ID: <5ee042bda71ced82b361d024a730a579$1@news.novabbs.com>
References: <6959c51586703f6efd09cfaaeb3c3632$1@def2.i2p>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 28 Sep 2019 22:34:11 -0000 (UTC)
Injection-Info: novabbs.com; posting-account="retrobbs1"; posting-host="localhost:127.0.0.1";
logging-data="25464"; mail-complaints-to="usenet@novabbs.com"
User-Agent: rslight (http://news.novabbs.com)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on novabbs.com
X-Rslight-Site: $2y$10$w859iftiEGFIXYN7HrzwquyMbzAOrEAKFAVDRbaaay5juiu0GbwP2
View all headers
anonymous wrote:

the service was taken offline after the bug had been detected, and the bug has been fixed. no attacks of this kind have been recognized (still could have happened, of course).

Great that you addressed this as quickly as you could. Thanks for keeping security as a top priority!

sorry for any trouble this may cause, but i felt it is better to cut the service in this case than to offer an unsafe service.

It's a good service and you've proven you take security seriously.

--
Posted on Rocksolid Light



1
rocksolid light 0.6.6
clearnet i2p tor