Is your feature request related to a problem? Please describe.
I installed Ferdi at work to have quick access to my personal communication channels if necessary. I set up password protection with the intention of preventing colleagues, including sysadmins, from getting access to my personal channels. With #694, colleagues can no longer see the password I entered, but they could still access my personal accounts by disabling the password lock in the settings file. De facto, the password lock provides false security.
Describe the solution you'd like
Somehow (I can't say how, technically), prevent disabling the password lock without having to provide that same password.
Additional context
This security gap came in handy for #543, but is actually rather dangerous (as the possibility that others can easily access one's accounts still is not advertised in the settings). Until this is fixed, in the settings a warning should be added "This is not a security feature" (as is done by Microsoft for its Office tracked changes lock), or something more explicit.
Thanks for reporting this. We will take a look and update. @kytwb @vantezzen what do you suggest is the best way to handle this? This surely seems like a security issue.
We'll have to see as I don't really know how we could secure this. We'd have to somehow store it in a place that users can't edit (the server? But if you use Ferdi without an Account you can still edit the database locally and the server owner could theoretically also disable it) or we'll have to add some kind of "integrity check" that allows you to make sure the settings haven't been tampered with.
I am curious what the threat model is here. If someone has access to the settings file, wouldn't they also have access to (say) ~/.config/Ferdi/Partitions/*/Cookies, from where session cookies can be easily extracted? Or are those actually encrypted (possibly by the locking password)?
Yes, someone can also directly access your sessions - those are not encrypted - but using those will be more complicated. We'll probably not be able to make the Lock fully secure but we can try to make it as complicated as possible to bypass (e.g. simply opening and changing a text file is just very easy and fast to do).
@vantezzen @kytwb How about encrypting the settings file with a key and storing the key inside a native module? That way one cannot fetch the key, unless they try really hard -
What do you think?
I don't know about encrypting the whole settings file as there are cases where you might need to edit that (e.g. because a setting causes Ferdi to crash), but encrypting the setting to enable locking and auto-locking when the value is invalid sounds like a good idea.
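The approach discussed in the comments above (an integrity check over only the lock setting, with auto-locking when the value is invalid), as an added example that is not part of the thread and not Ferdi's code. The field names and `APP_KEY` are hypothetical; `APP_KEY` stands in for the key the thread proposes keeping in a native module.

```javascript
const crypto = require('node:crypto');

// Assumption: stands in for the key held in a native module. Constructed value;
// anyone who extracts it from the binary can forge seals.
const APP_KEY = Buffer.from('constructed-demo-key-not-a-real-secret');

// Hypothetical field names, not Ferdi's actual settings schema.
const SEALED_FIELDS = ['lockEnabled', 'lockPasswordHash'];

function computeSeal(settings) {
  // Serialize only the protected fields, in a fixed order, so unrelated
  // settings stay hand-editable without breaking the seal.
  const payload = JSON.stringify(SEALED_FIELDS.map((k) => [k, settings[k] ?? null]));
  return crypto.createHmac('sha256', APP_KEY).update(payload).digest('hex');
}

// Called by the app itself, after the user has entered the lock password.
function sealSettings(settings) {
  return { ...settings, lockSeal: computeSeal(settings) };
}

function sealIsValid(settings) {
  if (typeof settings.lockSeal !== 'string') return false;
  const expected = Buffer.from(computeSeal(settings), 'hex');
  const actual = Buffer.from(settings.lockSeal, 'hex');
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Fail closed: a missing or invalid seal means the protected fields were
// changed outside the app, so start locked regardless of the stored flag.
function shouldLockOnStartup(settings) {
  if (!sealIsValid(settings)) return true;
  return settings.lockEnabled === true;
}

// Constructed sample settings, as they would be read from the settings file.
const onDisk = sealSettings({ lockEnabled: true, lockPasswordHash: 'constructed-hash', theme: 'dark' });
const tampered = { ...onDisk, lockEnabled: false }; // hand edit that tries to disable the lock
const harmless = { ...onDisk, theme: 'light' };     // hand edit to an unsealed field

console.log(shouldLockOnStartup(tampered), sealIsValid(harmless));
```

This only raises the cost of the text-file edit described in the thread; the unencrypted session cookies mentioned above are not protected by it.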
This issue has been automatically marked as stale because it has not had recent activity. Please check if this issue is still relevant and please close it if it's not. This will make sure that our open issues are actually of use and reduce the list of obsolete issues. Thank you for your contributions.