Lisk-sdk: Plain-text delegate passphrase in config.json

Created on 7 May 2016 · 10 comments · Source: LiskHQ/lisk-sdk

It may sound obvious, but maybe instead of a plain-text passphrase it would be possible to specify e.g. the delegate public key? Perhaps this could reduce the interest in getting direct access to the node and increase overall security.

wontfix

All 10 comments

Well this is a difficult one, since the node needs the passphrase to sign the forged block... either passphrase or private key is needed somehow.

I am not sure there is a solution. It is possible to make it difficult, but as soon as somebody has gained access to the server, as the user or as root, it will be as difficult as chmod 600 config.json.

Actually there is a mitigation for that: register a second passphrase!
If the attacker gets your passphrase, the only thing he can do is to forge for you, but to do anything else (vote, move Lisk, etc.), he needs your second passphrase.

I think this is a powerful feature to sign and verify forged block with passphrase only, even if second passphrase is registered when I think about it. I would leave it like that!

Brought this issue up in chat a while back. Personally I like how NEM solved the issue. User tharude mentioned you could modify or completely delete the config.json after Lisk is running.

Another possibility is to start forging remotely through the API or the web interface. That way, your passphrase is never exposed in the config.json or anywhere in your node.

What about when you start lisk.sh a special way (maybe bash lisk.sh start forging) there is a prompt to enter your passphrase? That way it's not stored in any file (that you need to worry about editing or deleting after start up).

The downside to this is if you have a script to rebuild/restore/restart the lisk service, it will not start forging back up automatically for you (this same issue applies to the other solutions though).

Copy-pasting the passphrase around IS a security issue.

Forging with a public key or using a forging "only" private key tied to the user account's public key would be nice. Could this work?

No, you need to sign the forged block, so you need a private key.
You could have a forging-only private key, but then it is the same as using master and second passphrase.

@karmacoma I would close it as won't fix, what do you think @karmacoma?

@fix I agree, closing this issue as won't fix for now.
