Page MenuHomePhabricator
Create Task
Maniphest T4721

Improve user-facing documentation for Passphrase
Open, NormalPublic
Actions

Assigned To
None
Authored By
epriestley
Apr 2 2014, 3:36 PM
Tags
Referenced Files
None
Subscribers
allixsenos
amckinley
asherkin
bajb
bbrdaric
daniel.arraes
davedash
View All 28 Subscribers
Tokens
"Like" token, awarded by cguenther."Like" token, awarded by arpagon."Love" token, awarded by saggid."Like" token, awarded by nateguchi2."Mountain of Wealth" token, awarded by adamscybot.

Description

  • Passphrase needs general user-facing documentation.
  • The documentation should explain Passphrase's primary role as credential management (for other applications), and secondary role as a shared credential store (for external passwords).
  • The UI and documentation should more clearly explain what the "View" (you can see the existence of the credential and use it, but not see the secret) and "Edit" permissions imply. Particularly, it's confusing that "View" doesn't let you see the secret.
  • Since users appear to be adopting Passphrase as a generic credential store, we should implement an "encrypted" credential type, which stores an encrypted secret that can not be accessed without a password. We should make the storage format of usable vs stored credentials more clear.

Related Objects
Search...

Event Timeline

epriestley created this task.Apr 2 2014, 3:36 PM
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added a project: Passphrase.
epriestley added a subscriber: epriestley.
jadz0r added a subscriber: jadz0r.Apr 2 2014, 3:37 PM
epriestley added a comment.Apr 2 2014, 3:46 PM

While I remember it, we should also document that a malicious user who has view access to passwords (but not "show secret") can access the password like this:

  • Create a repository using the credential, with remote URI http://evil.com/.
  • Wait for Phabricator to perform a pull request.
  • Their evil server can capture the credential.

One way to prevent this might be to let you lock credentials to certain use cases, although this is a little bit fluff right now since the two use cases are Harbormaster and Diffusion, which both allow arbitrary third-party URIs. In the case of Nuance, we might have credentials used for trusted URIs, so maybe this "use case lock" can really be "Only send this credential to trusted services."

epriestley added a comment.Apr 2 2014, 3:49 PM

And we should possibly consider splitting the permissions more granularly:

  • View
  • Show Secret
  • Edit

...based on further feedback and how hard it is to make this distinction clear in the UI without splitting things. I think the material effect here of actually separating these permissions probably isn't hugely important, but properly separating them in the UI (not just with explanatory text) might be clearer than mere documentation.

epriestley added a comment.Apr 2 2014, 4:10 PM

Some ideas for encrypting everything:

  • We can put an encryption key on the filesystem. This offers little protection in most cases since compromising the filesystem and database usually happens at the same time, but would protect backups, at least. It adds some management complexity with multiple web frontends.
  • We can provide some echo secret | bin/passphrase load-key command, which makes a local HTTP request and loads the key into APC. Installs would include this in their restart script, and source the secret from some ephemeral location (in theory, manual entry at the CLI). This would also need to be passed to the daemons. But, roughly, we get an ephemeral key into process memory at restart time and that should raise the barrier at least slightly (although attackers with write access to the filesystem can read data out of APC fairly easily by editing the Phabricator code). This sounds nice at first, but the more I think about it the less I like it.
  • Beyond these cases, we could handle decryption over Conduit (since it rarely needs to be performed) and have a single server capable of performing decryption. However, compromising any other server allows you to change all the metadata on the object (so anyone can see it) and then always make a decryption call.

Broadly, any scheme we select where Phabricator has a persistent copy of the decryption key does not present a huge barrier to most online attacks. Putting an optional key on the filesystem is probably simplest to deter offline attacks (e.g., against backups) and limited-access attacks (e.g., an SQL hole which lets you select arbitrary data).

epriestley added a comment.Apr 2 2014, 4:22 PM

Ideally, we should do all the crypto work for the "encrypted" credential type on the client. This requires figuring out some kind of reasonable, appropriately licensed JS library we can use.

epriestley added a subscriber: asherkin.Apr 2 2014, 4:26 PM

@asherkin suggests this:

https://github.com/bitwiseshiftleft/sjcl/tree/version-0.8

Firehed added a subscriber: Firehed.Jun 17 2014, 6:03 AM
epriestley added a subscriber: igorgatis.Jul 1 2014, 12:00 PM

◀ Merged tasks: T5513.

daniel.arraes added a subscriber: daniel.arraes.Jul 2 2014, 6:52 PM
davedash added a subscriber: davedash.Jul 10 2014, 10:59 PM
epriestley added a comment.Jul 10 2014, 11:07 PM

davedash: epriestley: nice yeah, the subtasks I really want from that are generate SSH key and show public key, so I can automatically connect phab to Github

epriestley added subscribers: rfergu, maroux.Aug 6 2014, 7:58 PM

◀ Merged tasks: T5734.

epriestley mentioned this in T6116: Internal Storage Security.Sep 18 2014, 12:25 AM
epriestley merged a task: T6116: Internal Storage Security.
epriestley added subscribers: bajb, hach-que.
nateguchi2 awarded a token.Jan 12 2015, 1:11 PM
nateguchi2 added a subscriber: nateguchi2.
johnny-bit added a subscriber: johnny-bit.Feb 28 2015, 7:12 PM
epriestley merged a task: T7495: Documentation for Passphrase.Mar 7 2015, 9:17 AM
epriestley added a subscriber: joshuaspence.
epriestley mentioned this in Starmap.Apr 15 2015, 11:28 AM
bbrdaric added a subscriber: bbrdaric.Apr 23 2015, 8:55 AM
eMxyzptlk added a subscriber: eMxyzptlk.Apr 29 2015, 7:23 AM
fanis added a subscriber: fanis.Jun 16 2015, 12:59 PM
Mayeu added a subscriber: Mayeu.Sep 1 2015, 8:38 AM
epriestley merged a task: T9575: Make Passphrase policies clearer.Oct 15 2015, 10:26 AM
joshuaspence added a project: Documentation.Oct 15 2015, 12:04 PM
joshuaspence added a comment.Oct 15 2015, 7:39 PM
In T4721#53743, @epriestley wrote:

And we should possibly consider splitting the permissions more granularly:

  • View
  • Show Secret
  • Edit

+1

reed mentioned this in D10176: Add server-side-encryption support to S3StorageEngine.Nov 27 2015, 7:57 AM
mrjoops added a subscriber: mrjoops.May 12 2016, 10:24 AM
Herald added a subscriber: eadler. · View Herald TranscriptMay 12 2016, 10:24 AM
kebe added a subscriber: kebe.May 24 2016, 2:22 PM
epriestley mentioned this in T11140: Support at-rest encryption in Files.Jun 14 2016, 12:50 PM
epriestley mentioned this in T11272: Passphrases requires Editable By status for Read access.Jul 5 2016, 12:36 PM
epriestley merged a task: T11272: Passphrases requires Editable By status for Read access.
epriestley added a subscriber: vpetersson.
vpetersson added a comment.Jul 5 2016, 2:31 PM
In T4721#140545, @joshuaspence wrote:
In T4721#53743, @epriestley wrote:

And we should possibly consider splitting the permissions more granularly:

  • View
  • Show Secret
  • Edit

+1

+1
This makes sense to me.

lewellyn mentioned this in Z1336: General Chat.Oct 3 2016, 7:43 PM
chad merged a task: T12055: Passphrase uses "edit" permission to decide who can see the secret, not the "visible" permission.Jan 2 2017, 5:38 PM
chad added a subscriber: allixsenos.
chad merged a task: T12265: Allow viewing passwords to password members in Passphrase.Feb 15 2017, 6:56 AM
chad added a subscriber: saggid.
hskiba added a subscriber: hskiba.Feb 21 2017, 1:04 PM
saggid awarded a token.Mar 20 2017, 1:40 PM
arpagon awarded a token.Mar 28 2017, 5:07 PM
epriestley mentioned this in T12506: hackerone: possible issue with secrets sharing.Apr 5 2017, 1:16 PM
epriestley mentioned this in T12945: "Mismatched origin" error on pulls may show credentials when origins have HTTP credentials.Jul 31 2017, 2:07 PM
cguenther awarded a token.Aug 30 2017, 6:43 AM
tjgould added a subscriber: tjgould.Mar 23 2018, 7:29 AM
epriestley mentioned this in T13230: Native Applications.Dec 28 2018, 10:44 PM
tiguchi added a subscriber: tiguchi.Apr 10 2020, 4:16 PM
Herald added a subscriber: amckinley. · View Herald TranscriptApr 10 2020, 4:16 PM
Phabricator · Built by Phacility