|
| 1 | +###### Problem |
| 2 | +Synchronizing a user session between stacker.news and a user-owned custom domain, means giving up the whole JWT, which can be stolen and replayed. |
| 3 | + |
| 4 | +For example, in a scenario like DNS hijacking, the malicious user that owns the custom domain can point their DNS record to a server of their own, **log** the incoming requests, **collect** the JWTs and **replay** them. |
| 5 | + |
| 6 | +Usually, mitigations are used for this kind of problem: |
| 7 | +- fingerprinting |
| 8 | +- dns polling |
| 9 | +- short-lived sessions, with refresh tokens |
| 10 | +- aggressive checks on custom domains |
| 11 | + |
| 12 | +I think that some mitigations are correct, such as **dns polling** to take measures against the malicious owner; others might be too much. |
| 13 | + |
| 14 | +##### Per-device keys |
| 15 | +**The case for per-device ECDH Key Pairs** |
| 16 | +As a form of authentication, we can use ECDH shared secrets to either |
| 17 | +- sign requests for the GraphQL endpoint |
| 18 | +- encrypt JWT payloads |
| 19 | +To accomplish this, each device will have its own ECDH key pair, generated and stored in IndexedDB on first visit. |
| 20 | +It can also be used in the future for encrypted messaging |
| 21 | + |
| 22 | +An example flow can be: |
| 23 | +``` |
| 24 | +
|
| 25 | +1. Device generates key pair |
| 26 | +2. On login, server creates an ECDH key pair |
| 27 | +3. Client and server exchanges public keys |
| 28 | +4. Server and device derives the same shared secret with each other |
| 29 | +-- Stores: |
| 30 | + user, server_priv_key, client_pub_key, shared_secret_hash |
| 31 | +5. Server issues an encrypted JWT using the shared secret |
| 32 | +6. Device decrypts JWT with the same shared secret |
| 33 | +``` |
| 34 | + |
| 35 | +Shared secret rotation is part of best practices in this context. |
| 36 | + |
| 37 | +**The case for ECDSA** |
| 38 | +ECDSA, much like the ECDH route above, can be used to generate a key pair on the first visit and share its public key with the server, to bind it to the user we're importing from `stacker.news`. |
| 39 | + |
| 40 | +ECDSA can be used to sign every request or JWTs, the server will then verify the signature and accept the request if the signature is valid. |
| 41 | + |
| 42 | +An example flow can be: |
| 43 | +``` |
| 44 | +1. Device generates key pair |
| 45 | +2. Public key is sent to server and bound to a user |
| 46 | +3. Server issues a JWT that includes the public key fingerprint |
| 47 | +4. On each requests, client signs a message with private key |
| 48 | +5. Server verifies the JWT and the signature, proving possession |
| 49 | +``` |
| 50 | + |
| 51 | +If the JWT gets stolen, it's useless without the device private key. |
| 52 | + |
| 53 | +###### Bonus |
| 54 | +A bonus point of using key pairs, is the capability of tracking devices connected to an account, enabling session revocation. |
0 commit comments