You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: cornucopia.owasp.org/data/website/pages/copi/en/index.md
+13-12Lines changed: 13 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -208,19 +208,21 @@ We have not implemented Authentication when using Copi, instead we use a secure
208
208
209
209
An attacker could use various tools for capturing logs or http requests which may lead to information disclosure if your participants' network has been comporised: [https://capec.mitre.org/data/definitions/569.html](https://capec.mitre.org/data/definitions/569.html).
210
210
211
-
#### What can you do about it?
211
+
#### What are we going to do about it?
212
212
213
+
We are not working towards implementing authentication in Copi. Instead we are utilizing magic links. Arguable this is not authentication, but it's worth noting that your threat model is not stored on copi.owasp.org, just your game and the cards you voted on. For a threat actor to be able to piece together this information and use it against you, given that he get hold of the magic link, you would have to use your full name and, add the url to your project in the game name field when creating the game. We are working towards informing users that they should under no circumstances do this kind of thing, but even in the case that you still did. The cards themselves are two generic and doesn't contain the sensitive discussions that you had during your game.
213
214
As a security measure, you can choose to run copi on a private cluster
214
215
You should avoid using your own name or the name of a company or project when creating players and games at copi.owasp.org. And remind others not to do so as well. Instead use a pseudonyme and a fake threat model name.
215
216
216
217
### Data is not encrypted at rest by default
217
218
218
219
#### What can go wrong?
219
220
220
-
When hosting Copi yourself, be aware that the data at REST might not be encrypted. Even if you tell your threat modeling participants not to use their own name or use information about your company or project when creating the game, they may end up doing it by accident or because of a temporary lapse in memory.
221
+
When hosting Copi yourself, be aware that the data at REST might not be encrypted. Even if you tell your threat modeling participants not to use their own name or use information about your company or project when creating the game, they may end up doing it by accident or because of a temporary lapse in memory. The data on copi.owasp.org is encrypted at rest, but if you host the game engine yourself, you need to make sure that the data is encrypted at rest as well. If you don't, an attacker that get hold of the database may be able to see the names of the players and games, which may contain sensitive information. Currently we do not use application-side encryption. Even if the data is encrypted at rest, an attacker that get hold of the database may be able to see the names of the players and games as well.
221
222
222
-
#### What can you do about it?
223
+
#### What are we going to do about it?
223
224
225
+
The data at REST on copi.owasp.org is encrypted by default, but we are not using client side encryption. This means that I have the possibility to access the database and see what you entered in your name fields, but I will rather quite my job then be caught snooping on your data. It would be the end of my career if I got caught doing so and the end of Copi if someone else did. When all that is said, we will implement client side encryption on Copi since I wouldn't want anyone to have the possibility to even suspect me of doing such a foolish thing (see: https://github.com/OWASP/cornucopia/issues/2232).
224
226
Ensure that your service provider ensures that the data is encrypted at REST.
225
227
OWASP host the data on Fly.io. Databases built on Fly.io uses volumes, which provide persistent storage. These drives are block-level encrypted with AES-XTS. Fly.io manages the encryption keys, ensuring they are accessible only to privileged processes running your application instances. New volumes (and thus new Postgres apps) are encrypted by default.
226
228
@@ -230,7 +232,7 @@ OWASP host the data on Fly.io. Databases built on Fly.io uses volumes, which pro
230
232
231
233
Erlang clustering does not happen over TLS by default. This may allow an attacker to launch a MTM attack and do RCE against your cluster. It may also allow an attacker to take over your database connection and both disclose sensitive information and compromise the integrity of the data sent between your database and Copi.
232
234
233
-
#### What can you do about it?
235
+
#### What are we going to do about it?
234
236
235
237
if you deploy Copi yourself, make sure you configure TLS appropriatly according to your needs.
236
238
OWASP host Copi on Fly.io that uses a built-in, WireGuard-encrypted 6PN (IPv6 Private Networking) mesh to automatically connect all your app instances, providing zero-config, secure, private communication with internal DNS (e.g., app-name.internal), allowing services to talk as if they're on the same network, even across regions, for simple and secure microservices communication. This mesh handles complex routing, making it easy to build distributed apps securely without manual VPN setup.
@@ -241,22 +243,21 @@ OWASP host Copi on Fly.io that uses a built-in, WireGuard-encrypted 6PN (IPv6 Pr
241
243
242
244
An attacker can continue to create an unlimited amount of games and players until the application stops responding.
243
245
244
-
#### What can you do about it?
246
+
#### What are we going to do about it?
245
247
246
248
We are working on minimizing the probability of functionality misue by implementing rate limiting on the creating of games and players (see: [issues/1877](https://github.com/OWASP/cornucopia/issues/1877)). Once that is taken care of, you should be able to configure these limits to prevent DoS attacks when hosting Copi yourself. It's vital that you limit the number of sockets the application accept concurrently. On fly.io that is done in the following way: [fly.toml](https://github.com/OWASP/cornucopia/blob/fb9aae62531dde8db154729d0df4aa28a3400063/copi.owasp.org/fly.toml#L27) A 30 socket limit for Copi should allow you to handle 20.000 requests per min if you have 2 single cpu nodes.
247
249
248
-
### Did we do a good job?
249
-
250
-
We welcome any input or improvments you might be willing to share with us regarding our current threat model.
251
-
Arguably, we created the system before the threat modeling, and several improvements need to be made to properly balance the inherrant risks of compromise against the current security controls. For anyone choosing to host the game engine, please take this into account.
252
-
253
250
### Grant can utilize the application to deny service to some or all of its users
254
251
255
252
#### What can go wrong?
256
253
257
254
Given that a threat actor can execute a distributed denial of service attack against the application, he could deny access to some or all of copi.owasp.org users.
258
255
256
+
#### What are we going to do about it?
259
257
260
-
#### What can you do about it?
258
+
We are not working towards implementing any specific controls to prevent DoS attacks against copi.owasp.org, but we are working on implementing rate limiting on the creating of games and players (see: [issues/1877](https://github.com/OWASP/cornucopia/issues/1877)). Most probably, it would be impossible to stop a distributed denial of service attack if executed properly. When we did load testing against copi.owasp.org, we found that the application could handle 20.000 request per min. If we went higher then that, Cloudflare, that host the DNS, would identify us as a DoS actor and return HTTP status 520. Still, conceptually, you could execute a DoS from one million machines and deny access to the application for other users. Even though this is a risk, we accept it. If you are worried about distributed DoS, please host the application on a private network or IP whitelist access to the application.
261
259
262
-
Most probably, it would be impossible to stop a distributed denial of service attack if executed properly. When we did load testing against copi.owasp.org, we found that the application could handle 20.000 request per min. If we went higher then that, Cloudflare, that host the DNS, would identify us as a DoS actor and return 520. Still, conceptually, you could execute a DoS from one million machines and deny access to the application for other users. Even though this is a risk, we accept it. If you are worried about distributed DoS, please host the application on a private network or IP whitelist access to the application.
260
+
### Did we do a good job?
261
+
262
+
We welcome any input or improvments you might be willing to share with us regarding our current threat model.
263
+
Arguably, we created the system before we were able to identify all these threats, and several improvements need to be made to properly balance the inherrant risks of compromise against the current security controls. For anyone choosing to host the game engine, please take this into account.
0 commit comments