← Back to team overview

libravatar-fans team mailing list archive

Re: Discussion: API keys - follow up from IRC

 

Hi!

OK. I forgot to add the reference:

    https://bugs.launchpad.net/libravatar/+bug/1248456

I hope that clears things up! :-)

Basically, if all sites with security in mind would use keys to retrieve
the images, that would lead to the situation, where you cannot simply hash
an e-mail/openid and search for it on google in order to find out where the
users profile picture eventually pops up and may therefore leak information
about what services a specific user uses.

Oliver


On Tue, Mar 12, 2019 at 1:59 PM clime <clime7@xxxxxxxxx> wrote:

> On Tue, 12 Mar 2019 at 12:29, Oliver Falk <oliver@xxxxxxxxxxxxxxx> wrote:
>
>> Hi!
>>
>> So, the basic idea, that I already implemented as PoC, is. You request
>> API keys and get a public and a secret key. You use the secret key to
>> 'encrypt' the user hash. Eg.:
>>
>> ConfirmedEmail.objects.first().encrypted_digest(secret_key=APIKey.objects.first())
>> would return something like this:
>>
>>
>> b'736300027316f304ae86f4a3ea2f7dc6c1ac43a3165a27bc68d96d23e5f109354c1a98b7d00d404bd62bec30caf60ed98e8653385528b23ef27ac110db79ed0dddfcc7c241d98937dc89606e0cce7ca8fed9aa3b1b103fdfc8d61f4bd94b6990400df154'
>>
>> In order to to this manually, you'd have to create the hash from the mail
>> address, encrypt it with the secret key (I'm currently using simplecrypt
>> for this) and hexlify it.
>>
>> Since you don't know the secret key, you have no chance to say what hash
>> is behind that and absolutely no chance to guess the mail address from it.
>> You'd then request from libravatar something like this:
>>
>>
>> /avatar/736300027316f304ae86f4a3ea2f7dc6c1ac43a3165a27bc68d96d23e5f109354c1a98b7d00d404bd62bec30caf60ed98e8653385528b23ef27ac110db79ed0dddfcc7c241d98937dc89606e0cce7ca8fed9aa3b1b103fdfc8d61f4bd94b6990400df154&key=bgixjymiejsglc5j3aghw3b78qtp7wac
>>
>> And even if you now see the public key and the encrypted hash, you still
>> don't know anything :-)
>>
>> On Libravatar side, we find the corresponding secret key with the public
>> key 'bgixjymiejsglc5j3aghw3b78qtp7wac' and decrypt it. I leave the rest to
>> your imagination.
>>
>> So, now to the bad performance thing. I made some tests and this is the
>> result:
>>
>> Encrypt digest:        1.9489854159983224
>> Encrypt digest_sha256: 1.8158956080005737
>> Decrypt digest:        1.6850569540038123
>> Decrypt digest_sha256: 1.7364481180047733
>>
>> You see, it almost takes 2 seconds to encrypt or decrypt - that's
>> definitely not going to work on large scale.
>> I've tried to reduce the key length (currently 32) to only 10 or only 4
>> chars, but that's not changing a lot.
>>
>> That means, that I have to probably find a better/faster encryption
>> mechanism, but even if I find some, it will still hurt the performance and
>> shouldn't be used everywhere, but only on security sensitive sites.
>>
>> The next bad thing that comes to my mind is: What about sites that run
>> their own libravatar service? They wouldn't be able to handle this. And one
>> cannot get public/secret key on each of these services => This would be a
>> feature only available on our main instance.
>> The alternative would be, that those sites with some higher security
>> considerations, would encrypt the plain mail address and ask libravatar to
>> decrypt and libravatar would then proxy it back...
>>
>> I don't know... Brain dump end (my excuse if the mail might be
>> confusing...).
>>
>
> I am missing the point encrypting the hash. I could understand it for md5,
> which is crackable nowdays but not quite for sha256. That hash should be
> non-reversible in practical terms and then we can always just jump to
> sha512 in a few years when hardware is stronger
>
> clime
>
>
>>
>> Oliver
>>
>>
>>
>>
>> On Tue, Mar 12, 2019 at 8:00 AM clime <clime7@xxxxxxxxx> wrote:
>>
>>> On Mon, 11 Mar 2019 at 19:02, Oliver Falk <oliver@xxxxxxxxxxxxxxx>
>>> wrote:
>>>
>>>> Hi!
>>>>
>>>> Since I got no reaction on IRC, I'm posting this here as well and would
>>>> love to gather feedback:
>>>>
>>>> <ofalk> quick poll. fr the people who are eventually are around. if we
>>>> implement something like api-keys (public/private key), that will be used
>>>> for encryption and therefore no longer reveal the mail address hash, this
>>>> will cost more cpu power and I'd therefore not open this feature to _all_
>>>> users. how shall we give this feature to ppl? currently it's implemented as
>>>> group/permission that you can assign to some specific user, but what should
>>>> be the process of
>>>> <ofalk> requesting it and how do we decide if we give this feature to
>>>> someone?
>>>>
>>>
>>> It sounds interesting but I, personally, would need a little bit more
>>> information how it would be used and for what use-case.
>>>
>>>
>>>>
>>>> Share you mind, public or private, as you wish :-)
>>>>
>>>> Thanks a lot,
>>>>  Oliver
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~libravatar-fans
>>>> Post to     : libravatar-fans@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~libravatar-fans
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>

References