  • That's bad.

    OAuth supports several types of flows. If I'm not mistaken (I've learned a bit more about OAuth since yesterday) you're describing the Authorization Code Flow -- as documented in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):

    That RFC defines many other types of flows that do not require sharing the access keys with a third party, such as the Client Credentials Flow, as documented in RFC 6749 Section 4.4 (Client Credentials Grant):

    The only reason you'd want to use the Authorization Code Flow is if the third party needs your access token for some reason, or if you want to hide the access key from the user agent.

    The problem here is that Stripe is using the wrong flow (the third party doesn't need the access token, as they claim they never save it anyway). And if keyCloak only supports that one flow, that would be a problem too (in this case).

  • Upon further reading of RFC 6749, it appears that OAuth does require this -- sometimes.

    It depends on the OAuth Flow. In this case, Stripe uses the “Authorization Code” Grant.

    This is documented in Stripe’s OAuth reference documentation here:

    # Section 4.1.3 token request: the client authenticates with its secret key via -u
    curl https://connect.stripe.com/oauth/token \
      -u sk_test_MgvkTWK1jRG3olSRx9B7Mmxo: \
      -d "code=ac_123456789" \
      -d "grant_type=authorization_code"

    Authorization Code Grants are defined in RFC 6749 (The OAuth 2.0 Authorization Framework), Section 4.1 (Authorization Code Grant):

    To better understand why the OAuth Authorization Code Grant requires sharing the access token with a third party server, I found this article (Common OAuth Vulnerabilities) by Doyensec very elucidating:

    It says that the Authorization Code Flow is supposed to be used when you don’t want to share the tokens with the user agent.

    The Authorization Code Flow is one of the most widely used OAuth flows in web applications. Unlike the Implicit Flow, which requests the Access Token directly to the Authorization Server, the Authorization Code Flow introduces an intermediary step. In this process, the User Agent first retrieves an Authorization Code, which the application then exchanges, along with the Client Credentials, for an Access Token. This additional step ensures that only the Client Application has access to the Access Token, preventing the User Agent from ever seeing it.

    But this doesn't make sense for this use-case. It appears Stripe is needlessly putting us at risk by choosing the Authorization Code Grant.

  • Stripe Connect does not support Client Credentials flow.

    Can you please tell me what is the name of the "flow" that Stripe Connect is using here?

  • I figured out the root technical cause. It's because Stripe doesn't allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that's hard-coded into the app.

    For security purposes, Stripe redirects a user only to a predefined URI.

    That's why Stripe forces you to expose your access tokens to the developer's servers.

    I'd still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer's servers.
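    The two comments above (the one walking through the Authorization Code Grant versus the Client Credentials Grant, and the one tracing the root cause to the fixed redirect URI) describe a protocol exchange that is easier to see in code. The following is an added example, not code from the thread, from Stripe, or from the Doyensec article: a toy in-memory RFC 6749 authorization server with both grant types, where the client id, secret, callback URI and account-owner name are all constructed for the demo. It shows that in the Section 4.1 flow the token is issued to whichever server authenticates with the client secret at the token endpoint, that the redirect target is checked against the pre-registered URI before any code is issued, and that the Section 4.4 flow needs no user agent or redirect at all.

```python
# Added example, not code from the thread, Stripe, or Doyensec: a toy in-memory
# RFC 6749 authorization server that walks the Section 4.1 Authorization Code
# Grant and the Section 4.4 Client Credentials Grant side by side. Client ids,
# secrets, URIs and the account-owner name are all constructed for the demo.
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Stand-in for the OAuth provider (the role Stripe plays in the thread)."""
    # client_id -> (client_secret, pre-registered redirect_uri)
    clients: dict = field(default_factory=dict)
    # authorization code -> (client_id, redirect_uri, resource_owner)
    codes: dict = field(default_factory=dict)
    # access token -> (client that received it, whose resources it grants)
    tokens: dict = field(default_factory=dict)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, resource_owner):
        """Section 4.1.1/4.1.2: after the resource owner consents, redirect the
        user agent back with a short-lived code. The redirect target must match
        the pre-registered URI, so the code can only land on the client's server."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, resource_owner)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, grant_type, code=None, redirect_uri=None):
        """Section 4.1.3 / 4.4.2 token endpoint. The client authenticates with its
        secret, so the token is issued to the client's server, never to the user agent."""
        creds = self.clients.get(client_id)
        if creds is None or creds[0] != client_secret:
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            entry = self.codes.pop(code, None)  # a code is single use
            if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
                raise PermissionError("invalid_grant")
            owner = entry[2]
        elif grant_type == "client_credentials":
            owner = client_id  # Section 4.4: the token covers the client's own resources
        else:
            raise ValueError("unsupported_grant_type")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, owner)
        return {"access_token": tok, "token_type": "bearer"}


def make_demo_server():
    srv = AuthorizationServer()
    # constructed registration: the integration app's server and its fixed callback
    srv.register_client("app-server", "app-secret", "https://app.example/oauth/cb")
    return srv


def run_authorization_code_flow(srv):
    """Walk the grant end to end and report where the access token ends up."""
    # 1. user agent is sent to the provider; owner consents; provider redirects with a code
    location = srv.authorize("app-server", "https://app.example/oauth/cb", "account-owner")
    code = location.split("code=")[1]
    # 2. the user agent delivers the code to app-server, which exchanges it with its secret
    tok = srv.token("app-server", "app-secret", "authorization_code",
                    code=code, redirect_uri="https://app.example/oauth/cb")
    holder, owner = srv.tokens[tok["access_token"]]
    return {"token_holder": holder, "resource_owner": owner, "code_reusable": code in srv.codes}


def run_client_credentials_flow(srv):
    """Section 4.4: no user agent, no redirect; the caller gets a token for itself."""
    tok = srv.token("app-server", "app-secret", "client_credentials")
    holder, owner = srv.tokens[tok["access_token"]]
    return {"token_holder": holder, "resource_owner": owner}


def unregistered_redirect_is_rejected(srv):
    """The root cause named in the thread: a redirect_uri that was not registered is refused."""
    try:
        srv.authorize("app-server", "https://other.example/cb", "account-owner")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    s = make_demo_server()
    print(run_authorization_code_flow(s))
    print(run_client_credentials_flow(s))
    print(unregistered_redirect_is_rejected(s))
```

    Running it prints a token holder of `app-server` in both flows; the difference is the resource owner field, which is the consenting account in the code flow and the client itself in the client-credentials flow. That is the whole of the thread's complaint in miniature: with the code grant, the only place the provider will ever deliver the token is the server holding the registered client secret, so a token for someone else's account necessarily passes through that server before it can be handed on.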

  • It’s called the Client Credentials flow (RFC 6749, Section 4.4).

    Finally someone directs me to the actual RFC. Except that section is titled "Client Credentials Grant".

    Why do I see this sometimes called a "Grant" and sometimes called a "Flow"?

    What's the definition and difference of each?

  • Thanks, but I don't think this is the case here. The Authentication provider is Stripe (or, at least, it's a stripe.com domain name). The 3rd party is the app developer's server.

    Stripe's infra is already PCI compliant.

    I'm not sure how a hardware security token would be relevant here. The end result must be something-you-know access token. Initial setup is done with 2FA, sure. But I don't think the server can store (or emulate) a passkey. The issue here isn't how I authenticate with Stripe. It's after that -- when Stripe gives the tokens to the third party (the dev's server) and then the third party gives the token to my server. I don't understand why Stripe doesn't just let the devs implement it so Stripe gives the tokens directly to my server.

  • /c/cybersecurity - Cybersecurity News & Discussion @lemmy.ml
    maltfield @lemmy.ml

    Why OAuth MUST share access token with 3rd party?!?

    Why does Stripe require OAuth tokens to pass through a third party server?

    Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?

    I've tried RTFM, but my biggest hangup is that the OAuth docs appear to describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.

    Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?

    I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API

    Security @lemmy.ml
    maltfield @lemmy.ml

    Why OAuth MUST share access token with 3rd party?!?


    Lemmy @lemmy.ml
    maltfield @lemmy.ml

    Intro Guide to Lemmy

    I wrote a guide to help users with their migration to Lemmy

    This guide will help new lemmy users find and subscribe-to (remote) lemmy subreddits communities

    VTubers @sh.itjust.works
    maltfield @lemmy.ml

    Intro to Lemmy (Video Guide)

    Before reddit goes dark on Monday, I would like to add a short video to the join-lemmy.org site that shows new users how to create a lemmy account and subscribe to (remote) communities.

    The video should be about 2-minutes long (shorter is better) with a screen recording and voiceover narration. If you do this, you'll get a lot of traffic to your youtube/peertube account ;)

    Here's the outline of the video requested:

    1. Mention that lemmy is a federated reddit alternative based on ActivityPub where 'subreddits' are called 'communities'. Go to join-lemmy.org in your web browser and click the big Join a Server button.
    2. Tell the viewer that it doesn't really matter which instance they pick because you can subscribe to a 'community' from one instance from any other instance. Again reiterate that what reddit calls a 'subreddit' is called a 'community' on lemmy. Then just click Join from a random server from the "Recommended" list of instances. Tell the user to just pick one at r
    Security @lemmy.ml
    maltfield @lemmy.ml

    BusKill Warrant Canary for 2023 H2 🕵️

    We just published our #WarrantCanary for 2023 H2 🕵️

    https://buskill.in/canary-006/

    Warrant Canaries are a means for us to (not) inform you of (not being) breached if served with a State-issued, secret subpoena (gag order) #infosec

  • It doesn't say porn, it says adult. The legend describes how it's determined

    Adult "Yes" means there's no profanity filters or blocking of NSFW content. "No" means that there are profanity filters or NSFW content is not allowed.

  • how do you do that? Is there a guide anywhere for how to setup mastodon seeing lemmy or lemmy seeing mastodon?

  • I think at the top, just above the "Recommended" <h2>, add:

    For a more detailed comparison of Lemmy instances, see:

    <ul>
    <li><a href="https://github.com/maltfield/awesome-lemmy-instances">Awesome-Lemmy-Instances on GitHub</a></li>
    <li><a href="https://the-federation.info/platform/73">the-federation.info Lemmy Instances Page</a></li>
    <li><a href="https://lemmymap.feddit.de/">Feddit's Lemmymap</a></li>
    </ul>

    After you create an account, you can find communities across all instances using <a href="https://browse.feddit.de/">Feddit's Lemmy Community Browser</a>

    <h2>Recommended</h2>
    ...

  • oh shit I wish I knew that existed before XD

  • I'm literally just asking the instance's API how many users it has:

    Check the users_active_month field. How your instance calculates that is a question for the lemmy devs ;D

  • I see TypeScript and get scared. Personally, I do think that the join-lemmy.org/instances page should link to:

    1. My table comparison https://github.com/maltfield/awesome-lemmy-instances
    2. The Lemmy Community Browser (to find communities across all instances) https://browse.feddit.de/
    3. The Lemmy Map https://lemmymap.feddit.de/
    4. The federation's lemmy page (with another table comparing instances) https://the-federation.info/platform/73

    Can anyone with TypeScript experience make this PR for us? Here's the relevant file:

  • Because I had a bug. Fixing now :)

  • Hmm, I see community_creation_admin_only is set to false on the API. I'll look into this, thanks for letting me know :)

    Edit: should be fixed now. Please let me know if you find any other issues :)

  • Lemmy @lemmy.ml
    maltfield @lemmy.ml

    Comparison of Lemmy Instances

    I created a repo on GitHub that has a table comparing all the known lemmy instances

    Why?

    When I joined lemmy, I had to join a few different instances before I realized that:

    1. Some instances didn't allow you to create new communities
    2. Some instances were set up with an allowlist so that you couldn't subscribe/participate with communities on (most) other instances
    3. Some instances disabled important features like downvotes
    4. Some instances have profanity filters or don't allow NSFW content

    I couldn't find an easy way to see how each instance was configured, so I used lemmy-stats-crawler and GitHub actions to discover all the Lemmy Instances, query their API, and dump the information into a data table for quick at-a-glance comparison.

    I hope this helps others with a smooth migration to lemmy. Enjoy :)

  • Hi Lemmy!

    I make BusKill laptop kill cords that make your computer lock, shutdown, or self-destruct if the device is physically separated from you.

    This protects your (encrypted) data from theft, which can be useful for digital nomads and cryptotraders working in cafes/coworking spaces. But our target audience is journalists, activists, and human rights workers in oppressive regimes.

    Both the hardware and the software are open-source (CC-BY-SA, GPLv3). We manufacture the hardware with injection molding, but if you have a 3D-printer, then you can take a stab at our 3D-printable prototype.

    ...And apparently I'm doing (minor) contributions to lemmy these days too

  • 3D Printing @lemmy.ml
    maltfield @lemmy.ml

    3D-Printable BusKill (USB Dead Man Switch) Prototype

    This article is about a new 3d-printable prototype version of the BusKill cable.

    The BusKill cable is a laptop kill cord. If you're still struggling to understand what is a BusKill cable and why you'd need a laptop kill cord, there's a 2-minute explainer video that makes this clear:

    Enjoy and happy printing :)