16 votes

Two-Factor Auth / Security

Tags: security

I’m still in awe of what’s happening here and wish I had a crystal ball to see the change this type of community will drive in broader social discourse. If that goal is realized, there will be very sophisticated folks looking to disrupt that progress.

As a security guy (especially in light of Reddit’s recent announcement) I had a few questions!

1.) How open are we to integrating some type of optional 2FA for users? Maybe a simple TOTP integration?
2.) Are the admins of the site implementing the right amount of fundamental controls for the backend? I’m 100% happy to provide thoughts on this if necessary! The decisions you make now could impact us 5-6 years from now. And they’re oh-so-easy to change this early :-D.

5 comments

  1. Comment deleted by author
    1. Custos

      I’m a doofus, I should have looked.

      What about #2? :)

      2 votes
  2. Custos (edited)

    I’d recommend a bunch of things:
    (I haven’t looked at source, or for broader architectural threads, so consider this general guidance to a broad audience - or I’ll sound like a condescending ass to some)

    1. Make sure all authentication for administrative access uses token based MFA. This includes any SSH access, etc. I don’t believe GitLab supports SMS MFA, so that’s good, but make sure you don’t have SMS enabled ANYWHERE on your hosting provider (I know OVH supports non-SMS MFA).

    2. Ensure the site is behind load balancers in some sort of stateless/horizontally scalable environment (data layer is a bit more nuanced). From the outset, ensure that the oldest ‘server’ is cycled regularly. This will allow you to make OS level security patches essentially automated. Bonus points if you just use kubernetes, or something of the sort :)

    3. While a bit obnoxious, ensure all connections to any non-SaaS (e.g. gitlab) backend systems go through a jump/bastion host. Just put duo on it and integrate your yubikey with duo. Disable SMS on Duo. (Note: A jumphost doesn’t preclude the need for the same MFA approach on every server, whether it’s behind a firewall or not - it should just be a base reality of your puppet/chef/ansible world :) )

    4. Don’t forget your backups (see Reddit). If you’re doing backups (other than OVH/Provider hosted), go overboard. Encrypt ’em - drop ’em in a different account, probably on a different provider. Ensure you treat your backups like gold.

    5. For the love of god, put complex passwords on any certificates you use. Don’t store the password in the same location you store private keys. And don’t pretend like certificate based authentication can function as a ‘2nd factor.’

    6. Extending the points above, presume that every server you run is internet facing and secure it that way.

    7. Acknowledge that if you enter the scopes of a state actor (this is a reality for what you’re trying to build here) that your workstations ARE compromisable; this level of actor has access to unpatched/unidentified vulns and customized malware. When you are using a 2nd factor it must be WHOLLY segregated from your laptop. If you are using TOTP and dropping the token into Authy so you can pop it open in Chrome, you’re doing silly things :).

    I could go on, but I’m about to lose wifi. If this is too elementary, I can go deeper. If it’s good, I can think about a proper way to jot a bunch of fundamental ideas down.

    7 votes
    1. Custos

      You may also want a public policy around data retention. The thing that bugs me the most about the Reddit breach is that they had backups from a decade ago. If I delete comments, I really don’t want them coming back to haunt me a decade later.

      3 votes
      1. Comment deleted by author
        1. Custos

          Kinda - this is a common oversight. Do we backup databases? How long are those backups retained?

          If you remove my comment from your production database, but someone snags a backup of the database before I deleted the comment - that’s gonna suck :).

          3 votes
          1. Comment deleted by author
            1. Custos

              I'm not overly worried on a personal level. I'm worried for Deimos if this site reaches its potential/vision :)

              2 votes