limpkin / mooltipass

Github repository dedicated to the mooltipass project
https://www.themooltipass.com

[FR Mini Firmware] No option control user accounts #268

Closed NicoHood closed 7 years ago

NicoHood commented 7 years ago

Missing feature

It is not possible to delete a user or keep someone from adding one on your device.

Furthermore it would be nice to know how much space a user "wastes", so you can track if somebody wants to DOS you, etc.

Justification

You could add tons of users or simply fill the flash space, and then the device is not usable. That's more a DOS attack where you could simply destroy the device, but it should still be somehow harder to add a new user.

If you lost a card of another user or simply want to delete him because your friend imported his database on your MP, you have no chance to do so. I am not sure if you can even reset the whole flash and EEPROM with the developer tools. But imagine your friend imports his database and then leaves. Then you lose this flash space, which can be quite big for some users.

The other question is: who has the privileges to delete users? The same person with the bootloader key? However, I still think that due to the bootloader key hack the Mooltipass is not really meant for multi-user usage. Possibly only in families with high trust. But in the end the security relies on the person with the bootloader key in general. And so this person should be allowed to manage users.

So I'd give each account a unique identifier, like a name. The idea of users is not bad if you use it for different databases, e.g. "home" and "work". But I'd never use it for different people. Maybe then the bootloader key (or UID key, whatever you call that one) could be used more generically to add or remove users. Then nobody else can add new accounts without your knowledge.

Workarounds

None

limpkin commented 7 years ago

This is a design choice that will not change. If you want a Mooltipass Mini tied to one user or with strong user control, then you'd create your own firmware. The complexity of adding such a feature would render the Mini unfriendly to use.

"However I still think that due to the bootloader key hack mooltipass": what are you referring to?

NicoHood commented 7 years ago

> what are you referring to?

The problem I wanted to describe is that users are able to hack their firmware/bootloader if you give out those keys. The problem with that is that every user who uses the MP Mini needs to extremely trust the user who has got this key. So for me it would be a no-go to use anyone else's MP (for example at work).

To me the users make only sense in two different situations:

So in the last two options you still have a single point of trust: the user who owns the bootloader key (normally the one who bought the device). You need to fully trust this one. And since you have to do that, it would make more sense to me that this "administrator" is able to delete users/databases and also needs to accept adding new ones to the MP.

I am aware that with the 32u4 this cannot be implemented. However, I currently have the problem that my old (productive) MP has 2 real and 2 ghost users for which I do not have a card anymore. Right now this is not that important, but I am never ever able to recover those 2 accounts (16 is plenty); more importantly, those tons of test entries I've added will just consume data (a valid argument once I start storing SSH keys on the MP).

That is possibly something to tackle in the next version. Or at least a developer user-delete command could be added to allow the bootloader admin to delete unused accounts with lost cards.

limpkin commented 7 years ago

"bootloader key hack mooltipass": so that's actually not a hack, but an unlocked Mooltipass.

NicoHood commented 7 years ago

However you call it. But the admin is the master of all backdoors himself. And if he is, he could just as well get a way to delete unused accounts as described.