scidsg / hushline

Hush Line connects whistleblowers with organizations and people who can help.

https://hushline.app

GNU Affero General Public License v3.0

77 stars 21 forks source link

Define a threat model #265

Closed brassy-endomorph closed 6 months ago

brassy-endomorph commented 8 months ago

We need to define a threat model for what is and is not in scope as threats we will be considering. This document doesn't need to be complete, but it needs to at least be a starting point.

Questions to ask

Who are the intended users?
- As receivers of tips?
- As senders?
What sort of orgs/groups will be using this softer?
Where is it intended to be deployed? Shared cloud? Private VM? Bare metal in a rack at a DC? Bare metal in an EiC's office under careful supervision?
What types of adversaries are we expecting? And which do we actually plan to defend against?
What type of attacks (give then defined adversaries) are they going to use? Can we reasonably defend against them or do we need to change scope?

glenn-sorrentino commented 8 months ago

Updated threat model: https://scidsg.github.io/hushline-docs/book/prereqs/threat-modeling.html

Will add to new docs when migrating.

brassy-endomorph commented 8 months ago

I think we should re-open this ticket and not be hasty in closing it as this document is critically important to the app as it will inform decisions on how we code and what features we add.

This document still lacks some specificity such as:

Are all database admins at the same trust level?
- Are database admins the same people as those who deploy the app?
- If so, field level encryption doesn't buy us anything
Are we protecting against seized hardware (or VMs?)
- If so, we should add FDE
"Network Observers" and "Global Adversaries" are not the same thing. A random skid with a pineapple can watch network traffic but that's not the same as an APT who will kick down your door and confiscate your server

With more time to stew on it, there's probably more things to consider, and this ticket should be closed after a fairly long consensus process.

glenn-sorrentino commented 8 months ago

Sounds good. I added the first pass for threat model + docs here: https://github.com/scidsg/hushline/pull/294

glenn-sorrentino commented 8 months ago

Also here: https://github.com/scidsg/hushline/blob/main/docs/threat-model.md

glenn-sorrentino commented 6 months ago

Closing since we have a threat model. We can create a new ticket for updates that are needed.