WingNews logo WingNews
top | item 41110019

(no title)

legobeet | 1 year ago

The next step is to actually use underprivileged canary tokens on the client for your day-to-day work, intercept them with a proxy, and replace them with the real deal in a more isolated setting.

For example, an application-specific HTTP proxy for your GITHUB_TOKEN. You can use a canary token for the internal user-facing auth. https://github.com/legobeat/git-auth-proxy [0].

That piece is being used here[1] in order to make it transparent for the user and I intend to add more features there for credentials- and secrets compartmentalization. Been keeping it fairly structured so you could also use it as a reference if you ever do similar stuff and want some inspiration or copypasta for your personal hacking.

[0]: Caveat: The proxy repo is a fork and the documentation is still more reflective of the previous owners intentions. I ripped out all the Azure/k8s integrations.

[1]: https://github.com/legobeat/l7-devenv/

discuss

order

ghshephard|1 year ago

Don't the "underprivileged canary tokens" then become privileged by virtue of being proxied into more privileged tokens?

legobeet|1 year ago

Sure, but they are only usable as such if attackers also maintain access to the proxy and stay under the radar. Additionally, the proxy has logging and hooks for monitoring so you can audit and filter usage there.

As opposed to something which can be smuggled out and reused offsite.

I'm also thinking that by centralizing (still locally) the configuration, we can get better key rotation hygiene habits without needing to compromise on credential granularity .

Just like there are security benefits in using a secured HSM instead of a world-readable private-key file stored in your unencrypted home directory, even if, yes, the HSM can be abused by a locally privileged attacker.

(I'm definitely not saying I have a silver bullet though, and I don't think one exists. Like any realistic solution, it should be part of a defense-in-depth strategy. Things like hardware keys make for incremental gains, etc)

rcxdude|1 year ago

Yes, but this lets you sound an alarm if they're used from somewhere they shouldn't be (potentially quite tightly if you make the proxy also sound an alarm if the request comes from the wrong part of your internal network)