Evergreens

Mark Smith's Journal

Work related musings of a geek.

protected content security

[staff profile] mark
There's a bunch of talk going around right now about the whole issue of content security, and trusting the people who host your content and have access to it. I wanted to talk on that for a moment as it's something that is really important to me.

The only people that are authorized to view protected content on Dreamwidth that they don't otherwise have access to are [staff profile] denise and myself. We are the only people with the proper access level. On top of that, it's not automatic -- in order to view the protected content, every time one of us visits a URL we have to edit it and add "viewall=1" to the end of it. It's a very manual process (for good reason). It's also logged -- and I don't know about Denise, but I review the logs regularly, just like every other security log we have.

The second level of access is for people who have access to the production servers that run Dreamwidth. When someone has the ability to log in to our servers, they have full access to the data on the databases and could in theory access protected content. The only people with server access are again myself and Denise, plus our two sysadmins: [personal profile] matthew, who used to work for LJ (before and during Six Apart), and [personal profile] alierak, who I've known for a decade and I trust completely.

That's it. The four of us.

At some point, it comes down to trust. We need the ability to work on the servers, so there are always going to be a set of people who have the ability to see private data. This isn't something that we can feasibly get rid of, either. The data exists on the servers (that's how we can show it to you and the people who are authorized to see it) and we need access to those servers to maintain them. The data isn't just sitting around visible to us, though -- it's tucked away in the database and requires a lot of manual effort to dig out, unzip, and connect to a user account. We never see post content accidentally.

In the end, I think that the best that I can offer anybody is to be explicit about who has access (and what kind of access they have) and to personally watch the security logs. I watch to make sure we don't have unauthorized access to our servers, and I look for unauthorized access to private data as well. It's part of the routine, and it's something I take very seriously. Having dealt with some problems related to this in the past (on other projects, with other people) it's not something I want to see Dreamwidth have to go through.

I'm happy to talk about this, if anybody has any thoughts, comments, or questions.
09.05.2010 08:30 pm (UTC)

PGP Option?

Posted by [personal profile] krellis
One interesting feature, if enough people really want more assurance about this, would be to add a "PGP posting" feature to the software itself - it'd be a pseudo-security-level, really just the same as a normal "locked" type of entry, but you would be able to select from some set of PGP public keys that you've uploaded for the content to be encrypted with, and then, using some out of band means, provide the private key half of that PGP key to anyone you want to be able to read it. I can't think of a secure way of Dreamwidth doing the decryption half without it again being possible for you guys to read the content, but there are browser plugins designed for doing PGP work on webmail systems that would work.

It's quite possibly excessive, and not something I personally would necessarily use or care much about, just an idea that popped into my head if you wanted to offer something for those who are really paranoid or really have something they feel strongly that they need to keep confidential.
09.05.2010 11:55 pm (UTC)

Re: PGP Option?

msilverstar: (viggo 09)
Posted by [personal profile] msilverstar
I think an option for gentle encryption would be nice. Not designed to stop the NSA, but OK for dealing with non-hackers.

As long as it's clearly explained that this is no guarantee of privacy, it would be another useful tool.
10.05.2010 01:28 am (UTC)

Re: PGP Option?

eagle: Me at the Adobe in Yachats, Oregon (Default)
Posted by [personal profile] eagle
There's something to be said for simple symmetric-key encryption (using AES for instance) even if Dreamwidth also stores the key and decrypts on the fly for authorized users. It means that the data is encrypted at rest and no one can see it by accident.

A minor gain probably not worth the complexity, but that sort of server-side encryption is becoming increasingly common in the storage world. (Although there the concern is often about backups, which are frequently sent off-site to unaffiliated storage companies who shouldn't be able to read the stuff they're storing.)
10.05.2010 06:21 pm (UTC)

Re: PGP Option?

pseudomonas: (Default)
Posted by [personal profile] pseudomonas
Hmm, interesting. I like the idea of users being able to broadcast stuff securely like this. *but* I think if we do something like this it's got to be really rigorous. It's fine with stuff that's access-locked being by-and-large good enough, but things that are claiming to be crypto have to be done right - giving a false sense of security is much worse than just not offering the service.

If the encryption is done browser-side with another plugin then Dreamwidth never touches the plaintext or the keys and the only thing that needs security auditing is the plugin. All DW has to do is provide a nice way of tagging the text. Or am I missing something?