Is there an existing issue that is already proposing this?
I have searched the existing issues
Application
Outline Manager
What are you trying to do? What is your use case?
I'm interested in understanding the security implications of access keys being shared, either intentionally or unintentionally. This is crucial for designing secure key distribution mechanisms. There's a significant difference in risk between "a little extra, unaccounted-for traffic" and the claim made here: https://support.getoutline.org/s/article/multiuse-access-key, which states that "[s]omeone with your access key has access to all your internet traffic."
Consider a scenario where a chatbot within an app generates unique access keys for each user. If there's any reason to suspect that the app itself might not be trustworthy in keeping messages private, it would be safer to deliver the keys through a different, more secure channel.
This leads to the core question: what level of access does an access key holder truly possess?
Is your feature request related to a problem? Please describe it.
No response
Describe the solution you'd like.
I would appreciate a more comprehensive exploration of potential attack vectors related to access key sharing in the article.
Describe alternatives you've considered
No response
Thanks for filing this issue. I agree we could probably improve that help center article with more precise language and elaborate to avoid confusion about what is possible.
The access key holder has the ability to decrypt all traffic encrypted with that access key. So if a key is shared between 2 users, both users will be able to decrypt each other's traffic if they, for example, are on the same network and have access to each other's packets.
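Why the reply above holds, as an added example that is not part of the original thread or Outline's own code: an Outline access key carries a Shadowsocks secret, and in the Shadowsocks AEAD construction each connection's subkey is derived only from that secret and a salt sent in cleartext at the start of the stream. The function names, the secrets and the salt below are constructed for illustration, and the 32-byte size assumes the chacha20-ietf-poly1305 cipher.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumption: chacha20-ietf-poly1305 (32-byte key, 32-byte salt)


def master_key(password: bytes, key_len: int = KEY_LEN) -> bytes:
    """Shadowsocks password-to-key step (EVP_BytesToKey with MD5, no salt)."""
    out, block = b"", b""
    while len(out) < key_len:
        block = hashlib.md5(block + password).digest()
        out += block
    return out[:key_len]


def hkdf_sha1(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-1: extract with the salt, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha1).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha1).digest()
        okm += t
        counter += 1
    return okm[:length]


def session_subkey(password: bytes, salt: bytes) -> bytes:
    """Per-connection AEAD subkey: HKDF-SHA1(master key, salt, "ss-subkey")."""
    return hkdf_sha1(master_key(password), salt, b"ss-subkey", KEY_LEN)


def demo():
    # Constructed values: not real Outline keys or captured traffic.
    shared_secret = b"constructed-shared-access-key-secret"
    other_secret = b"constructed-unique-access-key-secret"
    salt_on_wire = bytes(range(KEY_LEN))  # visible to anyone who sees the packets
    sender = session_subkey(shared_secret, salt_on_wire)
    co_holder = session_subkey(shared_secret, salt_on_wire)  # second holder of the same key
    outsider = session_subkey(other_secret, salt_on_wire)    # user with a different key
    return sender == co_holder, sender == outsider


if __name__ == "__main__":
    same_key_matches, other_key_matches = demo()
    print("holder of the same access key derives the session subkey:", same_key_matches)
    print("holder of a different access key derives it:", other_key_matches)
```

Because nothing user-specific enters the derivation, confidentiality between users depends on each user holding a distinct access key.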