WIP: Add secure note token #138
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Chris <[email protected]>
Todo decryption Co-authored-by: Chris <[email protected]>
Add secret key to url fragment automatically Co-authored-by: Chris <[email protected]>
Uses generate_new.html as a template for the new secure_note.html to generate a consistent ui with other canarytoken pages. Includes necessary handling to operate without javascript. Uses existing libraries to add styles. Co-authored-by: oli <[email protected]>
|
To clarify what the use is. Other tokens are meant to be stealthy so that an attacker trips over them. But if the attacker is wary about the presence of canary tokens, they could avoid tripping them. For example if you put your passwords in an excel document, the attacker could just turn off their internet before viewing the excel document and you would never be notified that they now have your passwords. Conversely, the contents of a secure note cannot be retrieved without tripping the token. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a bit of a work in progress that @cdilga and I have been playing around with.
It implements a new token we're calling "Secure Note" (happy to change the name). We'd like feedback on what people think of the concept.
The basic idea is that you can add an extra note that is encrypted and can only be decrypted using the original url (it gets the decryption key from the url fragment). The use case is for organisations/individuals that want to store an important key or password or something for disaster recovery, but want to be notified in case someone retrieves it.