Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🔊 Replace fatal error with logging #50

Merged
merged 1 commit into from
Dec 4, 2023
Merged

🔊 Replace fatal error with logging #50

merged 1 commit into from
Dec 4, 2023

Conversation

sergei-maertens
Copy link
Member

There appear to be ~1 incident/day caused by this IP address check, and from the looks of it they all seems like genuine, non-malicious usage.

In office spaces where VPNs and network changes (which result in different IP addresses) are common, this check leads to false positives and we've assessed the likelihood of actual attacks to be low.

  • Session cookies are typically flagged as HttpOnly, so XSS to steal credentials/cookies is not a viable exploit path
  • If an attacker can intercept the session cookie via MITM over plain HTTP, the DigiD conditions are not met and you really, really should not run anything over plain HTTP.
  • If an attacker can MITM an HTTPS connection, you have far bigger issues, since then interecepting/modifying the actual HTTP traffic is much more interesting than hijacking a DigiD session.
  • Initial HTTP connections (first-ever) are possible, even when using HSTS (which you should deploy), but can be mitigated by making sure your URLs are added to the preload lists vendored in browsers.

@sergei-maertens
🔊 Replace fatal error with logging
e423f10 
There appear to be ~1 incident/day caused by this IP address check,
and from the looks of it they all seems like genuine, non-malicious
usage.

In office spaces where VPNs and network changes (which result in
different IP addresses) are common, this check leads to false positives
and we've assessed the likelihood of actual attacks to be low.

* Session cookies are typically flagged as HttpOnly, so XSS to steal
  credentials/cookies is not a viable exploit path
* If an attacker can intercept the session cookie via MITM over plain
  HTTP, the DigiD conditions are not met and you really, really should
  not run anything over plain HTTP.
* If an attacker can MITM an HTTPS connection, you have far bigger
  issues, since then interecepting/modifying the actual HTTP traffic is
  much more interesting than hijacking a DigiD session.
* Initial HTTP connections (first-ever) are possible, even when using
  HSTS (which you should deploy), but can be mitigated by making sure
  your URLs are added to the preload lists vendored in browsers.
alextreme
alextreme approved these changes Dec 4, 2023
View reviewed changes
Copy link
Member

@alextreme alextreme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logging a warning indeed seems more appropriate

@alextreme alextreme merged commit 2c27449 into master Dec 4, 2023
12 checks passed
@alextreme alextreme deleted the bug/remove-ip-address-pinning branch December 4, 2023 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alextreme alextreme alextreme approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sergei-maertens @alextreme