From 448ef072e545d95fa674fe41e2c6066198f2b33d Mon Sep 17 00:00:00 2001 From: Jamil Date: Thu, 13 Oct 2022 14:59:41 -0500 Subject: [PATCH] Docs sec controls (#1018) * add security controls document * Add sec controls doc --- apps/fz_http/lib/fz_http_web/router.ex | 2 +- docs/docs/reference/security-controls.mdx | 72 +++++++++++++++++++++++ 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 docs/docs/reference/security-controls.mdx diff --git a/apps/fz_http/lib/fz_http_web/router.ex b/apps/fz_http/lib/fz_http_web/router.ex index fcaf75900..5271e290f 100644 --- a/apps/fz_http/lib/fz_http_web/router.ex +++ b/apps/fz_http/lib/fz_http_web/router.ex @@ -5,7 +5,7 @@ defmodule FzHttpWeb.Router do use FzHttpWeb, :router - # Limit total requests to 20 per every 10 seconds + # Limit total requests to 50 per every 10 seconds @root_rate_limit [rate_limit: {"root", 10_000, 50}, by: :ip] pipeline :browser do diff --git a/docs/docs/reference/security-controls.mdx b/docs/docs/reference/security-controls.mdx new file mode 100644 index 000000000..4d2b6d12e --- /dev/null +++ b/docs/docs/reference/security-controls.mdx 
@@ -0,0 +1,72 @@ +--- +title: Security Controls +sidebar_position: 10 +--- + +Firezone employs a few different security controls to keep data secure in +transit and at rest. + +## Overview of Cryptography Used + +Below is a table of cryptography used and to which contexts they apply. + +| Cryptography | Context | Notes | +| --- | --- | | +| AES-GCM | Data at rest | Used to encrypt sensitive database fields such as device preshared keys and multi-factor authentication secrets. | +| Argon2 | Data at rest | Used to hash user passwords for the local authentication method. | +| TLSv1.2/TLSv1.3 | Data in transit | Used by the Caddy server to encrypt HTTP connections to the portal. Read more at https://caddyserver.com/docs/caddyfile/directives/tls. SSL certificates are provisioned automatically with the ACME protocol by Let's Encrypt by default. | +| ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDF | Data in transit | Used by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses Linux kernel WireGuard without modification. | + +## Rate Limiting + +Firezone employs HTTP rate limiting to help limit the effectiveness of brute +force attacks against the web portal. Requests from a single IP are +limited to 5 per second before Firezone responds with an +`HTTP 429: Too Many Requests`. + +## Security Policy + +We take security issues very seriously and strive to fix all security issues +as soon as they're reported. + +### Announcements + +We'll announce major security issues on our security mailing list located at: + +https://discourse.firez.one + +### Supported Versions + +We release security patches for supported versions of Firezone. We recommend +running the latest version of Firezone at all times. + +### Reporting a Vulnerability + +Please **do not** open a Github Issue for security issues you encounter. +Instead, please send an email to `security AT firezone.dev` describing the issue +and we'll respond as soon as possible. 
+ +### PGP Key + +You may use the public key below to encrypt emails to `security AT firezone.dev`. +You can also find this key at: + +https://pgp.mit.edu/pks/lookup?op=get&search=0x45113BA04AD83D8A + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: pgp.mit.edu + +mDMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49joUMgHoS0 +JkZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlei5vbmU+iJoEExYKAEIWIQQlD4tW +gEEHBC38anNFETugStg9igUCYYwK5AIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwEC +HgcCF4AACgkQRRE7oErYPYoORwEAiYi3arrcR2e5OfqsoAbCN0O6M0HWeo1K/ZoFWH2jLy0B +AMsWk58vepKqNhUKhuDb8bSjK8TOr/IxB63lSkQaz9MIuDgEYYwK5BIKKwYBBAGXVQEFAQEH +QPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB4h+BBgWCgAmFiEEJQ+LVoBB +BwQt/GpzRRE7oErYPYoFAmGMCuQCGwwFCQPCZwAACgkQRRE7oErYPYr0ZQEAig86wu+zrNiT +B4t3dk3psHRj+Kdn4uURLjUBZqYNvXoA+QEBUPtP7hNjum+1FrzYmHUFdCBA/cszz7x7PQ36 +5gcE +=0gEr +-----END PGP PUBLIC KEY BLOCK----- +```
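Review bot: In the router.ex hunk, the updated comment still says "total requests", but the attribute on the following line is keyed `by: :ip`, so the limit applies per client address rather than globally. Suggest wording it as `# Limit requests to 50 per 10 seconds per IP` so the comment matches `{"root", 10_000, 50}`. Because the new docs page in this patch says Caddy serves the portal's HTTP connections, it is also worth confirming that `:ip` resolves to the client address and not the proxy's; if it were the proxy's, all users would share one bucket.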
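Review bot: In the Rate Limiting section of security-controls.mdx, "limited to 5 per second" does not match how the router states the limit in this same patch, which is 50 requests per 10 seconds (`{"root", 10_000, 50}`). The averages agree, but the window differs, and a 10-second window can admit a larger burst than 5 in any one second before a 429 is returned. Suggest documenting it as 50 requests per 10 seconds per IP. Two smaller points in the same file: the table delimiter row `| --- | --- | |` has no dashes in the third cell and should read `| --- | --- | --- |` so the Notes column renders, and the PGP Key section identifies the key only by the 64-bit ID `0x45113BA04AD83D8A` in the lookup URL, so printing the full fingerprint next to the key block would let reporters verify what they import.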