[Discussion] Insecure storage of client certificate password
- Insomnia Version: 6.3.2
- Operating System: Linux Mint (installed by snap)
Details
When using a client certificate in a pfx/p12 file, the path and password for this key are stored unencrypted in a globally readable JSON file. This is potentially highly sensitive information and should probably be encrypted and certainly restricted to access by the owner.
When installed by snap install insomnia, the file is located at ~/snap/insomnia/current/.config/Insomnia/insomnia.ClientCertificate.db. To make matters worse, attempts to restrict permissions on this file are futile, as the file is reset to globally readable when Insomnia is restarted.
➜ Insomnia pwd
/home/wesley/snap/insomnia/24/.config/Insomnia
➜ Insomnia ls -l insomnia.ClientCertificate.db
-rw-r--r-- 1 wesley wesley 401 Feb 25 16:03 insomnia.ClientCertificate.db
➜ Insomnia chmod 600 insomnia.ClientCertificate.db
➜ Insomnia ls -l insomnia.ClientCertificate.db
-rw------- 1 wesley wesley 401 Feb 25 16:03 insomnia.ClientCertificate.db
➜ Insomnia insomnia&
[1] 7871
➜ Insomnia Error org.freedesktop.DBus.Error.Failed: cannot use setting "default-url-scheme-handler": not allowed
[fix] Running database repairs
[db] Initialized DB at /home/wesley/snap/insomnia/24/.config/Insomnia/insomnia.$TYPE.db
Init responses DB
[localstorage] Initialized at /home/wesley/snap/insomnia/24/.config/Insomnia/localStorage
[main] Loading file:///snap/insomnia/24/resources/app.asar/renderer.html
(electron) 'app.makeSingleInstance(cb)' is deprecated. Use 'app.requestSingleInstanceLock() and app.on('second-instance', cb)' instead.
[updater] Updater not running platform=linux dev=false
➜ Insomnia ls -l insomnia.ClientCertificate.db
-rw-r--r-- 1 wesley wesley 401 Feb 25 16:09 insomnia.ClientCertificate.db
This could potentially be part of a larger discussion on security. Currently the app stores everything unencrypted on the filesystem.
The simplest solution would probably be to create an Encrypted Value template tag that can be used to encrypt specific values (similar to the already-existing Prompt tag).
I'm definitely open to having a conversation about this. Any ideas or example of how other apps handle this are welcome.
I should also mention that it is highly likely that similarly-sensitive values are used throughout many places in the app. Environment variables to store passwords, API keys, OAuth credentials, responses, etc.
I would be interested in being included in the discussion regarding this.
Is the ask here to allow users to select which data-fields to encrypt locally on their machines? In the time since this issue was posted, we have released Insomnia Sync which provides end to end encryption in the case of data being shared between Insomnia Users. I'm trying to understand whether or not the Insomnia Sync feature covers this issue.
I'm also interested in this. I've also reached out to insomnia support so if I get a reply I'll post it here.
FYI This is how RapidAPI (formerly PAW) secures sensitive info in the environment variables feature:
[Screenshot 2023-04-03 at 09 55 07]
https://paw.cloud
I keep revisiting this since Insomnia is by far my favourite API client but I can't make much use of it without the ability to protect secrets on local storage. The 'end-to-end encryption' doesn't even cover this as all settings are decrypted when stored locally.