yggdrasil-go
What is Yggdrasil's security threat model?
Can applications with sensitive information theoretically run on top of Yggdrasil without any additional TLS? For example, a banking system.
The technical answer is yes, all session traffic that flows across the network is end-to-end encrypted. Therefore even plain HTTP traffic is still encrypted in transit across the network. We use Go's NaCl box implementation to do that.
The sensible answer is, of course, that Yggdrasil has not been formally audited so building an application around it would be at your own risk.
Maybe some security experts could enlighten us about certificate management/revoking requirements which TLS has and Yggdrasil doesn't?
I'm not exactly a security expert, but I can think of two concerns:
- Authentication. TLS certificates aren't just necessary to encrypt traffic, but also to prove that you're connected to the right server. I don't doubt the NaCl box library can provide this, but it might take some work to figure out how to fit it together.
- Forward secrecy. In modern versions of TLS with modern algorithms, you can get the property that even if an attacker records the request and response and later compromises the server's private key, they still can't read it because the request and response were never actually encrypted with the long-term private key, only with ephemeral keys, which were signed by it and then discarded after use. I don't know if Yggdrasil provides this.
If these can be solved, I'll be thrilled.
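The authentication and forward-secrecy concerns in the comment above, as an added example (not code from Yggdrasil or from anyone in this thread). It uses Go's standard-library X25519 and Ed25519 rather than the NaCl box package, all names are made up for illustration, and it makes no claim about which design Yggdrasil uses.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// sessionKey hashes the X25519 shared secret into a 32-byte symmetric key.
func sessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) [32]byte {
	return sha256.Sum256(must(priv.ECDH(peer)))
}

// compare reports, for each design, whether someone who recorded the handshake
// and later obtains the server's long-term keys can rebuild the session key.
func compare() (staticRecovered, ephemeralRecovered, sigValid bool) {
	serverLong, clientLong := newKey(), newKey()
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Design A: the session key comes straight from the long-term keys.
	keyA := sessionKey(clientLong, serverLong.PublicKey())
	staticRecovered = sessionKey(serverLong, clientLong.PublicKey()) == keyA
	// Design B: fresh keys per session; the long-term key only signs the
	// server's ephemeral public key, which is what authenticates the server.
	serverEph, clientEph := newKey(), newKey()
	sig := ed25519.Sign(signPriv, serverEph.PublicKey().Bytes())
	sigValid = ed25519.Verify(signPub, serverEph.PublicKey().Bytes(), sig)
	keyB := sessionKey(clientEph, serverEph.PublicKey())
	// Ephemeral private keys are discarded; only long-term keys can leak later.
	ephemeralRecovered = sessionKey(serverLong, clientEph.PublicKey()) == keyB
	return
}

func main() {
	fmt.Println(compare())
}
```

Running it prints `true false true`: the static design's recorded session is recoverable from the long-term key, the ephemeral design's is not, and the signature still ties the ephemeral key to the server's identity.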
Does it still use NaCl and do we know if it has PFS?
> I'm not exactly a security expert, but I can think of two concerns:
> - Forward secrecy. In modern versions of TLS with modern algorithms, you can get the property that even if an attacker records the request and response and later compromises the server's private key, they still can't read it because the request and response were never actually encrypted with the long-term private key, only with ephemeral keys, which were signed by it and then discarded after use. I don't know if Yggdrasil provides this.
Yggdrasil has base end-to-end encryption between source and destination. If you want forward secrecy, you use a TLS certificate on your server (or website), so you get another layer of encryption which is independent from the base layer encryption provided by Yggdrasil.