this post was submitted on 10 Jul 2023
55 points (96.6% liked)


Right guys?

[–] spiderplant@infosec.pub 3 points 1 year ago (2 children)

Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one year expiry date!

[–] TheSaneWriter@lemm.ee 3 points 1 year ago (1 children)

The servers should theoretically have a way to murder the tokens, but I'm not sure how Lemmy has implemented authentication so I don't know for sure.

[–] spiderplant@infosec.pub 3 points 1 year ago (1 children)

Looks like you're right, admins will just need to update the JWT secret.

[–] TheSaneWriter@lemm.ee 1 points 1 year ago

That makes sense. Of course, updating the secret will log everyone out, but that's a small price to pay to fix an admin breach.

Tokens are signed with a secret string, which basically tells the server that it is legitimate. They could change that secret, and the server would immediately distrust any tokens signed with the old secret. This would be a pretty nuclear option though, because it would require every single user to log back in.

You’re not the first person to say that the expiration time is a year, which is hilariously long if true. A shorter expiration time is more secure (because it specifically limits attacks like this to a specific timeframe) but it also increases server load by requiring token requests more often. For instance, if the expiry was set at 5 minutes, you’d have requests every 5 minutes but an attacker would only have control of an account for a maximum of five minutes. Maybe it was done to help save on server load, since this is all basically run by a few people as a hobby.
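To make the two points in this thread concrete (rotating the signing secret invalidates every outstanding token at once, and the `exp` claim bounds how long a stolen token stays usable), here is an added example of an HS256 JWT issuer and verifier. It is not Lemmy's code; the claim names, secrets and timestamps are constructed for the walkthrough.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, user_id: int, ttl_seconds: int, now: int) -> str:
    """Issue an HS256 JWT whose `exp` claim is `now + ttl_seconds` (hypothetical claim set)."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl_seconds}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: int) -> tuple[bool, str]:
    """Return (ok, reason): pins the algorithm, checks the MAC in constant time, then enforces exp."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"        # wrong secret (e.g. after rotation) or tampered claims
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    return True, "ok"


def rotation_demo() -> dict:
    """Constructed walkthrough: a one-year token checked before and after a secret rotation and at expiry."""
    old_secret, new_secret = b"constructed-old-secret", b"constructed-new-secret"
    t0, year = 1_700_000_000, 365 * 24 * 3600
    tok = mint_token(old_secret, 42, year, t0)
    a_month_later = t0 + 30 * 24 * 3600
    return {
        "before_rotation": verify_token(old_secret, tok, a_month_later)[1],
        "after_rotation": verify_token(new_secret, tok, a_month_later)[1],   # every old token dies at once
        "at_expiry": verify_token(old_secret, tok, t0 + year)[1],            # exp alone would take a year
    }
```

Shortening `ttl_seconds` is the other lever the thread mentions: a 5-minute token fails the same `exp` check 5 minutes after issue, without anyone rotating the secret.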