
It's the same as with Linux, GIMP, LibreOffice or OnlyOffice. Some people are so used to their routines that they expect everything to work the same and get easily pissed when not.

[-] Rusticus@lemmy.world 20 points 1 year ago

As someone who used Reddit when it was first released, Lemmy is 10x better than Reddit v0.1 and obviously better than current Reddit.

I guess as a user I didn't see the back-of-house tools for mods and admins, but so far Lemmy is at least competitive. There are risks with server security and threat of being hacked, along with the size of the team.

[-] riskable@programming.dev 29 points 1 year ago

There are risks with server security and threat of being hacked

[Citation Needed]. I'm a security professional (my day job involves auditing code). I had a look through the Lemmy source (I'm also a Rust developer) and didn't see anything there that would indicate any security issues. They made good architecture decisions (from a security perspective).

NOTES ABOUT LEMMY SECURITY:

User passwords are hashed with bcrypt which isn't quite as good a choice as argon2 but it's plenty good enough (waaaaay better than most server side stuff where developers who don't know any better end up using completely inappropriate algorithms like SHA-256 or worse stuff like MD5). They hard-coded the use of DEFAULT_COST which I think is a mistake but it's not a big deal (maybe I'll open a ticket to get that changed to a configurable parameter after typing this).

I have some minor nitpicks with the variable naming which can lead to confusion when auditing the code (from a security perspective). For example: form_with_encrypted_password.password_encrypted = password_hash; A hashed password is not the same thing as an "encrypted password". An "encrypted password" can be reversed if you have the key used to encrypt it. A hashed password cannot be reversed without spending enormous amounts of computing resources (and possibly thousands of years in the case of bcrypt at DEFAULT_COST). A trivial variable name refactoring could do wonders here (maybe I should submit a PR).

From an OWASP common vulnerabilities standpoint Lemmy is protected via the frameworks it was built upon. For example, Lemmy uses Diesel for Object Relational Mapping (ORM, aka "the database framework") which necessitates the use of its own syntax instead of making raw SQL calls. This makes it so that Lemmy can (in theory) work with many different database back-ends (whatever Diesel supports) but it also completely negates SQL injection attacks.

Lemmy doesn't allow (executable) JavaScript in posts/comments (via various means not the least of which is passing everything through a Markdown compiler) so cross-site scripting vulnerabilities are taken care of as well as Cross Site Request Forgery (CSRF).

Cookie security is handled via the jsonwebtoken crate which uses a randomly-generated secret to sign all the fields in the cookie. So if you tried to change something in the cookie Lemmy would detect that and throw out the whole cookie (you'd have to re-login after messing with it). This takes care of the most common session/authentication management vulnerabilities and plays a role in protecting against CSRF as well.

Lemmy's code also validates every single API request very robustly. It not only verifies that any given incoming request is in the absolute correct format it also validates the timestamp in the user's cookie (it's a JWT thing).

Finally, Lemmy is built using a programming language that was engineered from the ground up to be secure (well, free from bugs related to memory management, race conditions, and unchecked bounds): Rust. The likelihood that there's a memory-related vulnerability in the code is exceptionally low and Lemmy has tests built into its own code that validate most functions (clone the repo and run cargo test to verify). It even has a built-in test to validate that tampered cookies/credentials will fail to authenticate (which is fantastic--good job devs!).

REFERENCES:
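The comment above makes two points about password storage: the work factor should be configurable rather than hard-coded, and a stored value is a hash, not an "encrypted password". The following is an added example, not Lemmy's code; Lemmy uses the bcrypt crate, and since bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 stands in here to show the same shape (per-user salt, tunable cost, verification by recomputation). The names `DEFAULT_COST`, `hash_password`, `verify_password` and the `$`-separated encoding are all constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical analogue of bcrypt's DEFAULT_COST: log2 of the iteration count.
# In a real deployment this would come from configuration, not a constant.
DEFAULT_COST = 12
ALGORITHM = "pbkdf2-sha256"  # stand-in for bcrypt in this example


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, cost: int = DEFAULT_COST) -> str:
    """Return a self-describing password hash: algo$cost$salt$digest.

    The cost is stored alongside the hash, so raising the configured
    default later does not invalidate hashes produced with the old cost.
    """
    if not 4 <= cost <= 31:
        raise ValueError("cost out of range")
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, 2 ** cost
    )
    return "$".join([ALGORITHM, str(cost), _b64(salt), _b64(digest)])


def verify_password(password: str, password_hash: str) -> bool:
    """Recompute the digest with the stored salt and cost and compare.

    Nothing is decrypted here: there is no key, only a one-way function,
    which is why 'password_hash' is the honest name for the stored value.
    """
    try:
        algorithm, cost_text, salt_text, digest_text = password_hash.split("$")
        cost = int(cost_text)
        salt = _unb64(salt_text)
        stored_digest = _unb64(digest_text)
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed login, never as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, 2 ** cost
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, stored_digest)


def stored_cost(password_hash: str) -> int:
    """Read back the cost a hash was created with (useful for rehash-on-login)."""
    return int(password_hash.split("$")[1])


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The `stored_cost` helper is what makes a configurable cost safe to change: on a successful login, a server can compare the hash's cost with the currently configured one and rehash with the new cost when they differ, migrating old records gradually instead of forcing a password reset.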
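The comment above also describes the session cookie: a JWT signed with a randomly generated secret, so any modified field fails verification and the whole cookie is rejected, and the embedded timestamp is checked on every request. The following is an added example, not Lemmy's code and not the jsonwebtoken crate; it implements HS256 signing and verification with only Python's standard library to show exactly what that check looks like. The secret, the claim names and the `tamper_payload` helper (which simulates an attacker editing the cookie) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Generated once at startup in this example, as the comment describes for Lemmy.
SECRET = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and timestamps check out, else None.

    Any failure rejects the whole token: a tampered payload, a bad or
    missing signature, a foreign algorithm, or an expired timestamp.
    """
    try:
        header_text, payload_text, signature_text = token.split(".")
        header = json.loads(_unb64url(header_text))
        signature = _unb64url(signature_text)
    except (ValueError, UnicodeDecodeError):
        return None
    # Never let the token choose the algorithm ("alg": "none" is a classic bypass).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, f"{header_text}.{payload_text}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # signature does not cover this payload: reject everything
    try:
        claims = json.loads(_unb64url(payload_text))
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None  # expired
    if "iat" in claims and claims["iat"] > current + 60:
        return None  # issued in the future beyond a small clock-skew allowance
    return claims


def tamper_payload(token: str, new_claims: dict) -> str:
    """Simulate editing the cookie's claims while keeping the original signature."""
    header_text, _, signature_text = token.split(".")
    return ".".join([header_text, _encode_json(new_claims), signature_text])


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token({"sub": 42, "iat": now, "exp": now + 3600})
    print(verify_token(tok))                                    # claims dict
    print(verify_token(tamper_payload(tok, {"sub": 1, "exp": now + 3600})))  # None
```

Two details carry most of the security value: the signature is checked before the payload is even parsed, so an attacker-controlled payload never influences behaviour, and the comparison uses `hmac.compare_digest` rather than `==` so timing does not leak how much of a forged signature was correct.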

[-] juicebox@aussie.zone 8 points 1 year ago

I have nothing to add, just wanted to give a kudos on the epic comment.

this post was submitted on 02 Jul 2023
211 points (96.1% liked)
