Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Keep your secrets (in a)
safe
Dimitri Merejkowsky February
2017
Me and Tanker
Keep your secrets (in a) safe
Tanker: powerful end-to-end encryption for cloud services
(Dropbox, Onedrive, ...
Tanker security model
Software stack

Client backend: C++ (14!) with Botan

GUI: Qt WebView + HTML, CSS, JavaScript, React

Server backend: G...
But we use HTTPS!
HTTPs alone won’t save you (especially if you don’t
check the certificates)
A virus can patch the client...
Applications store to the rescue!
Our client binaries are signed, so as soon as
you change something in the executable, th...
Tanker secrets
Keep your secrets (in a) safe
We have a few secrets to keep safe here at Tanker.

Signing keys for Windows...
The Hardware Security Module and the Air Gap
Keep your secrets (in a) safe
Lots of fancy words for a very simple idea:
The...
Open or closed?
Keep your secrets (in a) safe
When everyone has left the office, should the safe be
opened or closed?
Open or closed?
Keep your secrets (in a) safe
During office hours, should the safe be opened or closed?
What happens when the safe is always closed
Keep your secrets (in a) safe

You have to type the password and use the key ...
What happens when the safe is opened during office
hours
Keep your secrets (in a) safe

You only have to enter the passwo...
One last hack
Keep your secrets (in a) safe

The key to the office door is placed right in front of the
safe’s door

Sam...
Parting words
Keep your secrets (in a) safe
We’re hiring !
https://app.tanker.io/rabbit/
https://www.linkedin.com/company/...
Prochain SlideShare
Chargement dans…5
×

Tanker: keep your secrets (in a) safe

Talk given at second SecParis Meetup.

Livres associés

Gratuit avec un essai de 30 jours de Scribd

Tout voir
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

Tanker: keep your secrets (in a) safe

  1. 1. Keep your secrets (in a) safe Dimitri Merejkowsky February 2017
  2. 2. Me and Tanker Keep your secrets (in a) safe Tanker: powerful end-to-end encryption for cloud services (Dropbox, Onedrive, ...) Me:  Part-time Scrum Master  Buildfarm Guru  Continuous Integration  Deployment / Release scripts
  3. 3. Tanker security model
  4. 4. Software stack  Client backend: C++ (14!) with Botan  GUI: Qt WebView + HTML, CSS, JavaScript, React  Server backend: Go  Scripts: Python3
  5. 5. But we use HTTPS! HTTPs alone won’t save you (especially if you don’t check the certificates) A virus can patch the client to by-pass the certificate verifications, or even send the data to an other server, so we need to make sure the client executables are not compromised.
  6. 6. Applications store to the rescue! Our client binaries are signed, so as soon as you change something in the executable, the operating system will notice :) On Linux we can sign with a GPG key for instance.
  7. 7. Tanker secrets Keep your secrets (in a) safe We have a few secrets to keep safe here at Tanker.  Signing keys for Windows and Mac  (This is required when you have an “official” Dropbox application such as ours)  Private ssh keys (stored on a USB drive)  ….
  8. 8. The Hardware Security Module and the Air Gap Keep your secrets (in a) safe Lots of fancy words for a very simple idea: The hardware that contains the “secret” files (aka the HSM) is never connected to any network. And so, we put the HSM in a safe (a real one!) The safe has a key and a password
  9. 9. Open or closed? Keep your secrets (in a) safe When everyone has left the office, should the safe be opened or closed?
  10. 10. Open or closed? Keep your secrets (in a) safe During office hours, should the safe be opened or closed?
  11. 11. What happens when the safe is always closed Keep your secrets (in a) safe  You have to type the password and use the key over and over again  You might forget to put stuff back in when you leave the office
  12. 12. What happens when the safe is opened during office hours Keep your secrets (in a) safe  You only have to enter the password once per day (By the way, this is how sudo and ssh-agent work)  You are less likely to forget to close it when you leave  You see the contents of the safe so you are less likely to leave secrets outside, unprotected
  13. 13. One last hack Keep your secrets (in a) safe  The key to the office door is placed right in front of the safe’s door  Same thing: you are less likely to forget to close the door when you leave
  14. 14. Parting words Keep your secrets (in a) safe We’re hiring ! https://app.tanker.io/rabbit/ https://www.linkedin.com/company/tankerapp Follow us on twitter: @Tanker_Security

×