About:Pharmacopedia.ext: Difference between revisions
From Pharmacopedia
More actions
| [checked revision] | [checked revision] |
MDElliottMD (talk | contribs) Version bump to 0.9.8.6 |
MDElliottMD (talk | contribs) Add Security & encryption section (verbatim config + crypto detail per server-claude inventory; disclosure block per Mark) |
||
| Line 61: | Line 61: | ||
** <code>ext.pharmacopedia.skin.plants</code> / <code>ext.pharmacopedia.skin.fungi</code>: the earth-toned plants-skin overlay and the fungi sub-skin override layer | ** <code>ext.pharmacopedia.skin.plants</code> / <code>ext.pharmacopedia.skin.fungi</code>: the earth-toned plants-skin overlay and the fungi sub-skin override layer | ||
* '''Schema:''' <code>sql/</code>, roughly three dozen core tables plus migration patches. Picked up via the <code>LoadExtensionSchemaUpdates</code> hook. | * '''Schema:''' <code>sql/</code>, roughly three dozen core tables plus migration patches. Picked up via the <code>LoadExtensionSchemaUpdates</code> hook. | ||
== Security & encryption == | |||
Pharmacopedia stores deliberately personal data, including self-reports across mood, addiction, sexuality, and clinical history. The cryptographic + operational posture below is documented in detail so that a security researcher can read it in one pass and know exactly what is on the ground. Values are quoted verbatim where they are already observable from the public surface (HTTP headers, TLS handshake, public APIs); secrets and rotation policy are described without disclosing their values. | |||
=== Transport === | |||
TLS terminates at Apache 2 (mod_ssl) on the same host as the application. No CDN, no reverse proxy, no load balancer is in front. Certificate is a Let's Encrypt ECDSA leaf, renewed by <code>certbot.timer</code> (fires twice daily, renews when within 30 days of expiry). Private key on disk is mode 600 root:root in <code>/etc/letsencrypt/archive/pharmacopedia.wiki/</code>. | |||
Apache TLS config (from <code>/etc/letsencrypt/options-ssl-apache.conf</code>, loaded by every Pharmacopedia vhost): | |||
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |||
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256: | |||
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384: | |||
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305: | |||
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |||
SSLHonorCipherOrder off | |||
SSLSessionTickets off | |||
Effective enabled: TLS 1.2 + TLS 1.3 only. TLS 1.0 / 1.1 refused. <code>SSLSessionTickets off</code> preserves forward secrecy across server restarts. | |||
HSTS: | |||
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload | |||
Two years, subdomains included, preload-ready. | |||
=== HTTP security headers === | |||
Set at the Apache layer (<code>/etc/apache2/conf-enabled/security-headers.conf</code>), not relying on PHP: | |||
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; media-src 'self' blob:; font-src 'self' data:; object-src 'none'; frame-src 'self' https://challenges.cloudflare.com; worker-src blob:; base-uri 'self'; form-action 'self'; | |||
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload | |||
Referrer-Policy: strict-origin-when-cross-origin | |||
X-Frame-Options: SAMEORIGIN | |||
Permissions-Policy: geolocation=(), camera=(self), microphone=(), payment=() | |||
X-Content-Type-Options: nosniff (set by MediaWiki) | |||
<code>'unsafe-inline'</code> + <code>'unsafe-eval'</code> are required by MediaWiki's JS/CSS pipeline; <code>challenges.cloudflare.com</code> is whitelisted only for the Cloudflare Turnstile widget. <code>object-src 'none'</code> blocks Flash/applet vectors; <code>base-uri 'self'</code> blocks base-tag hijack; <code>form-action 'self'</code> blocks off-origin form POST. No COOP / COEP / CORP set: MW does not need cross-origin isolation. | |||
=== Apache file filters + URL redaction === | |||
A backup-pattern denylist applies under the document root: | |||
<FilesMatch "\.pre-|\.bak|\.orig|\.php\.|~$"> | |||
Require all denied | |||
</FilesMatch> | |||
This closes editor swap files, ad-hoc <code>.pre-<feature></code> snapshots, <code>.orig</code> merge debris, and emacs / vim trailing-tilde backups (a source-disclosure path closed 2026-05-20). | |||
Skin asset directories run a positive allowlist (default-deny, only the whitelisted suffixes are served): | |||
<FilesMatch "(?i)^(?!.*\.(php|js|mjs|css|json|png|gif|jpe?g|svg|ico|webp|woff2?|ttf|eot|otf|html?|map|pdf)$)"> | |||
Require all denied | |||
</FilesMatch> | |||
The web installer at <code>/mw-config/</code> is 403'd at the vhost layer regardless of any <code>$wgUpgradeKey</code> value. | |||
Token-bearing URLs are redacted from access logs by <code>/etc/apache2/conf-enabled/pcp-log-redaction.conf</code>. Pharmacopedia issues two URL families that carry per-request secrets in the path: <code>Special:RespondToAssessment/<token></code> (the invite token derives the AES key for the respondent-readable AdminCrypto copy) and <code>Special:Perspective/<token></code>. The redaction rule rewrites the request URI in the access log to a literal "[pcp: token-bearing URL redacted]" while preserving IP, time, method, status, byte count, and User-Agent. Three match-paths (request URL, Referer, query string) cover navigation, subresource, and <code>?title=</code> invocations. | |||
=== PHP-FPM hardening === | |||
Production pool <code>/etc/php/8.5/fpm/pool.d/mediawiki-prod.conf</code> runs as <code>www-data</code> on an UDS socket (<code>0660 www-data:www-data</code>), <code>pm = ondemand</code>, <code>pm.max_children = 16</code>, <code>pm.max_requests = 500</code> (workers cycle every 500 requests to recover memory). Per-pool <code>open_basedir</code> restricts filesystem access to the small set of directories the wiki actually needs: | |||
/var/www/mediawiki, /tmp, /var/log/mediawiki, /var/lib/php, | |||
/var/cache/mediawiki, /var/lib/pharmacopedia-verification, | |||
/var/lib/pharmacopedia-literature, /var/lib/pharmacopedia-life, | |||
/usr/bin, /dev/null, /dev/urandom, | |||
/var/lib/pharmacopedia-feature-requests, | |||
/var/lib/pharmacopedia-adminkeys, /var/lib/mwoauth2 | |||
A workspace outside this list is unreadable from PHP regardless of file mode. | |||
ini hardening: <code>expose_php = Off</code>, <code>display_errors = Off</code> (errors go to log only), <code>allow_url_include = Off</code> (remote-PHP include attack vector closed; <code>allow_url_fopen = On</code> stays because MW needs upload-from-URL). Session cookies: <code>secure = 1</code>, <code>httponly = 1</code>, <code>samesite = "Lax"</code>, <code>use_strict_mode = 1</code>, <code>use_only_cookies = 1</code>, session-end lifetime, 24-minute idle gc. opcache enabled with <code>validate_timestamps = 1</code> + 2-second revalidate (no stale-code-after-deploy risk). | |||
=== Database === | |||
MariaDB 10.11.14, <code>bind-address = 127.0.0.1</code> only (the loopback). DB ports are not exposed to the network; UFW does not need a rule because the bind never reaches the wire. <code>sql_mode</code> includes <code>STRICT_TRANS_TABLES</code> + <code>ERROR_FOR_DIVISION_BY_ZERO</code> (strict type + math behavior). <code>have_ssl = DISABLED</code> is deliberate (loopback-only connections do not benefit from TLS overhead). The wiki's DB account is scoped to the two MW schemas (<code>mediawiki</code>, <code>mediawiki_staging</code>); no <code>FILE</code>, no <code>SUPER</code>, no <code>GRANT OPTION</code>. A DB compromise via injection is bounded to those two schemas. | |||
=== SSH + host === | |||
<code>sshd</code> is key-only (<code>PasswordAuthentication no</code>, <code>KbdInteractiveAuthentication no</code>, <code>PermitEmptyPasswords no</code>), <code>PermitRootLogin prohibit-password</code> (root accessible only with an authorized key), <code>MaxAuthTries 6</code>, X11 forwarding off. Modern key exchange algorithms preferred (sntrup761x25519, curve25519); legacy SHA1 MACs left in the list for client compatibility. | |||
UFW is deny-by-default for incoming traffic, allow-all outgoing. The only open ingress ports are 22/tcp, 80/tcp, and 443/tcp. The database, the SMTP relay, and the application cache are all loopback-only. | |||
fail2ban runs five jails: <code>sshd</code>, <code>apache-auth</code>, <code>apache-badbots</code>, <code>mediawiki-auth</code> (matches failed wiki logins by spotting <code>200</code> responses on POSTs to <code>Special:UserLogin</code> / <code>Special:CreateAccount</code> — successful logins redirect <code>302</code>), and <code>web-scanners</code> (matches the usual probe patterns). | |||
=== Secrets and keys on disk === | |||
The high-trust paths and their modes (no values published): | |||
/var/www/mediawiki/LocalSettings.php 640 www-data:www-data | |||
contains: $wgSecretKey, $wgUpgradeKey, $wgDBpassword, | |||
$wgTurnstileSecretKey, $wgSMTP['password'], | |||
$wgPharmacopediaVoteHashSecret, | |||
$wgOAuth2{Private,Public}Key paths | |||
/root/.backup-passphrase 600 root:root (64 bytes random) | |||
/var/lib/mwoauth2/oauth-private.key 600 www-data:www-data (RSA-4096) | |||
/var/lib/mwoauth2/oauth-public.key 644 www-data:www-data | |||
/var/lib/pharmacopedia-adminkeys/ 700 www-data:www-data | |||
master.key (lazy-provisioned on first Mode B owner) 600 www-data:www-data | |||
/etc/exim4/passwd.client 640 root:Debian-exim | |||
/etc/letsencrypt/archive/.../privkey1.pem 600 root:root | |||
/root/.config/rclone/rclone.conf 600 root:root | |||
Public values that are safe to read: | |||
* Cloudflare Turnstile site key: <code>0x4AAAAAADMu_bvOguDp0U52</code> | |||
* Backup target: <code>dropbox:pharmacopedia-backups</code> (Dropbox holds only AES-256-encrypted bundles; the passphrase never leaves the host) | |||
Rotation policy: | |||
* <code>$wgSecretKey</code> is NOT rotated (would invalidate every session and signed-state cookie). | |||
* <code>$wgUpgradeKey</code> rotated 2026-05-22 to 256 bits. | |||
* <code>$wgPharmacopediaVoteHashSecret</code> is intentionally never rotated (rotation invalidates every voter-state mapping, retroactively breaking voter anonymity for existing votes). | |||
* TLS private key rotates on Let's Encrypt renewal (automatic, twice-daily check). | |||
* AdminCrypto Mode B master key + OAuth2 RSA keypair are NOT rotated today; rotation would invalidate existing wrappings + outstanding tokens. Future rotation is overlap-aware (re-wrap under new key, accept either during the cutover window). | |||
=== Application-layer cryptography === | |||
==== Passwords and second factor ==== | |||
MediaWiki passwords are stored as PBKDF2 hashes (MW core default). Verified across every <code>user_password</code> row: HMAC-SHA-512 inner hash, 30,000 iterations, 64-byte derived key, 16-byte random salt per user. The <code>$wgPasswordConfig</code> default is unmodified; bcrypt is available in MW core but not enabled. | |||
Two-factor authentication via the OATHAuth extension. Default module is TOTP per RFC 6238: HMAC-SHA-1 inner, 6 digits, 30-second time-step, 80-bit shared secret. Ten recovery codes per user, each a random 10-character string, hashed at rest, consumed on use. WebAuthn / FIDO2 (passkey) is available in the same extension and is the operator's first-choice path. | |||
==== AdminCrypto ==== | |||
The "Administer to others" subsystem uses a per-owner asymmetric envelope so that respondents can submit results without an account and the owner can decrypt while absent. Implementation (<code>extensions/Pharmacopedia/includes/Assessments/AdminCrypto.php</code>): | |||
Per-owner X25519 keypair generated via <code>sodium_crypto_box_keypair()</code> (libsodium, kernel CSPRNG). The public key is stored in the clear; the secret key is wrapped at rest in <code>pcp_administer_userkey.uk_wrapped_seckey</code> with AES-256-GCM (12-byte fresh IV per call, 16-byte authentication tag, empty AAD; wrapped layout: <code>IV || ciphertext || tag</code>). | |||
Respondent submissions are sealed to the owner's public key via <code>crypto_box_seal</code> (libsodium, anonymous X25519 sender): anyone can encrypt with the public key; only the owner can decrypt with the secret key. | |||
Two key-custody modes: | |||
* '''Mode A (passphrase, zero-knowledge).''' The wrap key for the owner's X25519 secret key derives from a passphrase the server never stores, via Argon2id (libsodium <code>sodium_crypto_pwhash</code> with <code>ARGON2ID13</code>). Two version tracks: v1 uses INTERACTIVE limits (2 ops, 64 MiB memory); v2 uses MODERATE limits (3 ops, 256 MiB memory). The 16-byte salt is stored in <code>uk_kdf_salt</code>; the derivation produces a 32-byte wrap key and a 32-byte verifier (domain-separated SHA-256 of the wrap key). Older-version owners are transparently re-wrapped to the current KDF version on their next successful unlock. ''In Mode A, a database leak alone yields nothing the attacker can decrypt without the owner's passphrase, by design.'' | |||
* '''Mode B (managed key).''' The wrap key is a 32-byte random AES-256-GCM key in <code>/var/lib/pharmacopedia-adminkeys/master.key</code> (mode 600 <code>www-data:www-data</code>), lazy-provisioned on first Mode B owner setup. The directory is excluded from the backup tar by path; a database-plus-backup leak does not yield decryption power, because the master key never enters the backup pipeline. | |||
A separate respondent-readable copy of each submission is encrypted with a key derived from the invite token: <code>respondentKey = SHA-256("pcp-administer-respondent-v1:" || rawToken)</code>. The server never stores this key; the rawToken lives only in the URL handed to the respondent. The token-bearing URL is redacted from access logs (see ''Apache file filters'' above). | |||
==== OAuth 2.0 (iOS app) ==== | |||
The iOS app authenticates against the wiki via the MWOAuth extension. RSA-4096 signing keypair generated 2026-05-22 with <code>openssl genrsa</code>; JWT signing algorithm RS256. Access tokens live 1 hour; refresh tokens 1 month (MWOAuth defaults). PKCE with S256 challenge is REQUIRED for public clients (<code>$wgOAuth2RequireCodeChallengeForPublicClients = true</code>); the iOS bundle never holds a client secret. Tokens are stored at rest in the wiki's session cache keyed by hashed token (the tokens themselves are opaque to the cache row). The browser-to-app handoff goes via a small HTML+JS bridge at <code>https://pharmacopedia.wiki/app/oauth-callback</code> that forwards the authorization code + state to the <code>pharmacopedia://oauth</code> custom URL scheme. | |||
==== Voter anonymity ==== | |||
Every vote stores a HMAC-SHA-256 of the voter's user id, salted with <code>$wgPharmacopediaVoteHashSecret</code> (256 bits, never rotated by policy). The hash is a 64-character hex string in <code>pcp_votes</code> in place of the user id, so an administrator reading the votes table cannot map a vote back to an identity without the secret. The secret lives only in LocalSettings. | |||
=== Backups === | |||
<code>/usr/local/bin/pharmacopedia-backup.sh</code> runs daily at 03:15 local. Every artifact is GPG-symmetric encrypted with AES-256 before it touches the off-host stage: | |||
gpg --batch --yes --symmetric --cipher-algo AES256 | |||
--passphrase-file /root/.backup-passphrase | |||
GPG packet inspection on a current bundle confirms cipher 9 (AES256), S2K mode 3 (iterated and salted), S2K count 65,011,712 iterations, MDC method 2 (modification-detection code present). Local retention is 7 days; off-host (Dropbox via rclone) is 60 days. The passphrase file is 64 bytes random, mode 600 root:root, never transmitted off-host. | |||
The backup tar covers <code>/var/www/mediawiki/images</code>, <code>LocalSettings.php</code>, the Pharmacopedia extension, and local skin assets. The full <code>mediawiki</code> schema is dumped separately to a sibling SQL file (also encrypted). Deliberately excluded by path: the AdminCrypto master key, the OAuth2 RSA private key, the backup passphrase itself, the Gmail SMTP credential, and the Let's Encrypt private key. ''A leak of any single backup bundle does not yield Mode B decryption power, JWT signing power, or further off-host backup decryption — those keys live elsewhere on the host and are not in the bundle.'' | |||
=== Logging + audit === | |||
Apache access/error logs and the MediaWiki exception / error / dberror / fatal logs all rotate daily and retain 14 days, then delete. Log files are <code>640 root:adm</code> (Apache) and <code>640 www-data:adm</code> (MW); the world-readable mode that existed prior to 2026-05-22 was tightened in the same audit pass that hardened the rest of the host. | |||
MW exception logs live at <code>/var/log/mediawiki/{exception,error,dberror,fatal}.log</code>. The <code>pcp_visibility_view_log</code> table records every permitted view through a share rule (rule type, viewer, timestamp); the table stores raw IP for anonymous viewers (no /24 mask today — a feature gap, not a privacy claim). | |||
=== Abuse protection === | |||
* Cloudflare Turnstile gates account creation, repeated failed logins, URL-bearing edits, and email-sending. Editors are not challenged on normal edits (a deliberate friction trade-off). | |||
* The AbuseFilter extension is installed and configured; the active-rule set is small today and the lane will grow as live-fire patterns emerge. | |||
* Every file or image upload is scanned by ClamAV before the file moves into the persistent store. The scanner is run via <code>clamdscan</code> (persistent daemon, fast) with a fallback to <code>clamscan</code>. The gate is fail-closed: exit 0 = clean (proceed), exit 1 = infected (reject + unlink), any other exit = error (reject + unlink). A scanner crash never becomes a pass. | |||
* fail2ban (see ''SSH + host'' above) bans abusive IPs at the network layer. | |||
* No CDN or DDoS mitigation layer sits in front; a determined volumetric attacker can degrade availability. We do not claim 24/7 uptime. | |||
=== Honest limitations === | |||
The posture above is reasonable for a single-operator project that handles personal data; it is not pretending to be anything else. | |||
* '''Single point of failure.''' Host-root compromise yields AdminCrypto Mode B decryption, OAuth2 JWT signing, backup decryption (via the passphrase file), and outbound email impersonation. Defense-in-depth lives in per-key file separation + filesystem perms + open_basedir, but a root-on-host attacker who clears each gate gets everything. | |||
* '''Backup-lag on deletion.''' When a user requests deletion, the live row is purged; encrypted backups containing the deleted data roll off naturally over their retention window (up to 60 days off-host). Disclosed in About:Privacy. | |||
* '''No CDN, no DDoS layer.''' One VM, three open ports, UFW + fail2ban. Hostile traffic can take the site down; it cannot exfiltrate. | |||
* '''Some application-layer key rotation is "never" by design.''' The voter-hash secret and the AdminCrypto Mode B master key cannot rotate without breaking either anonymity or existing wrappings respectively. Loss of either key has the obvious one-time consequence; trading that off against the alternative (re-encrypt every historical record) was the deliberate choice. | |||
* '''Two enabled AbuseFilter rules.''' The pipeline is in place; the rule set is small. Honest signal: this is plumbing for future use, not active filtering today. | |||
* '''The perspective-invite token is cleartext at rest in <code>pcp_perspective_invite.pvi_token</code>.''' Hash-on-store migration is queued (interface-claude + parser-claude lane). Severity: an attacker with DB read can submit a perspective under a planted invite identity; not access to medical data. | |||
=== Security researchers welcome === | |||
I'm a long-term privacy hobbyist, but new at building real infrastructure. I'm trying my best and honestly it seems world-class good to me (and claude), but if it's not. I need to know ASAP. | |||
If you find anything worth flagging — vulnerability, weakness, design concern, or just an observation — email [mailto:info@pharmacopedia.wiki me] directly. No bug-bounty program; just genuine appreciation for the time and the love of [https://markelliottmd.com/pubkey.asc pretty darn good privacy]. No NDA, no scope restriction, no preferred-disclosure-window. Reach out for any reason. | |||
== Skins, layout, and the Appearance rail == | == Skins, layout, and the Appearance rail == | ||