Attacks
TODO: This should be expanded to a proper attack tree.
To obtain a root shell, an attacker would have to achieve one of these goals (list is non-exhaustive):
- (somehow) steal TLS secrets and impersonate `tere-server`
- (somehow) gain a false TLS certificate for the domain name
- make `tere-server` run arbitrary code, and wait for the next admin connection
- make `tere-server` run arbitrary code, and attach/hijack an existing admin connection (in-process TLS or HTTP/2 only, otherwise the connection is no longer visible to `tere-server`)
- convince `tere-policy@` of incorrect authentication (as spoken to through `tere-user@`'s limited protocol)
- convince `tere-policy@` of incorrect authorization (as spoken to through `tere-user@` and `tere-policy@`, bound to a successfully authenticated username)
Our insistence on WebAuthn should mean phishing is not a viable attack.
And so on.