1.4.1 Security audit and analysis
As part of the NLNet project, a security audit will be run against madada to help identify potential security issues.
This ticket tracks the preparation and support for this audit.
Security audit briefing
MaDada helps users send Access to Information requests to public bodies in France. The site is freely available to anyone interested. There is no payment, but we require manual approval before granting a user a "pro/MaDada++" account. When a user posts a request on the site, we email the corresponding public body from a per-request "magic email" address, so that the body can reply and its reply is routed back to the original request. The content of such exchanges is made public, unless the request was embargoed by its author (an embargo is set for a period of up to 1 year, renewable; when the embargo period expires, the content becomes public).
Threat model
Access to confidential information
While the aim of the site is to make as much data as possible open, there is still some data that must stay confidential:
- users' personal information provided during sign-up. In particular, their personal email addresses are not meant to be shared with anyone.
- the content of embargoed requests. Such requests are only visible to their author until the embargo period expires; beyond the fact that the request exists, no specific information should be available to non-authors.
- censored data: the site applies censor rules to sensitive data as directed by admins. Items such as phone numbers, private email addresses and some names are redacted when the site renders pages.
The main risk from our point of view is this data being accessed without authorisation.
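The two access-control points above (embargo visibility and admin-defined censor rules applied at render time) are shown below as an added, illustrative example; this is not MaDada's or Alaveteli's own implementation, and the names `Request`, `CensorRule`, `can_view`, `render` and the sample request, dates and rules are assumptions constructed for the demonstration.

```python
"""Added example: embargo visibility and censor-rule redaction as described in the
briefing. Illustrative code, not MaDada's own; names and sample data are assumed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_EMBARGO = timedelta(days=365)   # an embargo runs for up to 1 year, renewable


@dataclass
class Request:
    author: str
    body: str
    embargo_until: Optional[date] = None   # None: no embargo, content is public

    def set_embargo(self, start: date, duration: timedelta) -> None:
        # Clamp to the one-year maximum; a renewal is simply another call.
        self.embargo_until = start + min(duration, MAX_EMBARGO)


def can_view(req: Request, viewer: Optional[str], today: date) -> bool:
    """Only the author may read an embargoed request until the embargo expires."""
    if req.embargo_until is None or today >= req.embargo_until:
        return True
    return viewer is not None and viewer == req.author


@dataclass
class CensorRule:
    pattern: str                      # literal text or a regex chosen by an admin
    replacement: str = "[redacted]"
    regexp: bool = False

    def apply(self, text: str) -> str:
        if self.regexp:
            return re.sub(self.pattern, self.replacement, text)
        return text.replace(self.pattern, self.replacement)


def redact(text: str, rules: List[CensorRule]) -> str:
    """Apply every rule; rules are applied to all rendered text, not just the body."""
    for rule in rules:
        text = rule.apply(text)
    return text


def render(req: Request, viewer: Optional[str], today: date,
           rules: List[CensorRule]) -> dict:
    """What a page shows: existence is always visible, content only when allowed,
    and every shown string passes through the censor rules."""
    if not can_view(req, viewer, today):
        return {"exists": True, "body": None}
    return {"exists": True, "body": redact(req.body, rules)}


# Constructed sample data (not real requests or rules).
SAMPLE_FILED = date(2024, 1, 15)
SAMPLE_DURING = date(2024, 6, 1)     # inside the embargo
SAMPLE_AFTER = date(2025, 2, 1)      # after the one-year maximum has elapsed

SAMPLE_RULES = [
    # French 10-digit phone numbers written with optional spaces or dots.
    CensorRule(r"\b0\d(?:[ .]?\d{2}){4}\b", regexp=True),
    # A literal rule, as an admin would add for one private address.
    CensorRule("alice@example.org"),
]


def sample_request() -> Request:
    req = Request(author="alice",
                  body="Contact me on 06 12 34 56 78 or alice@example.org")
    req.set_embargo(SAMPLE_FILED, timedelta(days=500))  # clamped to 365 days
    return req


if __name__ == "__main__":
    print(render(sample_request(), "bob", SAMPLE_DURING, SAMPLE_RULES))
    print(render(sample_request(), "alice", SAMPLE_DURING, SAMPLE_RULES))
    print(render(sample_request(), None, SAMPLE_AFTER, SAMPLE_RULES))
```

The point a reviewer would check against the real site is the one `render` makes explicit: the embargo decision and the redaction must sit on every output path (HTML pages, JSON or feeds, search results, attachment downloads), since a single channel that bypasses them leaks exactly the data this section says must stay confidential.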
Vandalism
A secondary risk is vandalism, in the form of modifying publicly visible data or posting abusive requests.
Email server abuse
Our email server is central to the site's proper functioning. It is critical for us that our server stays up and is not abused, for instance to send spam, which would make it harder for our legitimate emails to reach their destination.
Testing possibilities
The main/production server runs at https://madada.fr. A staging replica is available at https://dadastaging.okfn.fr; the staging server should be preferred for any testing that might be destructive. There are some configuration differences from the main server, particularly around DNS and email setup.
Secrets management
The deployment is done from GitLab CI. Some secrets are stored in the CI's environment variables, but most are in the Ansible vault files stored in this repository.
Open source config
As all our configuration (in this repo) and our deployment logs are public, information that would be best kept secret might leak out.
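For the "Secrets management" and "Open source config" points, the added example below is the kind of check a CI job can run before a push: it verifies that every Ansible vault file in the repository is actually encrypted, that no plaintext secret-looking value sits in ordinary config, and that a deployment log does not echo a known secret value. This is illustrative code, not MaDada's own tooling; the file layout, key names, the `vault`-in-filename convention and all sample values are assumptions constructed for the demonstration.

```python
"""Added example: repository and deployment-log hygiene checks for Ansible
vault secrets. Illustrative code, not MaDada's tooling; layout and values assumed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

VAULT_HEADER = "$ANSIBLE_VAULT;"
# Assumed convention: any file whose name contains "vault" must be fully encrypted.
VAULT_NAME = re.compile(r"(^|[_.-])vault([_.-]|$)", re.IGNORECASE)
# YAML keys whose plaintext value should never be committed.
SECRET_KEY = re.compile(
    r"^\s*(?P<key>\w*(password|secret|token|api_key)\w*)\s*:\s*(?P<val>\S.*)$",
    re.IGNORECASE,
)


def is_vault_encrypted(text: str) -> bool:
    return text.startswith(VAULT_HEADER)


def check_file(path: Path, root: Path) -> List[str]:
    """Return findings for one file, with paths relative to the repo root."""
    rel = path.relative_to(root).as_posix()
    text = path.read_text(errors="replace")
    if VAULT_NAME.search(path.name) and not is_vault_encrypted(text):
        return [f"{rel}: vault file is not encrypted"]
    if is_vault_encrypted(text):
        return []  # ciphertext: nothing more to inspect
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if not m:
            continue
        val = m.group("val").strip().strip("\"'")
        # Inline vault blobs and Jinja references to vault variables are fine.
        if val.startswith("!vault") or val.startswith("{{"):
            continue
        findings.append(f"{rel}:{n}: plaintext value for {m.group('key')}")
    return findings


def check_tree(root: Path) -> List[str]:
    """Walk the repository (skipping .git) and collect all findings, sorted."""
    return sorted(
        finding
        for p in root.rglob("*")
        if p.is_file() and ".git" not in p.parts
        for finding in check_file(p, root)
    )


def find_leaked_values(log_text: str, secrets: Dict[str, str]) -> List[str]:
    """Names of secrets whose value appears verbatim in a (public) deployment log."""
    return sorted(name for name, value in secrets.items() if value and value in log_text)


# Constructed sample repository, secrets and log (not real MaDada config).
SAMPLE_FILES = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465663031\n",
    "group_vars/all/vars.yml": (
        "db_password: \"{{ vault_db_password }}\"\n"
        "smtp_password: hunter2-s3cr3t\n"
        "site_name: madada\n"
    ),
    "host_vars/web/vault_mail.yml": "mail_api_key: plain-text-key\n",
    "roles/web/vars/main.yml": "api_token: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3031\n",
}
SAMPLE_SECRETS = {"smtp_password": "hunter2-s3cr3t",
                  "db_password": "correct-horse-battery"}
SAMPLE_LOG = (
    "TASK [mail : configure postfix]\n"
    "ok: [web] => {\"msg\": \"relay password set to hunter2-s3cr3t\"}\n"
    "TASK [db : create user]\n"
    "changed: [db] => {\"msg\": \"user created\"}\n"
)


def run_demo() -> List[str]:
    """Write the sample repo to a temp dir and return the repository findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return check_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print("repo:", f)
    for name in find_leaked_values(SAMPLE_LOG, SAMPLE_SECRETS):
        print("log leaks value of:", name)
```

The log check only works where the CI job has the decrypted values at hand (it does, at deploy time), so the natural place for it is the end of the deployment job, failing the pipeline before the log is published; the repository check belongs in a pre-commit hook or an early CI stage.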
Software used
See comments below