4. Software stack
Client backend: C++ (14!) with Botan
GUI: Qt WebView + HTML, CSS, JavaScript, React
Server backend: Go
Scripts: Python3
5. But we use HTTPS!
HTTPS alone won’t save you (especially if you don’t check the certificates)
A virus can patch the client to bypass the certificate verification, or even send the data to another server, so we need to make sure the client executables are not compromised.
6. Application stores to the rescue!
Our client binaries are signed, so as soon as you change something in the executable, the operating system will notice :)
On Linux we can sign with a GPG key, for instance.
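An added illustration of the signing idea above (not Tanker’s code, and using Ed25519 from Go’s standard library instead of GPG so it runs offline): the release is signed over its SHA-256 digest, and a single patched byte in the binary, or a signature from a different key, fails verification. The binary contents and the "release signature" record are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseSignature is the record that ships next to the client binary
// (constructed layout for this example: digest plus signature over it).
type ReleaseSignature struct {
	Digest []byte // SHA-256 of the binary as it was signed
	Sig    []byte // Ed25519 signature over Digest
}

// GenerateSigningKey would run once on the air-gapped signing machine.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRelease runs on the signing machine: hash the binary, sign the hash.
func SignRelease(priv ed25519.PrivateKey, binary []byte) ReleaseSignature {
	d := sha256.Sum256(binary)
	return ReleaseSignature{Digest: d[:], Sig: ed25519.Sign(priv, d[:])}
}

// VerifyRelease runs on the user's machine before the binary is trusted:
// recompute the digest, compare it, then check the signature over it.
func VerifyRelease(pub ed25519.PublicKey, binary []byte, rs ReleaseSignature) bool {
	d := sha256.Sum256(binary)
	if !bytes.Equal(d[:], rs.Digest) {
		return false // binary changed since it was signed
	}
	return ed25519.Verify(pub, rs.Digest, rs.Sig)
}

// Tamper flips one byte in a copy, standing in for a patched executable.
func Tamper(binary []byte) []byte {
	out := append([]byte(nil), binary...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	pub, priv := GenerateSigningKey()
	binary := []byte("constructed stand-in for the client executable") // constructed
	rs := SignRelease(priv, binary)
	fmt.Println("genuine verifies:", VerifyRelease(pub, binary, rs))         // true
	fmt.Println("patched verifies:", VerifyRelease(pub, Tamper(binary), rs)) // false
}
```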
7. Tanker secrets
Keep your secrets (in a) safe
We have a few secrets to keep safe here at Tanker.
Signing keys for Windows and Mac (this is required when you have an “official” Dropbox application such as ours)
Private ssh keys (stored on a USB drive)
….
8. The Hardware Security Module and the Air Gap
Keep your secrets (in a) safe
Lots of fancy words for a very simple idea:
The hardware that contains the “secret” files (aka the HSM) is never connected to any network.
And so, we put the HSM in a safe (a real one!)
The safe has a key and a password
9. Open or closed?
Keep your secrets (in a) safe
When everyone has left the office, should the safe be opened or closed?
10. Open or closed?
Keep your secrets (in a) safe
During office hours, should the safe be opened or closed?
11. What happens when the safe is always closed
Keep your secrets (in a) safe
You have to type the password and use the key over and over again
You might forget to put stuff back in when you leave the office
12. What happens when the safe is opened during office hours
Keep your secrets (in a) safe
You only have to enter the password once per day (by the way, this is how sudo and ssh-agent work)
You are less likely to forget to close it when you leave
You see the contents of the safe, so you are less likely to leave secrets outside, unprotected
13. One last hack
Keep your secrets (in a) safe
The key to the office door is placed right in front of the safe’s door
Same thing: you are less likely to forget to close the door when you leave
14. Parting words
Keep your secrets (in a) safe
We’re hiring!
https://app.tanker.io/rabbit/
https://www.linkedin.com/company/tankerapp
Follow us on twitter: @Tanker_Security