Log in or register

Security

This page outlines the security measures and cryptographic design principles implemented within profile.rocks to ensure data integrity and user privacy.

Authentication Flow

profile.rocks employs a hybrid stateful/stateless design for One-Time Password (OTP) management. By using envelope encryption, the server avoids storing sensitive credentials directly, instead maintaining only opaque random IDs to track session progress.

The Process:

  1. Token Generation: When an OTP is created, its metadata (credential, expiry, attempts...) is compressed and appended to an encrypted list (one entry per credential). The server utilizes envelope encryption featuring AES-256-KW for the Key Encryption Key (KEK) and AES-256-GCM for the Data Encryption Key (DEK).
  2. Client-side storage: The encrypted list is delivered to the client via a secure, HttpOnly cookie. To prevent CSRF (Cross-Site Request Forgery), the cookie is strictly scoped using the SameSite=Strict attribute.
  3. Server-side mapping: A unique, random ID is generated on the server and linked to the encrypted list to track the specific verification session without exposing underlying data.
  4. Verification: When the client submits an OTP, the encrypted list is returned to the server. The server decrypts the list, validates the specific credential, and rotates the session ID to prevent replay attacks.

Key Management: KEKs are randomly generated, automatically rotated and encrypted at rest.

Session Management

Similar to the authentication mechanism, active user sessions are secured using envelope encryption with AES-256-KW (KEK) and AES-256-GCM (DEK) and stored in HttpOnly secure cookies.

While these cookies use SameSite=Lax to balance security with user experience, the application architecture inherently mitigatesCSRF risks by using other methods rather than GET.

Payment Security

profile.rocks relies on Polar to handle all payment processing. Polar is an open source and secure Merchant of Record that uses Stripe's infrastructure.

profile.rocks does not store or process any payment information, those operations remain entirely within Stripe's PCI DSS compliant environment.

Reporting a Vulnerability

If you discover a security vulnerability in profile.rocks, please report it privately first by sending an email to [email protected] or by creating a security advisory in one of the profile.rocks GitHub repositories.

You will receive an acknowledgment as soon as possible, and we will work together to verify and address the issue.