chore: update security docs (#163)
filfreire authored Oct 19, 2023
1 parent 106a92b commit 7293757
Showing 4 changed files with 71 additions and 57 deletions.
56 changes: 34 additions & 22 deletions docs/insomnia/analytics-collected.md
Expand Up @@ -5,33 +5,45 @@ category: Security
category-url: security
---

When you first download Insomnia, you were asked if you wanted to send analytics data to the Insomnia team about your Insomnia Apps performance and your behavior in the app. This article is a description of what analytics are collected and sent.
If you are logged into your Insomnia account or if you have not opted out of analytics in the desktop application, we collect information about your usage. If you use the Insomnia desktop application without an account, we provide you with the choice to opt out to avoid sending us this information in the desktop application user interface.

You can edit your preference on sharing analytics data with Insomnia via the Insomnia app Preference Page by scrolling down to the **Network Activity** section and checking or unchecking the box next to **Send Usage Statistics**
We collect usage analytics to evaluate user behavior for the purpose of guiding product decisions.

# Error Data Collection
When you opt-in to the collection of analytics, the Insomnia app will send anonymized action event data to Kong that may later be used to evaluate user behavior for the purpose of guiding product decisions.
If you use the application without an Insomnia account, you can edit your preference on sharing analytics data with Insomnia via the Insomnia app Preference Page by scrolling down to the **Network Activity** section and checking or unchecking the box next to **Send Usage Statistics**.

This is the format of the JSON data body for a sent event:
If you are logged into your Insomnia account, or if you are using the Insomnia application without an account and have not opted out of collection, this is the format of the JSON data body for a sent event:

```
```json
{
"anonymousId": "device-specific-UUID-here",
"anonymousId": "device-Specific-UUID-here",
"context": {
"app": {
"name": "Insomnia",
"version": "2022.6.0"
},
"library": {
"name": "analytics-node",
"version": "6.2.0"
},
"os": {
"name": "mac",
"version": "12.2.0"
}
"app": {
"name": "Insomnia",
"version": "8.2.0"
},
"library": {
"name": "@segment/analytics-node",
"version": "1.0.0"
},
"os": {
"name": "mac",
"version": "14.0.0"
}
},
"event": event_name,
"event": "Request Executed",
"integrations": {},
}
```
"messageId": "node-next-message-specific-id-here",
"originalTimestamp": "2023-10-10T09:57:53.346Z",
"properties": {
"mimeType": "application/json",
"preferredHttpVersion": "default"
},
"receivedAt": "2023-10-10T09:58:05.056Z",
"sentAt": null,
"timestamp": "2023-10-10T09:57:53.346Z",
"type": "track",
"writeKey": "REDACTED"
}
```

Please also see our [Privacy Policy](https://insomnia.rest/privacy) for information about personal data we process in connection with Insomnia products and services.
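
Review bot: In the new JSON sample, `receivedAt` carries a later time than `timestamp` and `sentAt` is `null`, which reads like a record captured after receipt rather than the body the desktop app sends, yet the sentence introducing the block calls it "the format of the JSON data body for a sent event". Either trim the sample to the fields the client emits or state which fields are added on receipt. The sample also shows the `properties` of only one event, `Request Executed`; listing the event names and property keys that can be sent would let readers check what is collected. The `anonymousId` placeholder also changed case to `device-Specific-UUID-here`, which looks unintended.
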
62 changes: 32 additions & 30 deletions docs/insomnia/security-features.md
@@ -1,80 +1,82 @@
---
layout: article-detail
title: Key Security Features
title: Key Security Data Features
category: Security
category-url: security
---

When signing up for Insomnia Sync, you gain access to end-to-end encrypted data sync. Simply sign into your account and your data will be there, seamlessly synced across all of your (and optionally your teams) devices.
When you create an Insomnia account, you gain access to end-to-end encrypted project data sync. Simply sign into your account and your data will be there, seamlessly synced across all of your (and optionally your teams') devices.

Insomnia believes that it is your right to know how your sensitive data is transported and handled, so this document is an effort to explain exactly how it works.
Insomnia believes that it is your right to know how your sensitive project data is transported and handled, so this document is an effort to explain exactly how it works.

If you find that any part of this document is incorrect, missing, or wrong, please dont hesitate to reach out.
If you find that any part of this document is incorrect, missing, or wrong, please don't hesitate to reach out.

## Key Security Features
## Key Security Data Features

This section gives a high level overview of Insomnia paid plans security. If you read anything in this document, it should be this section.
This section gives a high level overview of Insomnia project data sync security. If you read anything in this document, it should be this section.

### What End-To-End encryption means

E2EE means that all encryption keys are generated locally, all encryption is performed before sending any data over the network, and all decryption is performed after receiving data from the network. At no point in the sync process can the Insomnia servers, or an intruder read or access sensitive application data.
E2EE means that all encryption keys are generated locally, all encryption is performed before sending any data over the network, and all decryption is performed after receiving data from the network. At no point in the sync process can the Insomnia servers, or an intruder read or access sensitive application project data.

### Not even Insomnia can access your data
## What is project data?

Insomnia never sends unencrypted data or keys that can be used to decrypt data to the server. This means that neither Insomnia, network spies, or server hackers can gain access to your sensitive data. You can rest assured that your data is safe on your machine.
Project data are your API design specifications, collections, tests and other files that you choose to share with others in your organization through Insomnia's hosted data synchronization service.

Please note that the Insomnia service may provide you the ability to develop tests for your API design specifications, as well as other functionality, using artificial intelligence tools. Data you provide to use these AI tools are not end-to-end encrypted and so this document does not apply to such data.

### Encryption algorithms we use

All data is encrypted using randomly generated 256 bit symmetric keys for use with AES-GCM-256 (Galois Counter Mode).

### Passwords cannot be reset
### Resetting Passphrases

Losing your passphrase means losing the ability to decrypt your account keys. If you lose your passphrase there is no way to access your project data that is not stored by you locally, and there is nothing Insomnia can do to help apart from resetting your passphrase as well as your account.

Losing your password means losing the ability to decrypt your account keys. If you lose your password there is no way to access your data, and there is nothing Insomnia can do to help apart from resetting your account. You can change your password but you need a copy of your old one to do so.
You can reset your passphrase through the "Forgot your Passphrase" flow. Once you go through the "Forgot your Passphrase" flow and define a new passphrase, you'll lose access to your previous encrypted project data. If you have been invited to collaborate with other organizations, you can reset your passphrase and then ask to be invited back. You will only be able to retrieve data for the organizations that you are invited back to. If you have shared your personal organizations or project data, you can ask other users with Admin permissions to also re-invite you after resetting the passphrase.

### Unencrypted Fields

By default, resources within the application are fully encrypted before being sent to the server. However, both id and name of each resource are attached in plaintext before uploading.
By default, project data resources within the Insomnia application are fully encrypted before being sent to the server. However, both id and name of each resource are attached in plaintext before uploading.

### Local data is not encrypted on disk

Insomnia currently stores application data on disk in raw form. E2EE only applies to data that is transmitted over the network. It is still possible for malicious software to access the application data stored on your machine. Please take the usual precautions to keep your local data safe.
Insomnia currently stores application project data locally on disk in raw form. E2EE only applies to project data that is transmitted over the network. It is still possible for malicious software to access the project data stored on your machine. Please take the usual precautions to keep your local project data safe.

## Useful Definitions

Here are definitions for the common things that will be talked about.


### Data Models

The following are data models we use.

{:.table .table-striped}
Data Model | Definition
---------- | ---------
`M_Account` | A user that can log in
`M_Resource` | An entity that can be synced (eg. Request, Workspace, etc.)
`M_ResourceGroup` | A group of M_Resource that can be shared as one
`M_Account` | A user that can log in
`M_Resource` | An entity that can be synced (eg. Request, Workspace, etc.)
`M_ResourceGroup` | A group of M_Resource that can be shared as one
`M_Link` | A relationship linking a M_Account to M_ResourceGroup


### Keys and Salts

The following are keys and salts we use.

{:.table .table-striped}
Name | Description | Stored?
Name | Description | Stored?
----- | ------ | -----
`PUB_Account` | Public key for M_Account | Yes
`PRV_Account` | Private key for M_Account | Yes 🔒
`SYM_Account` | Symmetric key for M_Account | Yes 🔒
`SYM_ResourceGroup` | Symmetric Key for data encryption | No
`SYM_Link` | Encrypted form of SYM_ResourceGroup | Yes 🔒
`SLT_Auth_1` | Salt for PBKDF2 of password for auth | Yes
`SLT_Auth_2` | Salt for SRP authentication process | Yes
`SLT_Enc` | Salt for PBKDF2 of password for encryption | Yes
`SEC_PWD_Auth` | Secret derived from password using SLT_Auth_1 | No
`SEC_PWD_Enc` | Secret derived from password using SLT_Enc | No
`SRP_Verifier` | Verification string used for SRP | Yes
`PUB_Account` | Public key for M_Account | Yes
`PRV_Account` | Private key for M_Account | Yes 🔒
`SYM_Account` | Symmetric key for M_Account | Yes 🔒
`SYM_ResourceGroup` | Symmetric Key for data encryption | No
`SYM_Link` | Encrypted form of SYM_ResourceGroup | Yes 🔒
`SLT_Auth_1` | Salt for PBKDF2 of password for auth | Yes
`SLT_Auth_2` | Salt for SRP authentication process | Yes
`SLT_Enc` | Salt for PBKDF2 of password for encryption | Yes
`SEC_PWD_Auth` | Secret derived from password using SLT_Auth_1 | No
`SEC_PWD_Enc` | Secret derived from password using SLT_Enc | No
`SRP_Verifier` | Verification string used for SRP | Yes

{:.alert .alert-primary}
**Note**: `SYM_Link` and `SYM_ResourceGroup` are essentially the same thing, but are defined separately for the purpose of discussion. This will become clear later on.
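
Review bot: The added heading `## What is project data?` is level 2 but sits among the `###` subsections of `## Key Security Data Features`, so `### Encryption algorithms we use` and every subsection after it now nest under it; make it `###` or move it ahead of the features section. The prose in this hunk moves from "password" to "passphrase", but the Keys and Salts rows rewritten here (`SLT_Auth_1`, `SLT_Enc`, `SEC_PWD_Auth`, `SEC_PWD_Enc`) still say "password"; align the table with the new term so readers do not take them for two different secrets.
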
6 changes: 3 additions & 3 deletions docs/insomnia/security-standards.md
Expand Up @@ -31,16 +31,16 @@ Not at the moment.

**How often do you release major updates, and or security patches?**

* Major updates are usually released once a month, or every two weeks depending on the scope.
* We regularly update the Insomnia desktop application.
* Security, and hotfix patches are handled on a case-by-case basis and can occur at any time.

**Do you retain server logs, or event logs?**

* All server logs stored, are kept within GCP, and only accessed by engineers authorized to manage the Insomnia servers.
* All server logs stored are kept within GCP and only accessed by engineers authorized to manage the Insomnia servers.

**Do you maintain documentation when an incident/event occurs?**

* When an incident occurs, we perform an internal post-mortem and delegate information accordingly. Either through the site in the form of a blog post, or through social media/support on a case-by-case basis.
* When an incident occurs, we perform an internal post-mortem and disseminate information accordingly, either through the site in the form of a blog post, or through social media/support on a case-by-case basis.

**In case of a breach, do you notify customers?**
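
Review bot: The replacement bullet "We regularly update the Insomnia desktop application." no longer answers the question it sits under, "How often do you release major updates, and or security patches?", because the stated cadence ("once a month, or every two weeks depending on the scope") was dropped without a substitute. If the cadence is no longer fixed, say so explicitly in the bullet, or point to where releases are announced.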

4 changes: 2 additions & 2 deletions docs/insomnia/signup-and-auth.md
Expand Up @@ -5,7 +5,7 @@ category: Security
category-url: security
---

Since the password you choose at registration time is used during the encryption process (although indirectly), it's vital that it's never sent or stored on the server in an easily crackable form. To help with this goal, Insomnia uses the [Secure Remote Passwords (SRP)](http://srp.stanford.edu/) encrypted key exchange protocol.
Since the passphrase you choose at registration time is used during the encryption process (although indirectly), it's vital that it's never sent or stored on the server in an easily crackable form. To help with this goal, Insomnia uses the [Secure Remote Passwords (SRP)](http://srp.stanford.edu/) encrypted key exchange protocol.

You can read more about the exact SRP implementation that Insomnia paid plans use in [RFC-2945](https://datatracker.ietf.org/doc/html/rfc2945).
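
Review bot: The context line directly after the changed paragraph still reads "the exact SRP implementation that Insomnia paid plans use", while the security-features.md hunk in this commit replaces "Insomnia paid plans security" with "Insomnia project data sync security"; update this sentence the same way so the two pages describe the same scope.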

Expand Down Expand Up @@ -38,4 +38,4 @@ These are the steps taken on the client during login.
2. Use `SLT_Auth_2` to perform SRP exchange
3. Store SRP-generated `K` locally to use as session key

Now that we know how signup and authentication are performed, we can talk about data encryption.
Now that we know how signup and authentication are performed, we can talk about data encryption.

1 comment on commit 7293757

@vercel vercel bot commented on 7293757 Oct 19, 2023

Successfully deployed to the following URLs:

insomnia-docs – ./

insomnia-docs-git-main-green-rs.vercel.app
insomnia-docs-three.vercel.app
insomnia-docs-green-rs.vercel.app
