Security/Reviews/BrowserIDCAPI

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Items to be reviewed

https://github.com/ozten/sasl-browserid

Introduce Feature

Overview Diagram -- https://github.com/ozten/mozillians/blob/browserid/docs/browserid.rst

https://bugzilla.mozilla.org/show_bug.cgi?id=684085

https://github.com/ozten/sasl-browserid/blob/master/plugins/verifier.c#L101

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

code is a SASL extension for OpenLDAP to allow an LDAP server to function as an intermediary between an LDAP consuming relying party and an Identity Authority (in this case, BrowserID.org)

What solutions/approaches were considered other than the proposed solution?

Putting BID auth flow in Django
BID proxy daemon (very thin plugin)
Implementing verification locally
Session store in Django, hashing in Django
storing hash of assertion in cookie, instead of entire assertion

Why was this solution chosen?

Works with OpenLDAP ACL (security in depth)
Balances amount of C code with deployment complexity

Any security threats already considered in the design and why?=

Buffer overflow
session cache attack (?)

Threat Brainstorming

django to open-ldap is across the network
is the SASL client plugin exposed externally at all ? ie is it only django itself that can call into it, there's no exposure via direct URL's ?
- you could potentially pass bad email address to django which forwards to the plugin
- urls like /login and /register potentially - entry points are limited to the web forms that talk to the plugin, there shouldn't be any direct access
using SSL in the plugins
- https://github.com/ozten/sasl-browserid/blob/master/plugins/verifier.c#L101
  - I think option should be changed to CURLUSESSL_ALL instead of CURLUSESSL_TRY
  - http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (SSL and and SECURITY OPTIONS)
- verifying that the plugin is really talking to the real browserid.org
- verify that SSL cert verification is enabled for the plugins
signing of the cookie is done by django (django provided Signed Cookies)
- username/password is stored in the cookie
- this will be replaced with a browser ID assertion

Conclusions / Action Items

[dchan] Code Review
- may be constrained by goals implementation
[possible?] fuzzing
need secure SASL dev expertise
- Cyrus Daboo, Howard Chu - SASL experts - may lead to consultants?
[ozten] Vagrant VM

Security/Reviews/BrowserIDCAPI

Contents

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

Any security threats already considered in the design and why?=

Threat Brainstorming

Conclusions / Action Items

Navigation menu

Security/Reviews/BrowserIDCAPI

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

Any security threats already considered in the design and why?=

Threat Brainstorming

Conclusions / Action Items

Navigation menu

Search