Security/Reviews/BrowserIDCAPI

Items to be reviewed

https://github.com/ozten/sasl-browserid

Introduce Feature

• Overview Diagram -- https://github.com/ozten/mozillians/blob/browserid/docs/browserid.rst

https://bugzilla.mozilla.org/show_bug.cgi?id=684085

• https://github.com/ozten/sasl-browserid/blob/master/plugins/verifier.c#L101

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

• code is a SASL extension for OpenLDAP to allow an LDAP server to function as an intermediary between an LDAP consuming relying party and an Identity Authority (in this case, BrowserID.org)

What solutions/approaches were considered other than the proposed solution?

• Putting BID auth flow in Django
• BID proxy daemon (very thin plugin)
• Implementing verification locally
• Session store in Django, hashing in Django
• storing hash of assertion in cookie, instead of entire assertion

Why was this solution chosen?

• Works with OpenLDAP ACL (security in depth)
• Balances amount of C code with deployment complexity

Any security threats already considered in the design and why?=

• Buffer overflow
• session cache attack (?)

Threat Brainstorming

• django to open-ldap is across the network
• is the SASL client plugin exposed externally at all ? ie is it only django itself that can call into it, there's no exposure via direct URL's ?
  • you could potentially pass bad email address to django which forwards to the plugin
  • urls like /login and /register potentially - entry points are limited to the web forms that talk to the plugin, there shouldn't be any direct access
• using SSL in the plugins
  • https://github.com/ozten/sasl-browserid/blob/master/plugins/verifier.c#L101
    • I think option should be changed to CURLUSESSL_ALL instead of CURLUSESSL_TRY
    • http://curl.haxx.se/libcurl/c/curl_easy_setopt.html (SSL and and SECURITY OPTIONS)
  • verifying that the plugin is really talking to the real browserid.org
  • verify that SSL cert verification is enabled for the plugins
• signing of the cookie is done by django (django provided Signed Cookies)
  • username/password is stored in the cookie
  • this will be replaced with a browser ID assertion

Conclusions / Action Items

• [dchan] Code Review
  • may be constrained by goals implementation
• [possible?] fuzzing
• need secure SASL dev expertise
  • Cyrus Daboo, Howard Chu - SASL experts - may lead to consultants?
• [ozten] Vagrant VM