Security/Reviews/PersonaRealms


Item Reviewed

Persona Realms SSO
Target


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Realms are the Persona way to log into a group of sites with a single login event. If you log in at webmaker.org and then follow the link to thimble.webmaker.org, realms let the user be logged in there automatically as well.

  1. API

RPs signal that they are part of a realm by adding a parameter to their invocation of navigator.id.watch(). The parameter must be a bare hostname; the scheme is assumed to be HTTPS.

 navigator.id.watch({
   realm: 'webmaker.org'
 });

The Persona service then fetches the realm's browserid-realm well-known file over HTTPS and checks whether the requesting site (the RP's origin) is listed in it.

 GET https://webmaker.org/.well-known/browserid-realm
 {
   "realm": ["https://webmaker.org", "https://thimble.webmaker.org", "https://popcorn.webmaker.org", "http://foo.com"]
 }

If the site is found in the list defined by the realm file, we set a flag recording that the user is logged_in on the realm as well. When the user later visits thimble.webmaker.org and it calls navigator.id.watch() with the same realm property, we again verify that the requesting site is part of the realm, see that the realm is logged_in, and log them in to Thimble automatically.

What solutions/approaches were considered other than the proposed solution?

We also considered not using a central file as the authority, instead requiring each site to list all sites that were part of the realm. That felt less secure and more tiresome, since every site would have to be updated whenever a new part of the realm came online. The current proposal lets the realm owner simply update the browserid-realm file.

Why was this solution chosen?


Any security threats already considered in the design and why?

A bad website, evil.com, can claim to be part of the webmaker.org realm. However, the browserid-realm file served by webmaker.org will not include evil.com, so we will not accept the claim. Earlier drafts allowed the browserid-realm file to be fetched over plain HTTP. An attacker behind evil.com could then poison DNS so that the file retrieved for webmaker.org was one of their own, listing evil.com as part of the realm. Requiring that the file be served over HTTPS removes that risk, because the attacker would also need a valid certificate for webmaker.org.
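The following is an added example, not Persona's own code, modelling the API flow above (the membership check on navigator.id.watch({realm}) and the per-realm logged_in flag) together with the evil.com claim described in this section. The HTTPS fetch of the well-known file is replaced by a constructed in-memory map, and all hostnames and file contents in it are made up for the example. Two details are the example's own choices rather than anything the page states: realm file entries are matched as exact origins (never by suffix), and entries whose scheme is not https are ignored, so the http://foo.com entry in the sample file never counts as a member.

```javascript
// Added example, not Persona's own code: a model of the realm membership check
// and the per-realm logged_in flag described on this page. The network fetch of
// https://<realm>/.well-known/browserid-realm is replaced by a constructed
// in-memory map; all hostnames and file contents below are made up.

// Constructed stand-in for the network: realm hostname -> body served at
// https://<hostname>/.well-known/browserid-realm.
const REALM_FILES = {
  "webmaker.org": JSON.stringify({
    realm: ["https://webmaker.org", "https://thimble.webmaker.org",
            "https://popcorn.webmaker.org", "http://foo.com"],
  }),
  // evil.com serves its own file that lists webmaker.org. That is harmless: the
  // file is only consulted for RPs that themselves name evil.com as their realm.
  "evil.com": JSON.stringify({ realm: ["https://evil.com", "https://webmaker.org"] }),
};

// A realm parameter must be a bare lowercase hostname (no scheme, port or path),
// so the file can only ever be fetched from https://<realm>/... and a DNS-poisoning
// attacker would also need a valid certificate for that host.
const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;

function fetchRealmFile(realmHost) {
  // Real code would do an HTTPS GET here; the example reads the map instead.
  const body = REALM_FILES[realmHost];
  return body === undefined ? null : JSON.parse(body);
}

// Reduce the realm file to a Set of exact https origins. Entries with any other
// scheme, or with a path, port, credentials, query or fragment, are ignored
// (the example's own stricter reading of "scheme is assumed to be HTTPS").
function parseRealmMembers(doc) {
  const members = new Set();
  if (!doc || !Array.isArray(doc.realm)) return members;
  for (const entry of doc.realm) {
    let url;
    try { url = new URL(entry); } catch (e) { continue; }
    if (url.protocol !== "https:" || url.pathname !== "/" || url.port !== "" ||
        url.username !== "" || url.search !== "" || url.hash !== "") continue;
    members.add(url.origin);
  }
  return members;
}

// Is rpOrigin listed in realmHost's file? Exact origin match, never a suffix
// match, so https://evil.com or https://webmaker.org.evil.com can never qualify.
function isRealmMember(rpOrigin, realmHost) {
  if (typeof realmHost !== "string" || !HOSTNAME_RE.test(realmHost)) return false;
  return parseRealmMembers(fetchRealmFile(realmHost)).has(rpOrigin);
}

// Per-user session state: the realms the user has already logged in to.
function createSession() {
  return { loggedInRealms: new Set() };
}

// The user completed a login at rpOrigin, which called navigator.id.watch({realm}).
// Set the realm's logged_in flag only if the RP really belongs to that realm.
function recordLogin(session, rpOrigin, realmHost) {
  if (!isRealmMember(rpOrigin, realmHost)) return false;
  session.loggedInRealms.add(realmHost);
  return true;
}

// A later RP calls navigator.id.watch({realm}): auto-login iff it is a verified
// member of a realm the session already has flagged as logged_in.
function shouldAutoLogin(session, rpOrigin, realmHost) {
  return session.loggedInRealms.has(realmHost) && isRealmMember(rpOrigin, realmHost);
}

// Walk-through of the page's scenario plus the evil.com claim.
const session = createSession();
console.log(recordLogin(session, "https://webmaker.org", "webmaker.org"));             // true
console.log(shouldAutoLogin(session, "https://thimble.webmaker.org", "webmaker.org")); // true
console.log(shouldAutoLogin(session, "https://evil.com", "webmaker.org"));             // false
```

Because the file is always fetched from the host named in the realm parameter, an attacker's own browserid-realm file is never consulted for someone else's realm; with HTTPS required, redirecting the lookup by DNS poisoning would additionally require a certificate for that host.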

Threat Brainstorming



Action Items

Action Item Status: In Progress
Release Target:
  • technical privacy review
  • privacy review
  • server for test environment
