mozilla :: #security

15 May 2017
15:12 <itsfemme-M> jld: the issues on the tracker aren't super clear on this: will firefox support systems that don't enable user namespaces (using a setuid sandbox)? having user namespaces enabled is the cause of many of the recent linux priv escalations.
16:33 <Caspy7> This is currently on top of /r/firefox on reddit https://www.reddit.com/r/firefox/comments/6b9db0/google_is_working_on_better_site_isolation_what/
16:33 <Caspy7> maybe someone would like to chime in
18:41 <ulfr> keeler: I'm rather confused by this https://ulfr.io/f/Screenshot_2017-05-15_14-40-46.png
18:42 <ulfr> specifically about the circumstances that could lead firefox to use the CertPlus CA as a root for a wosign cert
18:43 <ulfr> the server would have to send all necessary intermediates to build an exact chain to the CertPlus CA, right?
18:43 <keeler> ulfr: yes, or the client's profile has them cached
18:44 <ulfr> there's a pattern here of CA corporations unionizing to protect themselves from browsers
18:45 <ulfr> and I'm not sure what to make of it, but I'm not a fan
18:45 <keeler> yeah, the prolific cross-signing can be problematic, I think
18:45 <davidwalsh> kang: In using Flask-pyoidc, do you recall running into "KeyError: 'state'" during the login process? It appears to be an error happening within pyoidc. Especially annoying because there is a state value in the querystring
18:47 <jld> itsfemme-M: We won't require user namespace support, but the fallback is to use seccomp-bpf by itself; there are currently no plans to ship a setuid root helper like chrome-sandbox.
18:47 <jld> I should write up a better explanation of this; https://wiki.mozilla.org/Security/Sandbox#Linux_2 is... not good.
18:48 <jld> Also, #boxing is the main sandboxing channel; I think not everyone from there is also in here.
18:49 <keeler> ulfr: although if the end-entity has a notBefore after October 21 2016, we wouldn't trust it regardless of the eventual root: https://dxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#787
18:51 <ulfr> keeler: sure, because wosign, but I'm more interested in the systemic problem here
18:51 <keeler> yeah
18:52 <ulfr> when I have some time, I'll try to graph the intermediate/root webpki relationships
18:53 <keeler> that would be interesting to see
18:54 <ulfr> digicert does the same thing, though to a lesser degree https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=1814956
18:58 <keeler> I think the cybertrust root is just a horrible legacy thing - basically everyone cross-signed it
18:58 <keeler> or vice-versa
19:00 <kang> davidwalsh: no, sounds odd - state is definitely required
19:04 <kang> andrew: what version of python does the sso dashboard run on, if you know?
19:05 <Alex_Gaynor> CyberTrust was part of the old verizon infra that DigiCert has been untangling, right?
19:06 <keeler> possibly?
19:12 <Peng_> Baltimore CyberTrust? Yes, that's one of the Verizon roots DigiCert got.
19:19 <andrew> Kang: currently 2.7, but no blockers for 3.6
19:21 <kang> andrew: ok thx - davidwalsh ran into some issues with the oic lib with python 3.5 - i suspect this might be why
19:22 <andrew> Serverless observatory is written on python 3.6
19:22 <andrew> Works great
19:25 <davidwalsh> andrew: I'm modeling my code after your dash (https://github.com/mozilla-conduit/lando-ui/pull/4), with alpine-3.5, but getting the weird error shown in the PR upon login
19:25 <davidwalsh> Super frustrating
19:50 <andrew> So I've seen this error
19:51 <andrew> It's usually because I enabled flask secure cookie and it breaks flask-pyoidc
19:51 <andrew> Also fwiw secure session != Httponly
19:52 <andrew> ^^ davidwalsh
19:57 <davidwalsh> omg andrew you're a genius
19:59 <andrew> Davidwalsh: hardly genius, I just tried putting the security slider to max once and spent the next several hours debugging
20:00 <andrew> Flask-pyoidc needs a little help
20:00 <andrew> But does work
20:00 * andrew memorized all the pyoidc bugs
20:03 <davidwalsh> andrew: Thank you so much and don't hate on me if I have more questions! I owe you and kang a beer in SF!
20:04 <andrew> Davidwalsh: thanks for modeling anything after my code. A compliment in and of itself
20:04 <andrew> Feel free to send up a flare any time
20:25 <itsfemme-M> jld: that means that kernels with userns disabled won't have filesystem isolation either though, right? I use Oz with a profile that only shows firefox the files it needs but ofc it can't do anything fancy like per-site namespaces. As I mentioned earlier I keep userns disabled because it's still causing many vulnerabilities (I'm on subgraph os but other distros like Arch also disable it by default); making users choose between security options isn't a good thing imo when it can be avoided (using a helper binary). I hope I reached out early enough that the plans can take this into consideration :)
20:28 <itsfemme-M> jld: seccomp-bpf is nice but since firefox needs all the syscalls to access files and transfer them over the network it doesn't stop an attacker that did some QA (they have all the syscalls they need)