1215457 - [TV 2.5][meta] Secure connection between remote control server and client

Status: RESOLVED FIXED

(Firefox OS Graveyard :: Gaia::TV::System, defect, P1)

Description

[Eric Tsai (no more review request accepted)]

httpd.js only supports http, we need secure connection like https to provide remote control service.

Comment 1

[Eric Tsai (no more review request accepted)]

Try to find some clue for implementation a https server:
1) necko client test case for https server
2) WebRTC default certification, try to leverage for build-in https server

Comment 2

[Eric Tsai (no more review request accepted)]

Hi Paul, Luke and I have secure connection proposal for remote control:

https://wiki.mozilla.org/Firefox_OS/Remote_Control#Secure_Connection

Would you mind to give us some opinion on the proposal?

Comment 3

[Paul Theriault [:pauljt] (no longer reading bugmail)]

I've a look here but really there isn't enough information. From the information I can see on the wiki, this solution seems to add almost no security at all. But really there isn't enough information to go off. From our consersations it sounds as thought you have a more detailed plan than documented. 

As we discussed, I'll get some feedback from platform security team, but my advice here would be stop trying to implement your own security protocol, and use something provided by the platform as previously suggested (WebRTC peerConnection), or dont do anything at all.

My overall though is that it would be significantly easier to re-implement your communication protocol than trying to replace SSL with some encryption at the javascript layer.

Comment 4

[Eric Tsai (no more review request accepted)]

Add steps to verify public key by fingerprint:
1. User connect to TV firstly.
2. TV send public key to user, print fingerprint on TV screen.
3. User receive public key, generate fingerprint on device screen. Compare the two fingerprints are the same.
4. User press "Confirm" on the device.
5. TV dismiss the fingerprint on TV screen.
6. Continue to exchange symmetric key and follow the PIN code pairing steps.

Comment 5

[Eric Tsai (no more review request accepted)]

1. Unpaired device musn’t be able to just send commands directly to the TV. 
	- I think this is protected by the requirement of a UUID cookie

2. Prevent CSRF attacks against the remote control
	- This attack involves a malicious website making an request to the TV
	- While any website can induce an XHR request to the TV which will include the UUID cookie, the website doesn’t know the encryption key stored in localStorage, so it can’t make a valid request (you should be sure to use an authenticated encryption mode to reduce the attack surface here). 

3.Prevent clickjacking attacks against the remote control
	- make sure the remote control web page can not be framed (i.e. set the "X-Frame-Options DENY;” http header see https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options)

Comment 6

[Eric Tsai (no more review request accepted)]

After try webcrypto, I think use RSA-OEAP to do exchange AES-GCM key is fine. But AES-GCM encrypt and decrypt requires the same IV, I think we can send IV with non-encrypted message or cookie?

Comment 7

[Luke Chang [:lchang] (inactive)]

Change this bug to a meta bug and break down works.

Comment 8

[Josh Cheng [:josh]]

Hi ChunMin,
Could you help to take this bug for now we change the use case of Remote Control to use TCP socket.
Thanks.

Comment 9

[Evelyn Hung]

It's a meta bug, so ChunMin's part is on 1228262.

Comment 10

[Eric Tsai (no more review request accepted)]

Modify dependency, TV part is in bug 1207996, addon is in bug 1228262. Both are landed, set this bug to resolved fixed.