On certificate error pages, trigger an internal canary request to detect MitM
Categories
(Firefox :: Security, enhancement, P1)
Tracking
 | Tracking | Status
---|---|---
firefox67 | --- | fixed
People
(Reporter: johannh, Assigned: johannh)
References
(Blocks 2 open bugs)
Details
Attachments
(2 files)
Our current AV MitM detection works by listening for failed internal requests, such as the update or blocklist pings, and comparing their issuer certificates to the issuer in certificate errors hit when loading content. If they match, we show a special error page that should be much more helpful to users.
However, this method falls short because the user's browser may not have made any internal requests by the time they view the certificate error.
We should consider triggering such a request automatically when the user hits certain error codes (such as UNKNOWN_ISSUER).
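The heuristic and the proposed priming step, as an added JavaScript illustration written for this page (not Firefox code; the error code string, issuer names and probe callbacks are constructed sample values):

```javascript
// Added illustration of the heuristic described in this bug; not Firefox code.
// Error codes, issuer names and the probe callbacks are constructed sample values.
const UNKNOWN_ISSUER = "SEC_ERROR_UNKNOWN_ISSUER";

class MitmDetector {
  // canaryProbe performs an internal request and returns { ok: true } or
  // { ok: false, errorCode, issuer }; kept synchronous here for brevity.
  constructor(canaryProbe) {
    this.canaryProbe = canaryProbe;
    this.internalIssuer = null; // issuer seen on the last failed internal ping
  }
  // Internal requests (update/blocklist pings) report their TLS failures here.
  recordInternalFailure(errorCode, issuer) {
    if (errorCode === UNKNOWN_ISSUER) this.internalIssuer = issuer;
  }
  // Pre-fix behaviour: rely only on pings that happened to fail earlier.
  classify(errorCode, issuer) {
    if (errorCode !== UNKNOWN_ISSUER) return "generic-error";
    return this.internalIssuer !== null && issuer === this.internalIssuer ? "mitm" : "unknown-issuer";
  }
  // Post-fix behaviour: on UNKNOWN_ISSUER with no ping failure on record,
  // fire the canary first so the issuer comparison has data to work with.
  classifyWithPriming(errorCode, issuer) {
    if (errorCode === UNKNOWN_ISSUER && this.internalIssuer === null) {
      const result = this.canaryProbe();
      if (!result.ok) this.recordInternalFailure(result.errorCode, result.issuer);
    }
    return this.classify(errorCode, issuer);
  }
}

// Constructed scenario: a local interception proxy re-signs all TLS traffic.
const AV_ISSUER = "CN=Example AV Root";
const probeThroughProxy = () => ({ ok: false, errorCode: UNKNOWN_ISSUER, issuer: AV_ISSUER });
const probeClean = () => ({ ok: true });

// No ping has failed yet, so the old logic cannot recognise the MitM.
function coldStartWithoutPriming() {
  return new MitmDetector(probeThroughProxy).classify(UNKNOWN_ISSUER, AV_ISSUER);
}
// Same cold start, but the canary request fills in the missing issuer.
function coldStartWithPriming() {
  return new MitmDetector(probeThroughProxy).classifyWithPriming(UNKNOWN_ISSUER, AV_ISSUER);
}
// Canary succeeds: an untrusted site issuer is a real site problem, not MitM.
function genuineBadSiteCert() {
  return new MitmDetector(probeClean).classifyWithPriming(UNKNOWN_ISSUER, "CN=Self-Signed Site");
}
```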
Comment 1•5 years ago
Note that we'd discussed having a 'probe' of whether a MITM is currently "ITM" be tied to a supposed "Fix it" button, so whatever means is used to trigger the probe, it'd be good to be able to call it from privileged JS, too.
Comment 4•5 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b28027b3aa1e96462fc92ffc47a9a768ae8ac529
Comment 5•5 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=05e4c1f636854d2ed6f1922567cd9a643ae68d98
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e4718a35d70b
Implement MitM priming on certificate error pages. r=keeler,mconley
https://hg.mozilla.org/integration/autoland/rev/000dfd4caca0
Don't do MitM priming in tests. r=whimboo,gbrown
Comment 7•5 years ago
Backed out 2 changesets (bug 1529643) for eslint failure at NetErrorChild.jsm on a CLOSED TREE.
Backout link: https://hg.mozilla.org/integration/autoland/rev/99581ff1fb9d0114c516f5c0e4ed62fea8c5e9d1
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=233736999&repo=autoland&lineNumber=269
Log snippet:
[task 2019-03-13T22:53:18.674Z] New python executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init/bin/python2.7
[task 2019-03-13T22:53:18.674Z] Also creating executable in /builds/worker/checkouts/gecko/obj-x86_64-pc-linux-gnu/_virtualenvs/init/bin/python
[task 2019-03-13T22:53:20.354Z] Installing setuptools, pip, wheel...done.
[task 2019-03-13T22:53:21.422Z] running build_ext
[task 2019-03-13T22:53:21.422Z] building 'psutil._psutil_linux' extension
[task 2019-03-13T22:53:21.422Z] creating build
[task 2019-03-13T22:53:21.422Z] creating build/temp.linux-x86_64-2.7
[task 2019-03-13T22:53:21.422Z] creating build/temp.linux-x86_64-2.7/psutil
[task 2019-03-13T22:53:21.422Z] x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=543 -DPSUTIL_LINUX=1 -I/usr/include/python2.7 -c psutil/_psutil_common.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_common.o
[task 2019-03-13T22:53:21.422Z] x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=543 -DPSUTIL_LINUX=1 -I/usr/include/python2.7 -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_posix.o
[task 2019-03-13T22:53:21.422Z] x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=543 -DPSUTIL_LINUX=1 -I/usr/include/python2.7 -c psutil/_psutil_linux.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_linux.o
[task 2019-03-13T22:53:21.422Z] creating build/lib.linux-x86_64-2.7
[task 2019-03-13T22:53:21.422Z] creating build/lib.linux-x86_64-2.7/psutil
[task 2019-03-13T22:53:21.422Z] x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -Wl,-z,relro -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security build/temp.linux-x86_64-2.7/psutil/_psutil_common.o build/temp.linux-x86_64-2.7/psutil/_psutil_posix.o build/temp.linux-x86_64-2.7/psutil/_psutil_linux.o -o build/lib.linux-x86_64-2.7/psutil/_psutil_linux.so
[task 2019-03-13T22:53:21.422Z] building 'psutil._psutil_posix' extension
[task 2019-03-13T22:53:21.422Z] x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=543 -DPSUTIL_LINUX=1 -I/usr/include/python2.7 -c psutil/_psutil_common.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_common.o
[task 2019-03-13T22:53:21.422Z] x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -DPSUTIL_POSIX=1 -DPSUTIL_VERSION=543 -DPSUTIL_LINUX=1 -I/usr/include/python2.7 -c psutil/_psutil_posix.c -o build/temp.linux-x86_64-2.7/psutil/_psutil_posix.o
[task 2019-03-13T22:53:21.423Z] x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-Bsymbolic-functions -Wl,-z,relro -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -Wl,-z,relro -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security build/temp.linux-x86_64-2.7/psutil/_psutil_common.o build/temp.linux-x86_64-2.7/psutil/_psutil_posix.o -o build/lib.linux-x86_64-2.7/psutil/_psutil_posix.so
[task 2019-03-13T22:53:21.423Z] copying build/lib.linux-x86_64-2.7/psutil/_psutil_linux.so -> psutil
[task 2019-03-13T22:53:21.423Z] copying build/lib.linux-x86_64-2.7/psutil/_psutil_posix.so -> psutil
[task 2019-03-13T22:53:21.423Z]
[task 2019-03-13T22:53:21.423Z] Error processing command. Ignoring because optional. (optional:packages.txt:comm/build/virtualenv_packages.txt)
[task 2019-03-13T22:59:10.517Z] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/browser/actors/NetErrorChild.jsm:361:21 | Method 'onCertErrorDetails' has a complexity of 45. (complexity)
[taskcluster 2019-03-13 22:59:10.996Z] === Task Finished ===
[taskcluster 2019-03-13 22:59:10.996Z] Unsuccessful task run with exit code: 1 completed in 623.513 seconds
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/08d0bcbb20e3
Implement MitM priming on certificate error pages. r=keeler,mconley
https://hg.mozilla.org/integration/autoland/rev/b4a06ea3abad
Don't do MitM priming in tests. r=whimboo,gbrown
Comment 9•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/08d0bcbb20e3
https://hg.mozilla.org/mozilla-central/rev/b4a06ea3abad
Comment 11•5 years ago
Romain, do we have any recorded test steps for known MitM software? The new feature is that the browser will immediately pick up the fact that it's being MITMed, vs. previously it needed to wait for an update ping to finish.
Comment 12•5 years ago
This is what I suggest:
Run this test with the feature enabled through the pref:
1. Install Firefox on Windows 10, check that the security.enterprise_roots.enabled pref is set to false
2. Install http://legendasbrasil.org/ (AFAICT this software seems to MITM traffic without adding its cert to the Firefox store)
3. Browse an HTTPS website
4. No cert error page should show and the network section of the web console should show a request to the URL used for the canary request (not sure what that URL is...). The website loads fine.
5. Check that the security.enterprise_roots.enabled pref is set to true
Run this test with the feature disabled through the pref:
1. Install Firefox on Windows 10, check that the security.enterprise_roots.enabled pref is set to false
2. Install http://legendasbrasil.org/ (AFAICT this software seems to MITM traffic without adding its cert to the Firefox store)
3. Browse an HTTPS website
4. The MITM error page shows
5. Check that the security.enterprise_roots.enabled pref is set to false
Comment 13•5 years ago
Thanks Romain!
Note that for the above to work security.certerrors.mitm.auto_enable_enterprise_roots needs to be set to true as well. Otherwise you will get an error page that is customized for MitM errors (which you could also test).
Not sure what that URL is...
Comment 14•5 years ago
Johann: when security.certerrors.mitm.auto_enable_enterprise_roots is enabled and a MITM is encountered, will there be any indication to the user that there was an error, or will the page just load as if nothing happened? Also, once this happens, will the security.enterprise_roots.enabled pref be permanently set to true (unless the user changes it back)?
Comment 15•5 years ago
(In reply to Wayne Thayer [:wayne] from comment #14)
> Johann: when security.certerrors.mitm.auto_enable_enterprise_roots is enabled and a MITM is encountered, will there be any indication to the user that there was an error, or will the page just load as if nothing happened? Also, once this happens, will the security.enterprise_roots.enabled pref be permanently set to true (unless the user changes it back)?
In an ideal scenario there will be no visible error page (though there's most likely a short flicker while we do the network request), and the pref will be permanently set to true if we actually fixed the issue. If the user continues to get an error then the pref is flipped off again. Otherwise yes, it's permanently set.
Comment 16•5 years ago
Hi,
We have completed testing this request with the instructions provided in Comment 12, on Firefox Beta 67.0b6 (20190328152334) using AdGuard antivirus v6.4. During this testing under Windows 10 x64, one new bug, bug 1540164, was uncovered. We've checked on different HTTPS websites from the Alexa top 100 list.
Unfortunately, we were not able to install the http://legendasbrasil.org/ software, due to our internal SV restrictions; please let us know if we should cover other AVs as well, or if this should suffice. Thanks!
Comment 17•5 years ago
Hi Romain, I just want to check with you if we're OK with the testing performed in comment 16. In that case, I think we should close this bug as verified fixed. Thank you!
Comment 18•5 years ago
After discussions with the team I can confirm it's OK.
Comment 19•5 years ago
For future QA on this space, Dana recommended the use of ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project