Closed Bug 1529643 Opened 9 months ago Closed 8 months ago

On certificate error pages, trigger an internal canary request to detect MitM

Categories

(Firefox :: Security, enhancement, P1)

RESOLVED FIXED
Firefox 67
Tracking Status
firefox67 --- fixed

People

(Reporter: johannh, Assigned: johannh)

References

(Blocks 2 open bugs, Regressed 1 open bug)

Details

Attachments

(2 files)

Our current AV MitM detection works by listening to failed internal requests such as the update or blocklist pings and comparing the issuer certificates to those in certificate errors when loading content. If they match, we show a special error that should be much more helpful to users.

However, this method is lacking because the user's browser may not have triggered any internal requests at the time they view the certificate error.

We should consider triggering such a request automatically when the user hits certain error codes (such as UNKNOWN_ISSUER).

Note that we'd discussed having a 'probe' of whether a MITM is currently "ITM" be tied to a supposed "Fix it" button, so whatever means is used to trigger the probe, it'd be good to be able to call it from privileged JS, too.

Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
Priority: P2 → P1
Attachment #9049011 - Attachment description: Bug 1529643 - Implement MitM priming on certificate error pages. r=Gijs,keeler → Bug 1529643 - Implement MitM priming on certificate error pages. r=mconley,keeler
Attachment #9049012 - Attachment description: Bug 1529643 - Don't do MitM priming in tests. r=whimboo → Bug 1529643 - Don't do MitM priming in tests. r=whimboo,gbrown
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e4718a35d70b
Implement MitM priming on certificate error pages. r=keeler,mconley
https://hg.mozilla.org/integration/autoland/rev/000dfd4caca0
Don't do MitM priming in tests. r=whimboo,gbrown

Backed out 2 changesets (bug 1529643) for eslint failure at NetErrorChild.jsm on a CLOSED TREE.

Backout link: https://hg.mozilla.org/integration/autoland/rev/99581ff1fb9d0114c516f5c0e4ed62fea8c5e9d1

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=success%2Cpending%2Crunning%2Ctestfailed%2Cbusted%2Cexception&selectedJob=233736999&searchStr=linting%2Copt%2Csource-test-mozlint-eslint%2C%28es%29&revision=000dfd4caca0183893f821c4856d2a97c043bf5c

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=233736999&repo=autoland&lineNumber=269

Log snippet:
[task 2019-03-13T22:59:10.517Z] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/browser/actors/NetErrorChild.jsm:361:21 | Method 'onCertErrorDetails' has a complexity of 45. (complexity)
[taskcluster 2019-03-13 22:59:10.996Z] === Task Finished ===
[taskcluster 2019-03-13 22:59:10.996Z] Unsuccessful task run with exit code: 1 completed in 623.513 seconds

Flags: needinfo?(jhofmann)
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/08d0bcbb20e3
Implement MitM priming on certificate error pages. r=keeler,mconley
https://hg.mozilla.org/integration/autoland/rev/b4a06ea3abad
Don't do MitM priming in tests. r=whimboo,gbrown
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 67
Flags: needinfo?(jhofmann)

Johann, can you maybe comment with verification steps?

Flags: qe-verify+

Romain, do we have any recorded test steps for known MitM software? The new feature is that the browser will immediately pick up the fact that it's being MitM'd, whereas previously it needed to wait for an update ping to finish.

Flags: needinfo?(rtestard)

This is what I suggest:

Run this test with the feature enabled through the pref:
1. Install Firefox on Windows 10, check that the security.enterprise_roots.enabled pref is set to false
2. Install http://legendasbrasil.org/ (AFAICT this software seems to MITM traffic without adding its cert to the Firefox store)
3. Browse an HTTPS website
4. No cert error page should show and the network section of the web console should show a request (to the URL used for the canary request? Not sure what that URL is...). The website loads fine.
5. Check that the security.enterprise_roots.enabled pref is set to true

Run this test with the feature disabled through the pref:
1. Install Firefox on Windows 10, check that the security.enterprise_roots.enabled pref is set to false
2. Install http://legendasbrasil.org/ (AFAICT this software seems to MITM traffic without adding its cert to the Firefox store)
3. Browse an HTTPS website
4. The MITM error page shows
5. Check that the security.enterprise_roots.enabled pref is set to false

Flags: needinfo?(rtestard)

Thanks Romain!

Note that for the above to work security.certerrors.mitm.auto_enable_enterprise_roots needs to be set to true as well. Otherwise you will get an error page that is customized for MitM errors (which you could also test).

> Not sure what that URL is...

https://mitmdetection.services.mozilla.com/

Johann: when security.certerrors.mitm.auto_enable_enterprise_roots is enabled and a MITM is encountered, will there be any indication to the user that there was an error, or will the page just load as if nothing happened? Also, once this happens, will the security.enterprise_roots.enabled pref be permanently set to true (unless the user changes it back)?

(In reply to Wayne Thayer [:wayne] from comment #14)

> Johann: when security.certerrors.mitm.auto_enable_enterprise_roots is enabled and a MITM is encountered, will there be any indication to the user that there was an error, or will the page just load as if nothing happened? Also, once this happens, will the security.enterprise_roots.enabled pref be permanently set to true (unless the user changes it back)?

In an ideal scenario there will be no visible error page (though there's most likely a short flicker while we do the network request), and the pref will be permanently set to true if we actually fixed the issue. If the user continues to get an error then the pref is flipped off again. Otherwise yes, it's permanently set.
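The flow discussed in this bug (canary probe on UNKNOWN_ISSUER, issuer comparison, automatic enabling of enterprise roots, and flipping the pref back if the error persists), sketched as an added example that is not Firefox source code. The pref names and canary URL are quoted from the comments above; the function names, the `probe` callback, the `state` object, the result strings and the sample issuer are hypothetical.

```javascript
// Added illustration of the decision flow discussed in this bug; not Firefox code.
// Pref names and the canary URL are quoted from the thread; all else is hypothetical.
const CANARY_URL = "https://mitmdetection.services.mozilla.com/";
const ROOTS_PREF = "security.enterprise_roots.enabled";
const AUTO_PREF = "security.certerrors.mitm.auto_enable_enterprise_roots";

// Constructed sample value: an interception product re-signs every connection
// with the same root, so the page and the canary show the same issuer.
const SAMPLE_ISSUER = "CN=Example AV Root (constructed)";

// probe(url) is injected by the caller and returns { failed, issuer } for the
// canary request; issuer identifies the issuer seen on a failed handshake.
function handleCertError(pageError, prefs, state, probe) {
  if (pageError.code !== "UNKNOWN_ISSUER") return "generic-cert-error";
  const canary = probe(CANARY_URL);
  // Same untrusted issuer on an internal request and on the page => interception.
  const intercepted = canary.failed && canary.issuer === pageError.issuer;
  if (!intercepted) return "generic-cert-error";
  if (prefs[AUTO_PREF] && !prefs[ROOTS_PREF]) {
    prefs[ROOTS_PREF] = true;   // trust roots from the OS store, then retry the load
    state.autoEnabled = true;   // remember that this was not the user's choice
    return "reload";
  }
  return "mitm-error-page";     // MitM-specific error page
}

// Called when the retried load finishes: the pref is kept only if it fixed the error.
function afterReload(stillFailing, prefs, state) {
  if (!stillFailing) return "page-loaded";  // pref stays set to true
  if (state.autoEnabled) {
    prefs[ROOTS_PREF] = false;              // did not help: flip it off again
    state.autoEnabled = false;
  }
  return "mitm-error-page";
}
```
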

Hi,

We have completed testing this request with the instructions provided in Comment 12, on Firefox Beta 67.0b6 (20190328152334) using AdGuard antivirus v6.4. During this testing under Windows 10 x64, one new bug 1540164 was uncovered. We've checked on different HTTPS websites from the Alexa top 100 list.

Unfortunately, we were not able to install the http://legendasbrasil.org/ software, due to our internal SV restrictions; please let us know if we should cover other AVs as well, or if this should suffice. Thanks!

Hi Romain, I just want to check with you if we're OK with the testing performed in comment 16. In that case, I think we should close this bug as verified fixed. Thank you!

Flags: needinfo?(rtestard)

After discussions with the team I can confirm it's OK.

Flags: needinfo?(rtestard)

For future QA on this space, Dana recommended the use of ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Duplicate of this bug: 1521857
Regressions: 1553950