Closed Bug 1547995 Opened 5 years ago Closed 5 years ago

Add option to .get() to verify signatures on read

Categories

(Firefox :: Remote Settings Client, enhancement)

Product:
Firefox
Component:
Remote Settings Client
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: leplatrem, Assigned: leplatrem)

References

Details

(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main68-])

Attachments

(2 files, 2 obsolete files)

Bug 1547995 - Upgrade kinto-offline-client.js to v12.4.0
47 bytes, text/x-phabricator-request
Details | Review
Bug 1547995 - Add option to Remote Settings get() to verify signatures on read
47 bytes, text/x-phabricator-request
Details | Review

So that can do something like this:

try {
  data = await client.get({ verifySignature: true });
} catch (e) {
   if (e instanceof RemoteSettings.InvalidSignatureError) {
     await client.clear();
     await client.loadDump();
     // or client.sync();
   }
}
Type: defect → enhancement

After digging into this, I realize that we'll have to force a synchronization or store the collection metadata locally during synchronization. Otherwise, if we fetch the signature from the server on .get(), and the local data is not up-to-date, the signature won't be valid.

Why does this need to be hidden? This might be better/safer but how could the knowledge be used to exploit our users?

Flags: needinfo?(mathieu)
Keywords: sec-want

Why does this need to be hidden? This might be better/safer but how could the knowledge be used to exploit our users?

It does not have to be hidden indeed. Since it makes explicit that we don't verify signature on read, I thought it would be safer. Basically an attacker could alter the local IndexedDB in the profile folder to alter the records. On next synchronization those changes will be erased though.

Flags: needinfo?(mathieu)
Assignee: nobody → mathieu

Bug 1547995 - Upgrade kinto-offline-client.js to v12.4.0

Attachment #9063215 - Attachment description: Bug 1547995 - Add option to Remote Settings get() to verify signatures on read → Bug 1547995 - Upgrade kinto-offline-client.js to v12.4.0
Attachment #9063215 - Attachment is obsolete: true
Attachment #9062215 - Attachment is obsolete: true

I'm stuck on this:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=245559065&repo=try&lineNumber=2336-2342

Could be this? [Exception... "Unexpected error" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: resource://testing-common/httpd.js :: finish :: line 3455" data: no]

Tests pass locally :/

Sorry for the troubles. Phabricator now has the fix.

Flags: needinfo?(mathieu)
Keywords: checkin-needed
Group: firefox-core-security → core-security-release
Regressions: 1551952
Blocks: 1553831
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main68-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: