Closed Bug 867489 Opened 11 years ago Closed 8 years ago

Security review for the Mozilla identity provider (Persona for mozilla.{com,org})

(mozilla.org :: Security Assurance: Review Request, task)

RESOLVED INCOMPLETE

(Reporter: lhilaiel, Assigned: ygjb)

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.65 Safari/537.36

Steps to reproduce:

# What are we talking about?

We are building LDAP/Persona integration so employees with mozilla.{org,com} email addresses can log into any persona enabled website with their mozilla email and LDAP password.

The goal is to make it safer and more convenient to log into websites with your mozilla email, and to limit the number of servers who ever have access to a raw password.

# Where is the source code located?

https://github.com/mozilla/vinz-clortho

# Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

Currently live is the development environment: https://mozilla.personatest.org
You can "activate" it by logging in with <mozilla username or alias>@mozilla.personatest.org

We will have a mirror of the production environment available at login.allizom.org by the time of review.

# Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Mozilla Services/Server: Identity
Or if you want to use github: https://github.com/mozilla/vinz-clortho

# Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

The application will access ldaps://ldap.mozilla.org:636 - this will be secured with transport level security (IP whitelisting). There will also be "headless" LDAP user credentials to allow us to support aliases - perform an initial bind so we can search for the canonical user name given an alias.

# Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

Any test LDAP account may be used to authenticate.

# What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

All of our internal and external applications which employees authenticate to will eventually rely on this deployment for user authentication. This server will authenticate users using LDAP credentials and certify client generated keypairs. At launch, it will not change security dynamics of existing applications. Compromise of this server would be analogous to compromise of persona.

As we proceed, the authentication of more and more internal applications will be dependent on the integrity of this service.

Critical applications can and will be secured with network level security in addition to authentication for defense in depth - no net change to the status quo here.

# Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

No admin page.

# This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

This is a Q2 goal for IT, and the identity team is supporting this goal. We aim to go live by 5/20. Here is the schedule and further details: https://etherpad.mozilla.org/niWnndybQs
Proposed strawperson security review agenda:

1. high level overview of The Mozilla IDP application: goals and functioning
2. the schedule
3. application level security - review of application design and attack surface
4. infrastructure level security - review of deployment infrastructure
5. deployment / update procedures
6. Interaction with LDAP
7. What's coming - How internal applications will interact and schedule

I'm 100% willing to change this based on what you guys need. Schedule a slot and we'll be ready.
Assignee: nobody → yboily
QA Contact: jstevensen
Assignee: yboily → nobody
Whiteboard: [triage needed]
Met with yvan and the following concrete actions resulted:

CEF logging:
* (lloyd) add CEF logging to mozilla idp and log failed password attempts (https://npmjs.org/package/cef)
* (yvan) advise how to route cef logging into the security teams infrastructure
* (lloyd/benson) perform said routing

LDAP:
* (yvan) figure out whether we can mitigate ldap brute force attempts within ldap (ldap.mozilla.org)

Code review:
* (lloyd) review https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines - open and resolve issues that result.
* (yvan) review the code.

Orthogonal stuff that yvan wants lloyd to do and lloyd is willing to do:
* (lloyd) fast track the implementation of brute force countermeasures in persona
* (lloyd) help the effort to generate security requirements for node.js apps written at mozilla

We'll reconvene on 2013.05.14 to confirm all work was complete, and make a call on whether we're approved to go live, or whether more needs to be done.
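As an added illustration of the CEF action item above (not code from vinz-clortho or from the npm "cef" package), this formats a failed LDAP password check as a CEF record with correct header/extension escaping and flags accounts whose failures exceed a per-window threshold; the vendor, product, version and signature id values are assumed.

```javascript
// Added example: CEF lines for failed IdP logins plus a brute-force threshold.
// Vendor/product/signatureId values are assumed, not taken from the project.
const CEF_VERSION = 0;

// CEF header fields escape backslash and pipe; extension values escape
// backslash, equals sign and newlines.
function escapeHeader(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/\|/g, '\\|');
}
function escapeExtValue(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/=/g, '\\=')
    .replace(/\r?\n/g, '\\n');
}

// Build one record: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
function formatCef({ vendor, product, version, signatureId, name, severity, ext }) {
  const header = [vendor, product, version, signatureId, name, severity]
    .map(escapeHeader).join('|');
  const extension = Object.entries(ext)
    .map(([k, v]) => `${k}=${escapeExtValue(v)}`).join(' ');
  return `CEF:${CEF_VERSION}|${header}|${extension}`;
}

// One failed LDAP bind for the given account (signature id is assumed).
function failedLoginCef(email, clientIp, at) {
  return formatCef({
    vendor: 'Mozilla', product: 'mozilla-idp', version: '0.1',
    signatureId: 'AUTH_FAIL', name: 'LDAP password check failed', severity: 5,
    ext: { suser: email, src: clientIp, rt: at.toISOString(), msg: 'invalid password' },
  });
}

// Sliding-window count of failures per account (events sorted by time);
// returns the accounts that reached the threshold, i.e. what secops alerts on.
function bruteForceSuspects(events, threshold, windowMs) {
  const byUser = new Map();
  const suspects = new Set();
  for (const e of events) {
    const recent = (byUser.get(e.email) || []).filter(t => e.at - t < windowMs);
    recent.push(e.at);
    byUser.set(e.email, recent);
    if (recent.length >= threshold) suspects.add(e.email);
  }
  return [...suspects];
}

// Constructed sample: five failures for one account, ten seconds apart.
const SAMPLE_EVENTS = [0, 10, 20, 30, 40].map(s => ({
  email: 'alias@mozilla.com', ip: '203.0.113.7',
  at: new Date(Date.UTC(2013, 4, 14, 12, 0, s)),
}));
```

Each event in `SAMPLE_EVENTS` can be passed through `failedLoginCef` to produce the line that would be routed to the security team's collector.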
Assignee: nobody → yboily
Whiteboard: [triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
I do believe we're ready for a final security review.

Point by point responses are available for Secure Coding guidelines, here: https://github.com/mozilla/vinz-clortho/issues/11

The final outstanding issues are:
* Input validation audit: https://github.com/mozilla/vinz-clortho/issues/11
* Routing CEF logging into secops: https://github.com/mozilla/vinz-clortho/issues/66

For when could we schedule a final security review, and what form shall that take?
Validation audit is complete; we use the same (security reviewed) approach as in persona: https://github.com/mozilla/vinz-clortho/commit/a5717517f4dffe55d5415d1fb2ac07c17520124d

I'd love a final blessing from you guys...
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web]
The persona service will be decommissioned later this year, so I'm closing out persona-related bugs
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(yvanboily+mozbugmail)