Curtis Koenig | 21 May 14:38
Daniel Veditz | 16 May 20:34

test dev-security mail

Mailman was down yesterday and some of the lists didn't come back.
If you're seeing this mail then dev-security is working.

-Dan Veditz
cruejones | 14 May 19:37

firefox smartcard issue?

I have firefox working with CAC smartcard auth via the coolkey module and/or cackey. The only problem is
that when accessing a secure site firefox is not prompting me to select a certificate even though I have
"ask every time" selected. The smartcard has two certs on it. 

Verified that both libcackey.so and libcoolkeypk11.so modules see both certificates outside of
firefox. 

When I try via IE it prompts me to select a cert. 

Anyone have any ideas? 

Thanks, 
Crue 
Kai Engert | 11 May 17:53

Flowerbeetle & Flowerduck

I've started a project to produce an 
experimental browser (Flowerbeetle) and an
experimental e-mail client (Flowerduck).

The purpose is to enable early testing of security 
and PKI related changes, which are proposed for the Mozilla
platform (including Firefox and Thunderbird), but which
haven't yet been fully reviewed and accepted for inclusion.

Just to make it clear, this isn't an official Mozilla.org 
project, it's (currently) my own initiative.

If you're interested in testing and giving feedback, please visit 
https://kuix.de/flowerbeetle and https://kuix.de/flowerduck
for more information.

For the full list of experimental changes included, 
please visit the download pages.

Notable changes are:
- support for OCSP stapling and the OCSP HTTP GET mechanism
- disable acceptance of MD5 in signatures
- use of the smarter libPKIX certificate verification engine
  (which unfortunately still has some stability bugs and would
   benefit from contributions to improve it)
- libPKIX allows for automatic download of CRLs and missing 
  certificates during verification
- strictly require fresh revocation information when verifying
  certificates (if the availability of such information is
  declared inside certificates)

Paul Theriault | 10 May 19:06

WebAPI Security Discussion:Background API

(Please reply-to dev-webapps <at> lists.mozilla.org)

Name of API: Alarm API
Reference: 
https://groups.google.com/d/topic/mozilla.dev.webapi/pkx1uz_pnhQ/discussion

Brief purpose of API:
General Use Cases: Add an alarm (relaunch the app via alarm intent at a
future time)

Inherent threats: Annoyance

Threat severity: Low

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Relaunch the app via an alarm
intent at a future time
Authorization model for normal content: None
Authorization model for installed content: Implicit
Potential mitigations: Should be a way to disable alarm for a given app

== Trusted (authenticated by publisher) ==
Same as for installed untrusted app

== Certified (vouched for by trusted 3rd party) ==
Same as for installed untrusted app
Paul Theriault | 9 May 21:02

WebAPI Security Discussion:Battery API

(Please reply-to dev-webapps <at> lists.mozilla.org)

Name of API: Battery API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=678694
http://dvcs.w3.org/hg/dap/raw-file/tip/battery/Overview.html

Note from spec:
The API defined in this specification is used to determine the battery 
status of the hosting device. The information disclosed has minimal 
impact on privacy or fingerprinting, and therefore is exposed without  
permission grants. For example, authors cannot directly know if there is 
a battery or not in the hosting device.

Brief purpose of API:
General Use Cases: Adjust app behavior based upon power status

Inherent threats: Fingerprinting, abuse of battery?

Threat severity: low

== Regular web content (unauthenticated) ==
Use cases: Same
Authorization model for normal content: Implicit
Authorization model for installed content: Implicit
Potential mitigations: None

== Trusted (authenticated by publisher) ==
Use cases: Same
Authorization mode: Implicit
Potential mitigations: None

Paul Theriault | 9 May 20:57

WebAPI Security Discussion:Network Information API

(Please reply-to dev-webapps <at> lists.mozilla.org)

Name of API: Network Information API Sec
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=677166
https://wiki.mozilla.org/WebAPI/NetworkAPI

Brief purpose of API:
General Use Cases:
Read current bandwidth estimate or ask if connection is metered

Listen for connection change events

Inherent threats: Privacy (de-anonymize users based on connection change 
events?)

Threat severity: Low

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Read current bandwidth estimate or 
ask if connection is metered
Authorization model for normal content: Read current bandwidth estimate 
or ask if connection is metered
Authorization model for installed content:
Potential mitigations: Maybe fuzz the exact time of the network change 
event in a similar manner to idle API.

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: As above
Use cases for trusted code:
Potential mitigations:

Lucas Adamski | 9 May 20:31

WebAPI Security Discussion: Web Bluetooth API

Please reply-to dev-webapps <at> lists.mozilla.org

Name of API: Web Bluetooth API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=674737
https://wiki.mozilla.org/WebAPI/WebBluetooth

Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with
Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices,
bonding, and socket initialization for audio and communication.

General Use Cases:

Inherent threats: Privacy, access to sensitive user devices, de-anonymization based on bluetooth state

Threat severity: high

== Regular web content (unauthenticated) ==
Use cases: None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations: 

== Trusted (authenticated by publisher) ==
Use cases: None
Authorization model: None
Potential mitigations: 

== Certified (vouched for by trusted 3rd party) ==
Use cases:
Read bluetooth adapter state

Lucas Adamski | 9 May 20:17

WebAPI Security Discussion: Keyboard API

Please reply-to dev-webapps <at> lists.mozilla.org

Name of API: Keyboard API
Reference:
See: https://groups.google.com/d/topic/mozilla.dev.webapi/Vs3-HGv9NNw/discussion

Brief purpose of API: Allow virtual keyboard to be implemented as a Web App
General Use Cases: 
*Replace the installed keyboard with a different one
*Choose what keyboard is shown (numeric, alphanumeric, symbols, first letter capitalized etc)

Inherent threats: Access to user keystrokes (steal passwords, bank account details, etc), send trusted
key events
Threat severity: high

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Request which keyboard [type?] is displayed
Authorization model for uninstalled web content: implicit for focused top-level content
Authorization model for installed web content: implicit
Potential mitigations: Request keyboard [type] only.

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Implement new keyboard.
Authorization model: Implicit
Potential mitigations: 

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Implement new keyboard
Authorization model: Implicit
Potential mitigations: None

Paul Theriault | 9 May 01:59

WebAPI Security Discussion:Background API

(Please reply-to dev-webapps <at> lists.mozilla.org)

Name of API: Background API
Reference: 
http://groups.google.com/group/mozilla.dev.webapi/browse_thread/thread/3455cb056e40d095

Related:

Brief purpose of API: Provide for applications to request to remain and 
run in the background.  It is not intended for pure background services.

General Use Cases: Use cases: Navigation app continuing to run and
provide driving prompts from the background.

Inherent threats: Resource utilization

Threat severity: Low by itself.  Could raise the security concerns of 
other APIs.

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Streaming radio station wants to
continue to play in the background.
Authorization model for normal content: Implicit
Authorization model for installed content: Implicit
Potential mitigations:

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Implicit
Use cases for trusted code: Implicit
Potential mitigations:

Lucas Adamski | 9 May 01:47

WebAPI Security Discussion: Permission API

Please reply-to dev-webapps <at> lists.mozilla.org

Name of API: Permission API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625

Brief purpose of API: Allow an app to manage app permissions in a centralized location
General Use Cases: None

Inherent threats: Change security and privacy permissions, potentially leading to device compromise

Threat severity: Critical

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations: 

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: None
Use cases for trusted code: None
Potential mitigations:

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Centralized permissions management app; modify per-app settings
Authorization model: Implicit
Potential mitigations: None

Note: We are not exposing permission settings to non-certified apps. Apps cannot determine their current
settings without actually requesting a permission.