Security
PyCon: Mozilla Persona
At first blush, PyCon doesn't seem like quite the right venue for a talk on Mozilla's Persona web authentication and identity system. Persona is not Python-specific at all, but given the number of web application and framework developers at the conference, it starts to become clear why Mozilla's Dan Callahan was there. Python also gave him the ability to do a live demo of adding Persona support to a Flask-based web site during the well-attended talk.
Kill the password
In a nutshell, Persona is Mozilla's attempt to "kill the password", Callahan said to applause. It is a simple, open system that is federated and works cross-browser. Beyond that set of buzzwords, though, the idea for Persona is that it "works everywhere for everyone".
![[Dan Callahan]](https://static.lwn.net/images/2013/pycon-callahan-sm.jpg)
For an example of using Persona, Callahan visited ting.com—a mobile phone service site from Tucows—that has a login page supporting Persona. Clicking the "Sign in with Persona" button popped up a window with two of his email addresses and a sign-in button. Since he had already used the site before, to log in he just needed to choose one of his email addresses (if he is using a different address from the last time he visited the site) and click "Sign in". It's "dead simple", he said.
Persona ties identities to email addresses. That has several advantages, he said. Everyone already has an email address and sites often already track them. For many web sites, adding Persona support requires no change to the database schema. That also helps prevent lock-in, as sites that decide not to continue with Persona are not stuck with it.
Some in the audience might be saying "I can already log in with two clicks" using a password manager, Callahan said. That's true, but Persona is not managing passwords. There is no shared secret between the site and the user.
That means a database breach at the site would not disclose any information that would be useful for an attacker to authenticate to the service as the user. While site owners will need to alert their users to a breach, they won't have to ask them to change passwords. Better still, they won't have to recommend that the users change their identical passwords at other sites.
If there are no shared secrets, many of the existing account registration questions can simply be skipped. The Persona sign-in process provides an email address, so there is no reason to prompt for that (twice in many cases), nor for a password (twice almost always). For example, with sloblog.io and an existing Persona, he can set up a blog with two clicks.
To prove a point, he was doing his demos from the Opera web browser. Persona works the same in all major browsers (Firefox, Chrome, Safari, IE). It uses existing technology and standards and "works everywhere the web works", he said.
The story behind Persona comes right out of the Mozilla Manifesto,
Callahan said. That manifesto was "written at the height of the browser
wars" and lists ten points that are "crucial to the open web". Principle #2,
"The Internet is a global public resource that must remain open and
accessible
", is particularly threatened today, while principle #5,
"Individuals must have the ability to shape their own experiences on
the Internet
" speaks directly to the Persona ideal. Nothing is more
important to shape one's internet experience than is the choice of
identity, he said.
"Single" sign-on
There has been a movement toward single sign-on (SSO) in recent years, but "single" is a misnomer at this point. Many sites allow people to sign in with their Facebook or Twitter (or Google or Yahoo or MSN or ...) account. His slide had an example login with a bunch of login icons for those services, ending with a "Good luck with OpenID" button.
The problem with that approach is that it is like Tribbles (with a requisite Kirk and Tribbles slide); there are more and more of these service-based login mechanisms appearing. How does a site pick the right one (or, more likely, ones)? How does a user remember which of the choices they used so they can use it on a subsequent visit?
He gave another example: the 500px login screen. It splits the screen in half, into two sets of choices, either logging in via a social network (Facebook, Twitter, or Klout) on one side, or with a username and password on the other. If a user wants to use a Google or Microsoft login, they are out of luck. They must create a username and trust that 500px will do the right thing with their password. He was also amused to note that he hadn't heard of Klout, so he visited to see what it was and Klout wanted him to log in using either Facebook or Twitter.
There are also some implications of using the login network of certain services. Google and Facebook have real-name policies that can sometimes lead to account suspension when a violation is suspected. That suspension then trickles out to any other services that use those login mechanisms. Facebook policies disallow multiple accounts (e.g. personal and business) as well. Basically, services using Facebook logins are outsourcing their account policies to Facebook.
It is worth a lot of money for the social networks to get their buttons onto sites, Callahan said. So "any solution has to come from someone outside who is not trying to make a buck off every login". Since Mozilla is on the outside, it is well positioned to help solve the problem.
The earlier Persona demonstrations were for email addresses that had already been set up, but Callahan also wanted to show what happens for users who are not yet signed up. In that case, the user must type in an email address in the Persona pop-up. Persona checks with the email provider to see if it supports Persona, if so the email provider authenticates the user via its normal mechanisms (e.g. web-based login) that the user has seen plenty of times before. If the user successfully authenticates, the email provider indicates that to the site.
Using Persona team members as props, Callahan showed the process. The user claims a particular email address and the site contacts the email provider for verification. The email provider asks the user to authenticate (using a password, two-factor authentication, facial recognition, ...) and if that is successful, the provider signs the email address and hands it back to the site (along with some anti-replay-attack data). The site then verifies the signature, at which point it knows that the user has that email identity.
Implementing Persona
As can be seen, the description of the protocol and cryptography used was rather high-level. Callahan's clear intent was to try to convince web application and framework programmers to get on board with Persona. There is more information about the underlying details at developer.mozilla.org/persona, he said.
For the moment, few email providers support Persona, so as an "optional temporary" measure, sites can ask Mozilla to vouch for the email address. For example, Gmail does not support Persona (yet), but Mozilla can vouch for Gmail users by way of a challenge email. Authenticating the email address to Mozilla need only be done once. But that puts Mozilla in the middle of each initial authentication right now; eventually the user's email providers will be serving that role.
The documentation lists four things that a site owner needs to do to use Persona. There is a JavaScript library to include in the login page, the login/logout buttons need "onClick" attributes added, and the library needs to be configured. The final piece of the puzzle is to add verification of the identity assertions (signed email addresses from the email provider or Mozilla). That verification needs to be done in the server-side code.
In the future, the hope is that browsers will natively support Persona, but for now the JavaScript is needed. On the client side, it is 30 or so lines of JavaScript called from the login and logout paths. The server side is a little more complicated, as assertions are cryptographically signed, but that verification can be handed off to a service that Mozilla runs. The back end just posts some JSON to the Mozilla service and reads its response. Those changes take less than 40 lines to implement.
Using the code directly from his slides, Callahan changed both client and server sides of a demo application. That added the "great user experience" of Persona logins. It also showed an "amazing developer experience" in how easy it is to add Persona. Once the demo was done, and the applause died down, Callahan said "I am so glad that worked" with a relieved grin.
Callahan had three tips for site developers adding Persona support. The first was to make a library specific to the framework being used that can be reused in multiple applications. Second, his example used the Mozilla verifier, but that is not a good long-term solution for privacy reasons. But, he cautioned, make sure to use the Python "requests" library when doing verification as the standard library does not check SSL certificates properly. Lastly, he wanted to make it clear that using Persona did not mean that a site had to get rid of the other login buttons, "just that maybe you should", he said. Persona can peacefully coexist with these other login mechanisms.
In conclusion, Callahan said he had a request: "spend one hour with Persona this week". You could add it to your site in an hour, he said, but if not, just try it out on some site. Persona is still in beta, so it is "able to be shaped by your feedback". Also, he requested, please ask one site that you use to support Persona, "that's how we are going to change the future of the web". Persona will allow everyone—not just the few who understand OpenID or password managers—to have a safer, more secure web.
[ In keeping with Callahan's request, we will be looking into Persona support for LWN. ]
Brief items
Security quote of the week
New vulnerabilities
apt: altered package installation
| Package(s): | apt | CVE #(s): | CVE-2013-1051 | ||||
| Created: | March 15, 2013 | Updated: | March 20, 2013 | ||||
| Description: | From the Ubuntu advisory: Ansgar Burchardt discovered that APT incorrectly handled repositories that use InRelease files. The default Ubuntu repositories do not use InRelease files, so this issue only affected third-party repositories. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. | ||||||
| Alerts: |
| ||||||
bugzilla: cross-site scripting
| Package(s): | bugzilla | CVE #(s): | CVE-2013-0785 CVE-2013-0786 | ||||||||||||||||
| Created: | March 18, 2013 | Updated: | March 20, 2013 | ||||||||||||||||
| Description: | From the Bugzilla advisory:
* When viewing a bug report, a bug ID containing random code is not correctly sanitized in the HTML page if the specified page format is invalid. This can lead to XSS. * When running a query in debug mode, it is possible to determine if a given confidential field value (such as a product name) exists. Bugzilla 4.1 and newer are not affected by this issue. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
chromium: multiple vulnerabilities
| Package(s): | chromium | CVE #(s): | CVE-2013-0879 CVE-2013-0880 CVE-2013-0881 CVE-2013-0882 CVE-2013-0883 CVE-2013-0884 CVE-2013-0885 CVE-2013-0886 CVE-2013-0887 CVE-2013-0888 CVE-2013-0889 CVE-2013-0890 CVE-2013-0891 CVE-2013-0892 CVE-2013-0893 CVE-2013-0894 CVE-2013-0895 CVE-2013-0896 CVE-2013-0897 CVE-2013-0898 CVE-2013-0899 CVE-2013-0900 | ||||||||||||||||||||||||||||||||||||
| Created: | March 14, 2013 | Updated: | October 28, 2013 | ||||||||||||||||||||||||||||||||||||
| Description: | From the openSUSE advisory: Chromium was updated to version 27.0.1425 having both stability and security fixes:
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
clamav: unspecified vulnerabilities
| Package(s): | clamav | CVE #(s): | |||||||||||||||||||||||||||||||||
| Created: | March 20, 2013 | Updated: | April 15, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: ClamAV 0.97.7 addresses several reported potential security bugs. Thanks to Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for finding and reporting these issues. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
firebird: multiple vulnerabilities
| Package(s): | firebird | CVE #(s): | CVE-2013-2492 CVE-2012-5529 | ||||||||||||||||||||||||||||||||
| Created: | March 18, 2013 | Updated: | December 30, 2015 | ||||||||||||||||||||||||||||||||
| Description: | From the CVE entries:
Stack-based buffer overflow in Firebird 2.1.3 through 2.1.5 before 18514, and 2.5.1 through 2.5.3 before 26623, on Windows allows remote attackers to execute arbitrary code via a crafted packet to TCP port 3050, related to a missing size check during extraction of a group number from CNCT information. (CVE-2013-2492) TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled, allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by preparing an empty dynamic SQL query. (CVE-2012-5529) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
glance: information disclosure
| Package(s): | glance | CVE #(s): | CVE-2013-1840 | ||||||||
| Created: | March 15, 2013 | Updated: | April 5, 2013 | ||||||||
| Description: | From the Ubuntu advisory: Stuart McLaren discovered an issue with Glance v1 API requests. An authenticated attacker could exploit this to expose the Glance operator's Swift and/or S3 credentials via the response headers when requesting a cached image. | ||||||||||
| Alerts: |
| ||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2013-0913 CVE-2013-0914 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 18, 2013 | Updated: | July 18, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla [1, 2]:
[1] Linux kernel built with Direct Rendering Manager(DRM) i915 driver for the the Direct Rendering Infrastructure(DRI) introduced by XFree86 4.0, is vulnerable to a heap overflow flaw. An user/program with access to the DRM driver could use this flaw to crash the kernel, resulting in DoS or possibly escalate privileges. [2] Linux kernel is vulnerable to an information leakage flaw. This occurs when a process calls routine - sigaction() - to access - sa_restorer - parameter. This parameter points to an address that belongs to its parent process' address space. A user could use this flaw to infer address layout of a process. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2013-1860 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 20, 2013 | Updated: | March 22, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
Linux kernel built with USB CDC WDM driver is vulnerable to heap buffer overflow flaw. An unprivileged local user could use this flaw to crash the kernel or, potentially, elevate their privileges. Please note that a physical access to the system or plugging in random USB device is needed in order to exploit this bug. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
krb5: denial of service
| Package(s): | krb5 | CVE #(s): | CVE-2012-1016 | ||||||||||||||||||||||||||||||||
| Created: | March 18, 2013 | Updated: | March 20, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the CVE entry:
The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
libvirt-bin: unintended write access
| Package(s): | libvirt-bin | CVE #(s): | CVE-2013-1766 | ||||||||
| Created: | March 18, 2013 | Updated: | March 20, 2013 | ||||||||
| Description: | From the Debian advisory:
Bastian Blank discovered that libvirtd, a daemon for management of virtual machines, network and storage, would change ownership of devices files so they would be owned by user `libvirt-qemu` and group `kvm`, which is a general purpose group not specific to libvirt, allowing unintended write access to those devices and files for the kvm group members. | ||||||||||
| Alerts: |
| ||||||||||
lighttpd: symlink attack
| Package(s): | lighttpd | CVE #(s): | CVE-2013-1427 | ||||
| Created: | March 18, 2013 | Updated: | March 20, 2013 | ||||
| Description: | From the Debian advisory:
Stefan Bühler discovered that the Debian specific configuration file for lighttpd webserver FastCGI PHP support used a fixed socket name in the world-writable /tmp directory. A symlink attack or a race condition could be exploited by a malicious user on the same machine to take over the PHP control socket and for example force the webserver to use a different PHP version. | ||||||
| Alerts: |
| ||||||
pam-xdg-support: privilege escalation
| Package(s): | pam-xdg-support | CVE #(s): | CVE-2013-1052 | ||||
| Created: | March 18, 2013 | Updated: | March 20, 2013 | ||||
| Description: | From the Ubuntu advisory:
Zbigniew Tenerowicz and Sebastian Krzyszkowiak discovered that pam-xdg-support incorrectly handled the PATH environment variable. A local attacker could use this issue in combination with sudo to possibly escalate privileges. | ||||||
| Alerts: |
| ||||||
poppler: multiple vulnerabilities
| Package(s): | poppler | CVE #(s): | CVE-2013-1788 CVE-2013-1790 | ||||||||||||||||||||||||||||||||
| Created: | March 14, 2013 | Updated: | July 16, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat bugzilla: CVE-2013-1788: A number of invalid memory access flaws were reported in poppler (fixed in version 0.22.1):
CVE-2013-1790: An uninitialized memory read flaw was reported in poppler (fixed in version 0.22.1): Initialize refLine totally Fixes uninitialized memory read in 1004.pdf.asan.7.3 | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
sssd: privilege violation
| Package(s): | sssd | CVE #(s): | CVE-2013-0287 | ||||||||||||||||||||||||
| Created: | March 20, 2013 | Updated: | April 1, 2013 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
When SSSD was configured as a Microsoft Active Directory client by using the new Active Directory provider (introduced in RHSA-2013:0508), the Simple Access Provider ("access_provider = simple" in "/etc/sssd/sssd.conf") did not handle access control correctly. If any groups were specified with the "simple_deny_groups" option (in sssd.conf), all users were permitted access. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
stunnel: code execution
| Package(s): | stunnel | CVE #(s): | CVE-2013-1762 | ||||||||||||||||||||||||||||||||||||
| Created: | March 18, 2013 | Updated: | August 7, 2013 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Mageia advisory:
stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
telepathy-gabble: denial of service
| Package(s): | telepathy-gabble | CVE #(s): | CVE-2013-1769 | ||||||||||||||||||||
| Created: | March 14, 2013 | Updated: | March 22, 2013 | ||||||||||||||||||||
| Description: | From the Red Hat bugzilla: So we have a remotely-triggered DoS: send Gabble a <presence> with a caps hash; include a form with an anonymous fixed field in the reply; boom. Since anyone can send presence to anyone else, and Gabble always looks up any caps it sees in any presences it receives. (Note that this is a presence leak, too; another bug, I think.) | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
typo3-src: multiple vulnerabilities
| Package(s): | typo3-src | CVE #(s): | CVE-2013-1842 CVE-2013-1843 | ||||||||
| Created: | March 18, 2013 | Updated: | March 21, 2013 | ||||||||
| Description: | From the Debian advisory:
CVE-2013-1842: Helmut Hummel and Markus Opahle discovered that the Extbase database layer was not correctly sanitizing user input when using the Query object model. This can lead to SQL injection by a malicious user inputing crafted relation values. CVE-2013-1843: Missing user input validation in the access tracking mechanism could lead to arbitrary URL redirection. See the upstream advisory for additional information. | ||||||||||
| Alerts: |
| ||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2013-2478 CVE-2013-2480 CVE-2013-2481 CVE-2013-2483 CVE-2013-2484 CVE-2013-2488 | ||||||||||||||||||||
| Created: | March 15, 2013 | Updated: | March 20, 2013 | ||||||||||||||||||||
| Description: | From the Mageia advisory:
| ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2013-2475 CVE-2013-2476 CVE-2013-2477 CVE-2013-2479 CVE-2013-2482 CVE-2013-2485 CVE-2013-2486 CVE-2013-2487 | ||||||||||||||||||||||||||||||||
| Created: | March 20, 2013 | Updated: | June 11, 2013 | ||||||||||||||||||||||||||||||||
| Description: | From the CVE entries:
The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. (CVE-2013-2475) The dissect_hartip function in epan/dissectors/packet-hartip.c in the HART/IP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a packet with a header that is too short. (CVE-2013-2476) The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. (CVE-2013-2477) The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mpls-echo.c in the MPLS Echo dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via invalid Sub-tlv data. (CVE-2013-2479) The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. (CVE-2013-2482) The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. (CVE-2013-2485) The dissect_diagnosticrequest function in epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet. (CVE-2013-2486) epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486. (CVE-2013-2487) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
zoneminder: multiple vulnerabilities
| Package(s): | zoneminder | CVE #(s): | CVE-2013-0232 CVE-2013-0332 | ||||||||
| Created: | March 15, 2013 | Updated: | April 3, 2013 | ||||||||
| Description: | From the Debian advisory: Multiple vulnerabilities were discovered in zoneminder, a Linux video camera security and surveillance solution. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-0232: Brendan Coles discovered that zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user. CVE-2013-0332: zoneminder is prone to a local file inclusion vulnerability. Remote attackers could examine files on the system running zoneminder. | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>