Identity/Security/2012-07-10 Cert Chaining
Discovery: 2012-07-02, 11:00 US Pacific Time
Fix Deployed: 2012-07-02, 17:00 US Pacific Time
Discovered By: Internal Mozilla
Users/Sites Affected: none, to the best of our knowledge
Overview
The Persona Verifier (https://browserid.org/verify) did not properly check certificate chains, allowing a user to extend his certificate chain and become a different user.
Details
When presenting a login assertion to a web site, Persona provides:
- a certificate that binds a public-key to an email address
- an assertion, signed by secret-key counterpart to the public-key defined in the previous step, of login to a particular origin at a particular time.
In preparation for future applications, the Persona verifier included the ability to verify chained certificates, much like X.509 SSL certificates: the root certificate signs a public key, its secret key counterpart signs another certificate for another public key, and so on until the assertion.
The verifier code for Persona correctly checked proper signatures and expiration dates down the chain of certificates, but *only* checked the identity on the last certificate, ignoring email-address bindings on prior certificates. This meant that a user, equipped with a proper certificate for their email address, could use their secret key to extend their chain and bind a new email address at the tip of this new chain, thereby becoming someone else.
Action
Upon discovery, we immediately prepared a patch that turns off all certificate chaining support in the verifier, since so far there are no legitimate uses of this feature. We tested and deployed this patch as quickly as we reasonably could. Within 6 hours of discovery, we had patched all production systems. A second verifier library (PyBrowserID) was affected in the same way, as its logic was copied from that of our main verifier. We patched this library and redeployed under-development systems the next day. No production systems were affected by this sub-issue.
Later that day, we emailed the list with an innocuous message attempting to make contact with anyone else who might have written their own verifier based on our flawed logic. We found no other implementations (which was reassuring, as we had advised people not to implement their own verifier yet.)
On Thursday, July 5th, we merged the fix back into the main codebase, with a still innocuous commit message.
As of today, Tuesday, July 10th, we are confident that no other production systems are affected by this issue.
Root Cause and Remediation
The Persona verification process, in presence of chained certificates, was under-specified. We are working now to improve this specification:
https://github.com/mozilla/id-specs/blob/dev/browserid/index.md#chained-certificates
We are specifically working to ensure that certificate chaining cannot occur without expicit buy-in from the certifier. More generally, cryptographic features should always be disabled until they are actively in use, well understood and tested.