Please fix insecure HTTP logins on all Fedora websites when using Kerberos login from web browsers (tested on Firefox).
Clean all cookies, login with Kerberos, then press Login button on any Fedora SSO compatible website. It will redirect to http://id.fedoraproject.org/login?ipsilon_transaction_id=XXXX instead of https://id.fedoraproject.org/login?ipsilon_transaction_id=XXXX.
ASAP.
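An added check (not code from the ticket, from Ipsilon or from Fedora infrastructure) that walks a login redirect chain one hop at a time and flags any hop the browser would fetch over plain HTTP, which is what the reproduction above observes. The sample chain is constructed to mirror the reported downgrade; its paths other than `/login?ipsilon_transaction_id=XXXX` are placeholders.

```python
"""Walk an SSO login redirect chain hop by hop and flag plain-HTTP hops."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def next_hop(current_url, status, location):
    """Resolve a Location header against the URL that returned it; None if not a redirect."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    return urljoin(current_url, location)


def insecure_hops(start_url, responses):
    """responses: (status, location) pairs in order. Returns every non-https URL visited."""
    visited = [start_url]
    url = start_url
    for status, location in responses:
        url = next_hop(url, status, location)
        if url is None:
            break
        visited.append(url)
    return [u for u in visited if urlsplit(u).scheme != "https"]


def fetch_chain(start_url, max_hops=10):
    """Live variant: one request per hop, never auto-following, so each Location is seen."""
    responses, url = [], start_url
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.netloc, timeout=10)
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        location = resp.getheader("Location")
        responses.append((resp.status, location))
        conn.close()
        url = next_hop(url, resp.status, location)
        if url is None:
            break
    return responses


# Constructed sample mirroring the report: host names are real, paths are placeholders
# except the reported /login?ipsilon_transaction_id=XXXX hop.
START = "https://example-app.fedoraproject.org/login/"
SAMPLE_CHAIN = [
    (302, "https://id.fedoraproject.org/sso/start?client=example"),
    (302, "http://id.fedoraproject.org/login?ipsilon_transaction_id=XXXX"),  # the downgrade
    (302, "/login/step2?ipsilon_transaction_id=XXXX"),  # relative: inherits the http scheme
    (200, None),
]

if __name__ == "__main__":
    for hop in insecure_hops(START, SAMPLE_CHAIN):
        print("insecure hop:", hop)
```

Run `fetch_chain(url)` against a real login URL and pass its result to `insecure_hops` to reproduce the check live.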
@puiterwijk If you could take a look at this and review it, that would be useful.
From the stand up today:
[14:02:58] <nirik> I think this is intended/fine, but I'd prefer our security officer check it.
Metadata Update from @mohanboddu: - Issue assigned to puiterwijk - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops, security
> <nirik> I think this is intended/fine
This is definitely not fine. Insecure HTTP redirects can be used for MITM attacks and credentials hijacking.
Also it doesn't work with Firefox's HTTPS only mode:
![Screenshot](https://i.imgur.com/Vvhn5yl.png)
> Clean all cookies, login with Kerberos, then press Login button on any Fedora SSO compatible website
Could you tell us which website you are seeing this with? curl https://pagure.io/login seems to redirect to https, so I think it's not any website
> Could you tell us which website you are seeing this with?
So, the reason I said this was expected is because our openid identities have always been http://username.id.fedoraproject.org. Your first guess will be that this is insecure, but it's not due to the way openid works. See: https://meetbot.fedoraproject.org/fedora-classroom/2013-02-22/fas-openid-class.2013-02-22-18.00.log.html. Basically it sends you that http:// redirect, but it also connects to id.fedoraproject.org and they exchange info, so if someone MITM's the http connection, the reply there will fail to match what the sites have negotiated and be rejected. At least this is my recollection of how it works.
In any case we can't change them now I don't think or everyone will have new identities. Also, we don't want to keep using openid anymore if we can possibly avoid it.
So, perhaps this is more fuel to move pagure over to oidc?
Perhaps @puiterwijk could chime in here and correct me...
> basically it sends you that http:// redirect, but it also connects to id.fedoraproject.org and they exchange info, so if someone MITM's the http connection, the reply there will fail to match what the sites have negotiated and be rejected. At least this is my recollection of how it works.
But a few weeks ago it worked fine in Firefox with HTTPS only feature enabled.
This is definitely not intended, and I have indeed been able to reproduce it. I am now looking at this.
Many thanks @puiterwijk
Commit 31a3e49c relates to this ticket
@xvitaly Thank you very much for your report. Could you please try to log in again?
Fixed. Thanks.
Thanks! Sorry if I sidetracked things... :(
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)