On 5/1/12 4:07 AM, Shane Tomlinson wrote:
>
> About a month ago I sent out a message asking for opinions on placing
> the RP name and logo inside of the dialog. While some very valid
> concerns over phishing and XSS were aired, feedback was mostly
> positive.
One concern that came mind (late, I know) was the "attacker tricks you
into signing into their own account" attack, where you think you're
logged in your web-mail provider and you send a message, but actually it
goes into the attacker's outbox so they can read it later. (there's a
cooler name for this one, but I can't seem to find it right now).
> There is a limitation with respect to the logoURL. Since the BrowserID
> dialog is served up using HTTPS, RP logos must also be served using
> secure methods to avoid any mixed content errors. This means RPs must
> serve up the logo using either an "https" based URL or a data-URI.
The dialog needs to be careful about those URLs, to avoid allowing the
RP to do an injection attack against the dialog provider (
browserid.org,
or a native implementation). SVGs delivered as <img> tags don't run
scripts, right?
> A second option we have considered is to proxy all RP logos.
It looks like there are other good reasons to avoid proxying, but I'll
just note that if we did that, you should avoid the approach where the
domain that hosts the dialog also proxies raw image bytes (i.e. if
https://browserid.org/proxy?url=http://example.com/logo.png just served
anything retrieved from
http://example.com/logo.png). If the image is an
SVG, then loading that URL directly (instead of inside an <img> tag,
like if my page just redirects your browser to it) will execute any
scripts inside the SVG, giving
example.com control over
browserid.org,
which would be bad. And some browsers are known to get clever and look
inside the file for type indicators rather than honoring the server's
Content-Type, so you might wind up with a file named logo.png and served
as Content-Type: image/png but which actually contains (and executes as)
SVG.
If you really had to do that, the safest thing would be for the proxy to
render the image down into a grid of pixels, then build it back up into
a brand new PNG to be served, giving the attacker less control over the
output. Also, serve the images from a separate domain (e.g.
logo-proxy.browserid.org) that isn't used for anything else, so if it
fails, they get control over something useless.
cheers,
-Brian