Hi,
I have no idea where to report this, but I have a feeling that
dev-planning is where I can point out that the current e-mail request
sent by mozilla.org for LDAP password change leaves room for
improvement, so that the improvement can be planned for future e-mails.
Here is what happened:
I have received an e-mail that requests an LDAP password change from
mozilla.org, if I were to believe that it comes from mozilla.org by
looking at the From: line.
If it is genuine, the mail is not worded very clearly
to avoid misunderstanding. Many people may take it as phishing e-mail.
(Possibly that is why I can't find the first notice?)
The following e-mail, quoted below, came in today and requested me to
change my password in the mozilla LDAP database. Initially, I had no idea
whether this request e-mail was genuine or not. Why?
Issue 1:
It would be great if mozilla.org had an easy-to-access web page on its
website, in its own .mozilla.org domain, to make sure that the recipient
can check the authenticity of the e-mail: that mozilla.org does send out
such e-mails periodically to request the change of password, with such a
wording, etc.
A single web page would at least assure such requests do come in.
As it stands, it is no different from phishing e-mail from bad guys to
log in to my banking account, etc. to change the password immediately
due to breach incident, etc.
(Also, I don't think I received the first request in the last few weeks?
Maybe I overlooked it somehow. Or it could have gone into spam folder?)
Issue 2:
If every URL involved in the process or in the accompanying text is
within .mozilla.org, the recipient has more assurance that the e-mail is
genuine.
What compounded my uncertainty is this: naturally I wanted to check the
"further instruction" in the mentioned URL
https://mana.mozilla.org/wiki/display/SD/LDAP+Password+Reset+Instructions.
But when I accessed it, although it is supposed to be a wiki page for
MERE BROWSING of the instructions, it requested me to log in using
the said mozilla LDAP account (!) via an EXTERNAL authentication site.
If this is a phishing attempt, a perfect method to obtain the password
of an account holder.
The authentication URL is
https://mozilla.okta.com/login/login.htm?fromURI=%2Fapp%2Fmozillacorp_mana_1%2Fexk17bvb7gwCMzi161d8%2Fsso%2Fsaml%3FSAMLRequest%3DhZJbSwMxEIX%252FypL3NhvdbpfQFuouhUIVqZcHX0qMow3NzUy2Xn692S2V6oM%252BBU7mMOc7zASF0Z7P27i1a3htAWP2brRF3n9MSRssdwIVcisMII%252BS38wvV%252FxsmHMfXHTSaXJi%252BdshECFE5SzJls2UbOr8gtWL82JclixvRmNWVsVFvSiKipVNUVcku4eAaX5Kkj2ZEFtYWozCxiTlrBzkxSCvbtmIn1U8Lx5I1iQGZUXsXdsYPXJKjftUWouh20UxlM5Q4f1RlC74jRFWbBiF9x0bP%252B4fxy9v9eWnYiV7qiiiox0byWpnEbrVf0HKwxCXbQjpHSjjtZIqkmzhgoS%252B6yl5FhqhI7pOpag9fCvzY0fdstZAuIGwVxLu1qsTnhR3%252BA0VXqgBrZ2l3mFcA%252FouAplNutS8Ly3Mflsm9PR3cjiEq0SzbK5dCvzRxTXiH9hOUU%252BD536UxyAsqgSdMFKetzqAiAkthhYInR1W%252Fjy32Rc%253D%26RelayState%3Dhttps%253A%252F%252Fmana.mozilla.org%252Fwiki%252Fdisplay%252FSD%252FLDAP%252BPassword%252BReset%252BInstructions%26SigAlg%3Dhttp%253A%252F%252Fwww.w3.org%252F2000%252F09%252Fxmldsig%2523rsa-sha1%26Signature%3Dd7OenOqyYW7ymUhf2mMArzLMSGdKwmXew4pQVXwh80ZDoekQxBG5soNEP94ZdML358zJj9zdXCcPuINI%252BRQcaoNPriTyXmjdxPVsHK5OgnIuUCXajUwI%252F0lNBytcYs4Sttd67dxsgvtVXFHnZTZme1s%252B8MQnN2meAE72otBrupgIl2smnOot5vLDLMWb7%252F0ZSBhDcU3j9o7TpskGIODsLw%252F%252B8zS1y0GKSNNdTu7%252Ft0u0feJe%252FsVePRHIx8OUMdl0FdzfK5LptiZ1lMH5Tol5QZcy3wJAQsIqUkPdzUDHHp%252FjWHrbGcZ2AJCHyIrPR0OwUcCiZ%252B1bdVzg6pm8DzBguA%253D%253D
(OK, some of you working on a single sign-on type of application will
immediately notice the okta.com name and think that this is a non-issue.
But communication-wise, the current scheme sucks.)
The easy-to-reach web page which I mentioned in Issue 1 should state
very clearly that this okta.com site is used for mozilla login to access
(WHAT?) a simple instruction to change our LDAP passwords.
I wonder, though: if https://passwordreset.mozilla.org/ can do the
password resetting, why can't a similar site INSIDE mozilla's domain
let us log into the wiki page (?).
It is a little difficult to fathom the logic of the workflow, especially
the requirement to log in before one can read the change procedure.
Maybe okta.com usage and such is widely shared knowledge WITHIN core
mozilla employees, but for volunteer patch submitters, it is not. Well,
at least this volunteer does not know it. Thus the announcement web page
discussed in Issue 1 above.
Anyway, unless a permanent web page that can be accessed without needing
to log in explains clearly the flow of LDAP password change in a few
sentences and that we need to access certain EXTERNAL authentication
service to read the instruction (!?), a receiver of the request is not
quite sure whether he/she should follow this almost phishing-like e-mail.
The web page discussed in Issue-1 should mention the name of the
external service and URL clearly.
Such additional information that allows one to cross-check the
authenticity goes a long way toward trusting such an e-mail request from
mozilla.org.
WELL, if the following is NOT a genuine request from mozilla.org, I bet
someone is trying to collect the passwords of mozilla account holders :-)
(Just kidding, but are you sure?)
Of course, I checked that okta.com seems to have been in business since
2010, but I have never met anyone who uses this service myself. Most of
the cloud services I use engage other authentication services, AND MORE
TO THE POINT, such services EXPLAIN THE USE OF AN EXTERNAL AUTHENTICATION
GATEWAY IN ADVANCE and in publicly accessible web pages (!).
BTW, I noticed that the first URL, as far as my careful checking goes,
DOES come from the mozilla.org domain, and so I should be OK (?).
In any case, requiring a login to access the instructions to change a
password is a bad design IMHO.
I hope this comment can help someone re-word the e-mail text and let
someone provide a single web page for paranoid account holders like me
to cross-check the authenticity of the request e-mail to a better degree.
TIA and thank you for offering the great software products and
infrastructure to work together.
PS: the use of PGP mail text with the PGP public key on a prominent web
page inside the mozilla.org domain might also add to the trust.
------- Forwarded Message --------
Subject: Second notice: LDAP password expiring.
Date: Fri, 8 Apr 2016 09:30:17 +0000 (UTC)
From: no-r...@mozilla.org
To: ishi...@yk.rim.or.jp
Hi,
Please change your LDAP password as soon as possible. The password
change form is available at
https://passwordreset.mozilla.org/.
Further instructions on changing your password are at
https://mana.mozilla.org/wiki/display/SD/LDAP+Password+Reset+Instructions. Please remember
to log out of all your current applications before you reset your
password. Your current password is set to expire on Thu Apr 14 19:00:00 2016, in 6 days.
Please note that you will be locked out of LDAP based services if you
do not change your password before this period.
Thank you,
Mozilla SysAdmins
p.s: This add-on can help you with changing all of your ldap passwords in
Firefox -
https://addons.mozilla.org/en-US/firefox/addon/9652/
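The two cross-checks the post describes, that every link in the notice lands inside .mozilla.org and that the Okta login URL sends the user back to mana.mozilla.org after authentication, worked through as an added example in Python. This is not code from the original thread, from Mozilla or from Okta. The notice body and the Okta URL are the ones quoted above; the trusted-suffix list, the function names (host_is_trusted, classify_links, unpack_sso_redirect) and the best-effort inflation of the SAMLRequest blob (base64 over raw DEFLATE, as in the SAML HTTP-Redirect binding) are this example's own assumptions.

```python
"""Cross-check a password-change notice: link hosts and the SSO redirect."""
import base64
import re
import zlib
from urllib.parse import parse_qs, urlsplit

# Sample input, constructed from the forwarded notice quoted in the post.
NOTICE_BODY = """\
Please change your LDAP password as soon as possible. The password
change form is available at https://passwordreset.mozilla.org/.
Further instructions on changing your password are at
https://mana.mozilla.org/wiki/display/SD/LDAP+Password+Reset+Instructions. Please remember
to log out of all your current applications before you reset your password.
p.s: This add-on can help you with changing all of your ldap passwords in
Firefox - https://addons.mozilla.org/en-US/firefox/addon/9652/
"""

# The Okta login URL the poster was redirected to, copied from the post and
# split at its query-parameter boundaries for readability.
OKTA_LOGIN_URL = (
    "https://mozilla.okta.com/login/login.htm?fromURI=%2Fapp%2Fmozillacorp_mana_1"
    "%2Fexk17bvb7gwCMzi161d8%2Fsso%2Fsaml%3FSAMLRequest%3D"
    "hZJbSwMxEIX%252FypL3NhvdbpfQFuouhUIVqZcHX0qMow3NzUy2Xn692S2V6oM%252BBU7mMOc7zASF0Z7P27i1a3htAWP2brRF3n9MSRssdwIVcisMII%252BS38wvV%252FxsmHMfXHTSaXJi%252BdshECFE5SzJls2UbOr8gtWL82JclixvRmNWVsVFvSiKipVNUVcku4eAaX5Kkj2ZEFtYWozCxiTlrBzkxSCvbtmIn1U8Lx5I1iQGZUXsXdsYPXJKjftUWouh20UxlM5Q4f1RlC74jRFWbBiF9x0bP%252B4fxy9v9eWnYiV7qiiiox0byWpnEbrVf0HKwxCXbQjpHSjjtZIqkmzhgoS%252B6yl5FhqhI7pOpag9fCvzY0fdstZAuIGwVxLu1qsTnhR3%252BA0VXqgBrZ2l3mFcA%252FouAplNutS8Ly3Mflsm9PR3cjiEq0SzbK5dCvzRxTXiH9hOUU%252BD536UxyAsqgSdMFKetzqAiAkthhYInR1W%252Fjy32Rc%253D"
    "%26RelayState%3Dhttps%253A%252F%252Fmana.mozilla.org%252Fwiki%252Fdisplay%252FSD%252FLDAP%252BPassword%252BReset%252BInstructions"
    "%26SigAlg%3Dhttp%253A%252F%252Fwww.w3.org%252F2000%252F09%252Fxmldsig%2523rsa-sha1"
    "%26Signature%3Dd7OenOqyYW7ymUhf2mMArzLMSGdKwmXew4pQVXwh80ZDoekQxBG5soNEP94ZdML358zJj9zdXCcPuINI%252BRQcaoNPriTyXmjdxPVsHK5OgnIuUCXajUwI%252F0lNBytcYs4Sttd67dxsgvtVXFHnZTZme1s%252B8MQnN2meAE72otBrupgIl2smnOot5vLDLMWb7%252F0ZSBhDcU3j9o7TpskGIODsLw%252F%252B8zS1y0GKSNNdTu7%252Ft0u0feJe%252FsVePRHIx8OUMdl0FdzfK5LptiZ1lMH5Tol5QZcy3wJAQsIqUkPdzUDHHp%252FjWHrbGcZ2AJCHyIrPR0OwUcCiZ%252B1bdVzg6pm8DzBguA%253D%253D"
)

# Assumption: the only domain suffix the recipient is willing to trust.
TRUSTED_SUFFIXES = ("mozilla.org",)

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True if host equals a trusted suffix or is a subdomain of one.

    This is a label-boundary suffix match, not a substring search, so a
    look-alike such as 'mozilla.org.evil.example' does not pass.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_links(text, suffixes=TRUSTED_SUFFIXES):
    """Map every URL found in text to whether its host is inside the trusted suffixes."""
    verdicts = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # drop sentence punctuation glued to the link
        verdicts[url] = host_is_trusted(urlsplit(url).hostname, suffixes)
    return verdicts


def unpack_sso_redirect(login_url, suffixes=TRUSTED_SUFFIXES):
    """Peel the Okta login URL one encoding layer at a time.

    fromURI is a URL-encoded path on the identity provider that carries the
    SAML query (HTTP-Redirect binding). Inside it, RelayState is where the
    user lands after login and SAMLRequest is base64 over raw DEFLATE.
    """
    login = urlsplit(login_url)
    from_uri = parse_qs(login.query)["fromURI"][0]  # first decoding layer
    idp = urlsplit(from_uri)
    saml = parse_qs(idp.query)                       # second decoding layer
    relay_state = saml.get("RelayState", [None])[0]
    relay_trusted = host_is_trusted(urlsplit(relay_state).hostname, suffixes) if relay_state else False
    info = {
        "login_host": login.hostname,
        "login_host_trusted": host_is_trusted(login.hostname, suffixes),
        "idp_app_path": idp.path,
        "relay_state": relay_state,
        "relay_state_trusted": relay_trusted,
        "sig_alg": saml.get("SigAlg", [None])[0],
        "authn_request_xml": None,  # filled in only if the blob inflates cleanly
    }
    try:
        raw = base64.b64decode(saml["SAMLRequest"][0])
        info["authn_request_xml"] = zlib.decompress(raw, -15).decode("utf-8")
    except (KeyError, ValueError, zlib.error, UnicodeDecodeError):
        pass  # a damaged or differently encoded blob is reported as None, not a crash
    return info


if __name__ == "__main__":
    for url, ok in classify_links(NOTICE_BODY).items():
        print("trusted " if ok else "OUTSIDE ", url)
    info = unpack_sso_redirect(OKTA_LOGIN_URL)
    for key in ("login_host", "login_host_trusted", "idp_app_path",
                "relay_state", "relay_state_trusted", "sig_alg"):
        print(f"{key}: {info[key]}")
    if info["authn_request_xml"]:
        print(info["authn_request_xml"][:120], "...")
```

The point the two checks make together: all three links in the notice resolve to hosts under mozilla.org, and although the login host itself (mozilla.okta.com) is outside that suffix, the RelayState embedded in the redirect points back to mana.mozilla.org, which is what a recipient would want to see before typing an LDAP password into an unfamiliar site. The SigAlg value shows the request is signed with rsa-sha1; the signature itself is not verified here, since that needs the service provider's key.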