audit the Web Authentication API

As of Firefox 60, Mozilla has enabled support for the Web Authentication API by default. We should audit it or at least understand it better, or we should disable it by setting security.webauth.webauthn to false. See: ​https://bugzilla.mozilla.org/show_bug.cgi?id=1432542

added TorBrowserTeam201809 in Legacy / Trac component::applications/tor browser in Legacy / Trac ff60-esr in Legacy / Trac owner::tbb-team in Legacy / Trac priority::high in Legacy / Trac severity::normal in Legacy / Trac status::reopened in Legacy / Trac type::defect in Legacy / Trac labels

Trac:
Cc: N/A to arthuredelstein

Bumping prio.

Trac:
Priority: Medium to Immediate

Trac:
Priority: Immediate to High

Move our tickets to August.

Trac:
Keywords: TorBrowserTeam201807 deleted, TorBrowserTeam201808 added

bug_26614 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_26614&id=4f1f0b24358519d784a775189fbf02e6f53ec5e4) in my public tor-browser repo disables the API for now.

Trac:
Keywords: TorBrowserTeam201808 deleted, TorBrowserTeam201808R added

r=mcs LGTM

Cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 6417fe35), thanks!

Trac:
Status: new to closed
Resolution: N/A to fixed

Let's use this ticket for the audit as well.

Trac:
Keywords: TorBrowserTeam201808R deleted, TorBrowserTeam201808 added
Status: closed to reopened
Summary: audit or disable the Web Authentication API to audit the Web Authentication API
Resolution: fixed to N/A

Moving our tickets to September 2018

Trac:
Keywords: TorBrowserTeam201808 deleted, TorBrowserTeam201809 added

mentioned in issue legacy/trac#34193 (moved)

moved from legacy/trac#26614 (moved)

mentioned in commit 6417fe35

added Bug label and removed 1 deleted label

removed 1 deleted label

mentioned in issue fenix#40107 (moved)

mentioned in issue #40223 (closed)

Note to us: if (or when) we enable webauthn, consider Android support as described in #40223 (closed).

marked #40403 (closed) as a duplicate of this issue

marked this issue as related to #40403 (closed)

mentioned in issue #40403 (closed)

mentioned in issue tpo/tpa/team#40183 (closed)

The com.google.android.gms:play-services-fido:18.1.0 artifact required by Fenix/GeckoView to enable WebAuthn support is a proprietary library and it seems to be the only proprietary lib in Tor Browser Android.

• https://maven.google.com/web/index.html?q=com.google.android.gms#com.google.android.gms:play-services-fido:18.1.0
• https://gitlab.com/fdroid/rfp/-/issues/235#note_916697389

IMHO webauthn support is not worth making Tor Browser Android binaries proprietary. This has a number of ramifications:

• its a mystery blob tied into Google Play Services (GMS)
• it can't be shipped on f-droid.org
• it probably also shouldn't be shipped in the Guardian Project repo, but at the very least needs to be marked with an Anti-Feature.

maybe https://github.com/cotechde/hwsecurity is a replacement

Created issue: #41162

added Feature label

added Fingerprinting Icebox Task labels

marked this issue as related to #41161

mentioned in issue #41162

closed

mentioned in issue #40783 (closed)

marked this issue as related to #41162

reopened

Reopening because we should actually audit this also for desktop.

removed Feature label

removed Bug label

mentioned in issue #41537

added All Platforms label

I've thought of a possible solution, if we find nasty things currently happen: we could force Firefox to report/consider the token not already connected until the user presses a button in the browser (e.g., a notification similar to the one already exists). But I fear users could find a double check annoying and make it useless.

Also, we should check whether the authorization to look for a token is persistent, and in case modify Firefox to always ask for it, even during a session. And we should normalize the behavior for all users (reporting that a user might possibly support hardware 2FA is okay, if it's the only thing that people could observe - doing that for 12.5 is a good idea to prevent fingerprinting changes between minor releases).

However, we should audit first in any case. I expect the implementation to be already okay (at least on desktop).

mentioned in issue #41496 (closed)

mentioned in issue #42345 (closed)

Firefox 121 introduced an about:webauthn page (except for Android and Windows; see Bug 1854618).

For my YubiKey I can read some interesting lines:

Authenticator options
MakeCredential without user verification	Not supported
User verification	Not supported
User presence	True

So, I quickly checked for these meaning in the specs and found, in particular, the test of user presence. It seems it's what we absolutely want, and the good news is that it's hardcoded to required for some operations (authenticatorMakeCredential and authenticatorGetAssertion), but I don't know if it's all the supported operations.

marked this issue as related to #40223 (closed)

mentioned in issue tpo/web/manual#99 (closed)

added Apps::Type::Audit label