Questions about using FirefoxAccount information

Ryan Kelly rfkelly at mozilla.com
Wed Nov 13 14:18:56 PST 2013


On 14/11/2013 9:14 AM, Ryan Kelly wrote:
> On 14/11/2013 6:51 AM, JR Conlin wrote:
>> How easy would it be for an unauthorized agent to spoof being a user if
>> they have the certificate?
> 
> They would need the corresponding private key, which doesn't leave the
> client device.

I realized this is not a complete answer.

Like vanilla BrowserID, if an adversary manages to intercept an identity
assertion in-flight from client to server, they can use that captured
assertion to impersonate the user.  It's mitigated by:

  * Assertions are timestamped and expire fairly aggressively

  * Assertions are scoped to a particular audience, so this attack
    can only target the original server

The server can also:

  * Cache recently-seen assertions and reject any that have
    been seen previously

So yes, some care is needed here; the identity assertion is basically a
session cookie.


   Ryan
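The three server-side checks described in the message above (expiry, audience scoping, and a cache of recently-seen assertions) as an added worked example; this is not code from the thread or from the Firefox Accounts project. It assumes a simplified assertion format (base64 JSON payload plus signature) and uses an HMAC with a constructed key in place of the real BrowserID public-key signature, so that it runs offline; the 120-second lifetime and the audience URLs are also assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in key. A real BrowserID assertion is signed with the
# user's per-device key pair and verified against its public key; HMAC with a
# shared secret is used here only to keep the example self-contained.
SIGNING_KEY = b"constructed-example-key"
MAX_ASSERTION_AGE = 120  # seconds; an assumed "fairly aggressive" lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(user, audience, issued_at, lifetime=MAX_ASSERTION_AGE):
    """Client side: build a timestamped, audience-scoped, signed assertion."""
    payload = {"sub": user, "aud": audience, "iat": issued_at,
               "exp": issued_at + lifetime}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class AssertionVerifier:
    """Server side: signature, audience, expiry and replay checks."""

    def __init__(self, audience, clock=time.time):
        self.audience = audience
        self.clock = clock
        # digest of accepted assertion -> its expiry time, for replay detection
        self.seen = {}

    def _evict_expired(self, now):
        # Entries past their expiry can never be accepted again, so the
        # replay cache only has to remember assertions that are still live.
        for digest, exp in list(self.seen.items()):
            if exp <= now:
                del self.seen[digest]

    def verify(self, assertion):
        """Return (status, subject); subject is set only when status is 'ok'."""
        now = self.clock()
        try:
            body, sig = assertion.split(".")
            payload = json.loads(_unb64(body))
        except ValueError:
            return "malformed", None
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return "bad-signature", None
        # Audience scoping: a captured assertion is useless against another server.
        if payload.get("aud") != self.audience:
            return "wrong-audience", None
        # Aggressive expiry limits the window in which a captured assertion works.
        if now >= payload.get("exp", 0):
            return "expired", None
        # Replay cache: the same assertion is accepted at most once.
        self._evict_expired(now)
        digest = hashlib.sha256(assertion.encode()).hexdigest()
        if digest in self.seen:
            return "replayed", None
        self.seen[digest] = payload["exp"]
        return "ok", payload.get("sub")


if __name__ == "__main__":
    aud = "https://example-server.invalid"  # constructed audience
    v = AssertionVerifier(aud, clock=lambda: 1000.0)
    a = make_assertion("user@example.com", aud, issued_at=1000)
    print(v.verify(a))  # first use is accepted
    print(v.verify(a))  # second use of the same assertion is rejected as a replay
```

Because the replay cache is keyed by the assertion digest and evicted on expiry, its size is bounded by the number of assertions issued within one lifetime, which is what makes the "reject anything seen before" rule practical alongside aggressive expiry.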


