Questions about using FirefoxAccount information
Ryan Kelly
rfkelly at mozilla.com
Wed Nov 13 14:18:56 PST 2013
On 14/11/2013 9:14 AM, Ryan Kelly wrote:
> On 14/11/2013 6:51 AM, JR Conlin wrote:
>> How easy would it be for an unauthorized agent to spoof being a user if
>> they have the certificate?
>
> They would need the corresponding private key, which doesn't leave the
> client device.
I realized this is not a complete answer.
Like vanilla BrowserID, if an adversary manages to intercept an identity
assertion in-flight from client to server, they can use that captured
assertion to impersonate the user. It's mitigated by:
* Assertions are timestamped and expire fairly aggressively
* Assertions are scoped to a particular audience, so this attack
can only target the original server
The server can also:
* Cache recently-seen assertions and reject any that have
been seen previously
So yes, some care is needed here: the identity assertion is basically a
session cookie.
Ryan
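An added illustration, not code from this thread or from the Firefox Accounts project, of the three server-side mitigations Ryan lists: audience scoping, aggressive expiry, and a cache of recently seen assertions. It assumes the certificate and assertion signatures have already been verified by a separate verifier, and the claim names `aud`/`exp`, the JSON payload shape and the lifetime constants are local assumptions for the example.

```python
import hashlib
import json
import time

# Assumed server policy for this example, not protocol constants.
MAX_ASSERTION_LIFETIME = 120  # seconds a freshly issued assertion may be valid
CLOCK_SKEW = 10               # seconds of tolerated client/server clock drift


class AssertionReplayGuard:
    """Rejects captured assertions: wrong audience, expired, or seen before."""

    def __init__(self, audience):
        self.audience = audience
        self._seen = {}  # sha256(assertion) -> exp, so entries can be evicted

    def _evict(self, now):
        # An expired assertion is rejected by the expiry check anyway, so the
        # cache only has to remember an assertion for its own lifetime.
        stale = [d for d, exp in self._seen.items() if exp <= now - CLOCK_SKEW]
        for digest in stale:
            del self._seen[digest]

    def check(self, assertion, now=None):
        """Return (ok, reason) for the raw assertion string (already signature-checked)."""
        now = time.time() if now is None else now
        self._evict(now)
        try:
            # Constructed payload shape: a JSON document carrying the claims that
            # a real verifier would have extracted from the signed blob.
            claims = json.loads(assertion)
        except ValueError:
            return False, "malformed"
        if claims.get("aud") != self.audience:
            return False, "wrong-audience"   # captured for another server
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)):
            return False, "missing-expiry"
        if exp <= now - CLOCK_SKEW:
            return False, "expired"
        if exp > now + MAX_ASSERTION_LIFETIME + CLOCK_SKEW:
            return False, "lifetime-too-long"  # window longer than policy allows
        digest = hashlib.sha256(assertion.encode("utf-8")).hexdigest()
        if digest in self._seen:
            return False, "replayed"         # same assertion presented twice
        self._seen[digest] = exp
        return True, "ok"
```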