Re: [Tails-dev] Security of postMessage between Tails Verifi…

Delete this message

Reply to this message
Autore: sajolida
Data:  
To: The Tails public development discussion list, Uzair Farooq
Oggetto: Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
intrigeri:
> sajolida:
>> The work on Tails Verification (the replacement of DAVE) and the new
>> download page is almost done and it's work fine. Still, I got quite
>> scared reading about the security implications postMessage:
>
>> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
>
> Indeed.
>
>> Uzair wrote the code and u already reviewed it but I'd like to have
>> someone else telling me that this is fine and that only the extension
>> can send a "verification-success" message to the download page.
>
> I'm up to taking a good look at it; I'll probably need to ask help from more
> skilled people.
>
> But if I did this with the info I have currently, I would probably
> duplicate quite some work already done by Uzair and/or u. IMO it's the
> developers and/or reviewers' job to make such audits easy by
> documenting their reasoning, especially in highly sensitive code that
> uses features explicitly documented as dangerous. So:
>
>  - Uzair: please document your reasoning to explain why you think the
>    current code is safe;


Uzair: Ping on this. Can you explain us (we're quite profane in browser
and JavaScript security) how the security of the messaging between the
extension and the page is handled? (And of other security-sensitive
aspect of your code that might be relevant if they are not commented
enough in the code).

>  - u: please tell me how deep you have already looked into the safety
>    of this aspect of the code, and if you did, explain why you think
>    the current code is safe;

>
>  - sajolida: what timeline would be suitable for you to get an answer
>    to your question?


Firefox 57 has been released last Tuesday, and apart from this question
and a first general sanity check on security, we could do a first
release any time.

But on the other hand people don't seem to complain so much about the
lack of support for Firefox 57 until now :)