remote-help-assistant team mailing list archive

Protocol changes, security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey guys,

I'm now starting to make incompatible changes to the back-end code, so
I'd advise you to stick with revisions 131 and below until further notice.

I've been thinking about security and the key exchange process, and I
think there's a security issue in 0.1.  When you have shared a session
with someone, their SSH key is never checked again.  If you access
someone else's desktop, then they pretend to be someone else and ask to
access your desktop, the assistant will wave you through without
requiring you to check their key.  That's because you've trusted them to
provide access to their own desktop in the past.

To mitigate the above security problem, I suggest the following changes
in 0.2:

1. The assistant should log the start time, end time, and public key for
every session it runs

2. Page 6 ("check dates") should have three tick boxes:

I trust <username>@<host> to:
[] share this computer's screen
[] share this computer's keyboard and mouse
[] give me access to their desktop

You would not be allowed to pass page 6 until you've ticked the relevant
box for your session.

3. When you need to tick some boxes in page 6, page 5 ("identity check")
should include the following text:

Your history with <username>@<host>:
You have shared your screen <number> times
	(most recently: <date>)
You have shared your screen, keyboard and mouse <number> times
	(most recently: <date>)
You have accessed their computer <number> times
	(most recently: <date>)

4. Page 7 and the "you are currently sharing your desktop" window should
put the user's <username>@<host> somewhere prominent (like the top of
the window, or in the title bar)

The log I'm proposing in [1] would include a bit more information than
is presented in [3], so that we could be even more precise in future if
we wanted to be.

The <username>@<host> value would be whatever is presented in their
public key.  This information is already being sent in 0.1, but isn't
used for anything at the minute.

The changes seem large enough, and the threat small enough, that I'm
prepared to put this in 0.2 and not backport the fix into 0.1.  What do
you think?

	- Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ0xyUGRQTxegE/G4RAtuwAJ9KVU/mGv8l51PG2qv3odclFUmIUwCdGTcP
doDWodQonJeNRFPVECnAvJo=
=4Tka
-----END PGP SIGNATURE-----
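As an added illustration of the trust model the mail proposes (not code from the remote-help-assistant project or from Andrew), the Python below keeps the per-session log from point 1, scopes trust to the peer's public key *and* the capability ticked on page 6 (point 2), and renders the page-5 history text (point 3). The `TrustLog`, `SessionRecord` and `Capability` names, the fingerprint strings and the dates are assumptions constructed for the example; the comparison `trusted_in_0_1` vs `trusted_in_0_2` is what shows the 0.1 flaw: a past session where you accessed *their* desktop is taken as permission for them to see *yours*.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Capability(Enum):
    """The three tick boxes proposed for page 6 ('check dates')."""
    SHARE_SCREEN = "share this computer's screen"
    SHARE_INPUT = "share this computer's keyboard and mouse"
    ACCESS_THEIR_DESKTOP = "give me access to their desktop"


@dataclass
class SessionRecord:
    """One entry of the per-session log proposed in point 1."""
    peer_key: str            # fingerprint of the peer's SSH public key (assumed form)
    peer_id: str             # <username>@<host> taken from that key's comment
    capability: Capability   # what this session granted
    start: datetime
    end: Optional[datetime] = None


# Page-5 wording, keyed by the capability each history line reports on.
HISTORY_LABELS = {
    Capability.SHARE_SCREEN: "You have shared your screen",
    Capability.SHARE_INPUT: "You have shared your screen, keyboard and mouse",
    Capability.ACCESS_THEIR_DESKTOP: "You have accessed their computer",
}


class TrustLog:
    """Session log plus the two trust checks being compared."""

    def __init__(self):
        self.records = []  # list of SessionRecord, oldest first

    def start_session(self, peer_key, peer_id, capability, when):
        rec = SessionRecord(peer_key, peer_id, capability, when)
        self.records.append(rec)
        return rec

    def end_session(self, rec, when):
        rec.end = when

    def trusted_in_0_1(self, peer_key):
        """0.1 behaviour: any earlier session with this key counts as
        trust for every kind of access. This is the flaw the mail describes."""
        return any(r.peer_key == peer_key for r in self.records)

    def trusted_in_0_2(self, peer_key, capability):
        """0.2 behaviour: trust is scoped to the key *and* the capability."""
        return any(r.peer_key == peer_key and r.capability is capability
                   for r in self.records)

    def needs_tick_box(self, peer_key, capability):
        """True when page 6 must not be passed until the box is ticked."""
        return not self.trusted_in_0_2(peer_key, capability)

    def history(self, peer_key):
        """(count, most recent start) per capability, for page 5."""
        out = {}
        for cap in Capability:
            starts = [r.start for r in self.records
                      if r.peer_key == peer_key and r.capability is cap]
            out[cap] = (len(starts), max(starts, default=None))
        return out

    def history_text(self, peer_key, peer_id):
        """Render the page-5 block in the layout proposed in point 3."""
        lines = [f"Your history with {peer_id}:"]
        for cap, (count, latest) in self.history(peer_key).items():
            when = latest.date().isoformat() if latest else "never"
            lines.append(f"{HISTORY_LABELS[cap]} {count} times")
            lines.append(f"\t(most recently: {when})")
        return "\n".join(lines)


def demo():
    """Constructed scenario from the mail: you accessed alice@laptop's
    desktop once; later the same key asks to see *your* screen."""
    log = TrustLog()
    alice_key = "SHA256:constructed-fingerprint-for-alice"  # constructed value
    rec = log.start_session(alice_key, "alice@laptop",
                            Capability.ACCESS_THEIR_DESKTOP,
                            datetime(2009, 4, 1, 10, 0))  # constructed date
    log.end_session(rec, datetime(2009, 4, 1, 10, 45))
    return {
        "waved_through_in_0_1": log.trusted_in_0_1(alice_key),
        "tick_box_required_in_0_2": log.needs_tick_box(alice_key, Capability.SHARE_SCREEN),
        "desktop_access_still_trusted": log.trusted_in_0_2(alice_key, Capability.ACCESS_THEIR_DESKTOP),
        "unknown_key_trusted": log.trusted_in_0_1("SHA256:some-other-key"),
        "page5_text": log.history_text(alice_key, "alice@laptop"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the difference the proposal makes: the 0.1 check returns true for any key seen before, whereas the 0.2 check still trusts the key for "give me access to their desktop" but requires the "share this computer's screen" box to be ticked. Keying the log on the public key rather than on the `<username>@<host>` comment is deliberate, since the comment is whatever the peer chose to put in their key.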