Galène videoconferencing server discussion list archives
* [Galene] "This operation is insecure"
From: Michael Ströder @ 2021-01-27 18:24 UTC (permalink / raw)
  To: galene

Hi!

Running with latest git revision
9d9db1a92060a3e0ce15021234b8561a3e6bfc49 some users now get a red
message which says "This operation is insecure" when trying to enter a
group.

Does that ring a bell?

I currently don't have information on which browsers were used but will try
to gather more info.

A simple grep did not reveal such a message in Galène's code. But there
were updates to some modules used. Where to look?

Ciao, Michael.


* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-27 18:52 UTC (permalink / raw)
  To: galene

On 1/27/21 7:24 PM, Michael Ströder wrote:
> Running with latest git revision
> 9d9db1a92060a3e0ce15021234b8561a3e6bfc49 some users now get a red
> message which says "This operation is insecure" when trying to enter a
> group.
> 
> Does that ring a bell?
> 
> I currently don't have information on which browsers were used but will try
> to gather more info.

Probably the affected users are using the Safari browser.

Ciao, Michael.


* [Galene] Re: "This operation is insecure"
From: Juliusz Chroboczek @ 2021-01-27 20:05 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

>> 9d9db1a92060a3e0ce15021234b8561a3e6bfc49 some users now get a red
>> message which says "This operation is insecure" when trying to enter a
>> group.

>> Does that ring a bell?

> Probably the affected users are using the Safari browser.

It looks like some versions of Mobile Safari don't like our
Content-Security-Policy header.  It would be good to know what operation
exactly is disliked by Mobile Safari, and relax the CSP header to match.
This happens in the "mungeHeader" function in webserver.go.

-- Juliusz


* [Galene] Re: "This operation is insecure"
From: Juliusz Chroboczek @ 2021-01-27 20:08 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

>> Probably the affected users are using the Safari browser.

> It looks like some versions of Mobile Safari don't like our
> Content-Security-Policy header.  It would be good to know what operation
> exactly is disliked by Mobile Safari, and relax the CSP header to match.
> This happens in the "mungeHeader" function in webserver.go.

Did the user try to enable a filter?


* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-27 20:17 UTC (permalink / raw)
  To: galene

On 1/27/21 9:08 PM, Juliusz Chroboczek wrote:
>>> Probably the affected users are using the Safari browser.
> 
>> It looks like some versions of Mobile Safari don't like our
>> Content-Security-Policy header.  It would be good to know what operation
>> exactly is disliked by Mobile Safari, and relax the CSP header to match.
>> This happens in the "mungeHeader" function in webserver.go.
> 
> Did the user try to enable a filter?

Probably not.

Ciao, Michael.



* [Galene] Re: "This operation is insecure"
From: Juliusz Chroboczek @ 2021-01-27 20:30 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

>>> It looks like some versions of Mobile Safari don't like our
>>> Content-Security-Policy header.
>> 
>> Did the user try to enable a filter?

> Probably not.

Hmm... are you running behind a reverse proxy?  Is the reverse proxy
modifying our CSP header?

We'd really need the exact way to reproduce the issue, the exact error
message, and, even better, whether there's a backtrace in the JS console.


* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-27 21:09 UTC (permalink / raw)
  To: galene

On 1/27/21 9:30 PM, Juliusz Chroboczek wrote:
>>>> It looks like some versions of Mobile Safari don't like our
>>>> Content-Security-Policy header.
>>>
>>> Did the user try to enable a filter?
> 
>> Probably not.
> 
> Hmm... are you running behind a reverse proxy?  Is the reverse proxy
> modifying our CSP header?

Yes.

But even unsetting this did not help in an individual test with one user
with Safari running on an older laptop. Well, this particular user is a
non-technical person and I'm not 100% sure whether the page was really
reloaded or whether it was read from browser cache.

Ciao, Michael.


* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-27 21:12 UTC (permalink / raw)
  To: galene

On 1/27/21 10:09 PM, Michael Ströder wrote:
> On 1/27/21 9:30 PM, Juliusz Chroboczek wrote:
>>>>> It looks like some versions of Mobile Safari don't like our
>>>>> Content-Security-Policy header.
>>>>
>>>> Did the user try to enable a filter?
>>
>>> Probably not.
>>
>> Hmm... are you running behind a reverse proxy?  Is the reverse proxy
>> modifying our CSP header?
> 
> Yes.

FWIW the Apache httpd config settings:

  Header onsuccess unset Content-Security-Policy
  Header always set Content-Security-Policy "base-uri 'self'; child-src
'self'; connect-src 'self'; default-src 'self'; font-src 'self';
form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
style-src 'self';"

Note that this worked just fine until the recent update.

Ciao, Michael.


* [Galene] Re: "This operation is insecure"
From: Juliusz Chroboczek @ 2021-01-27 21:42 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

> FWIW the Apache httpd config settings:

>   Header onsuccess unset Content-Security-Policy
>   Header always set Content-Security-Policy "base-uri 'self'; child-src
> 'self'; connect-src 'self'; default-src 'self'; font-src 'self';
> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
> style-src 'self';"

> Note that this worked just fine until the recent update.

I find that surprising.  The "wss:" entry in connect-src was added back in
the spring of 2020 because without it Galène wouldn't work on iPads.  As
to "media-src blob:", streaming videos from disk won't work without it.

Perhaps you could explain why you are munging the headers in the frontend.
Is there an actual attack that you're concerned about?  If so, then we
should think together about avoiding the attack, rather than having each
user use their own idiosyncratic set of security-related headers.

-- Juliusz


* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-27 22:15 UTC (permalink / raw)
  To: galene

On 1/27/21 10:42 PM, Juliusz Chroboczek wrote:
>> FWIW the Apache httpd config settings:
> 
>>   Header onsuccess unset Content-Security-Policy
>>   Header always set Content-Security-Policy "base-uri 'self'; child-src
>> 'self'; connect-src 'self'; default-src 'self'; font-src 'self';
>> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
>> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
>> style-src 'self';"
> 
>> Note that this worked just fine until the recent update.
> 
> I find that surprising.  The "wss:" entry in connect-src was added back in
> the spring of 2020 because without it Galène wouldn't work on iPads.  As
> to "media-src blob:", streaming videos from disk won't work without it.

Sorry for the confusion:
I was looking at configuration of the wrong virtual host in my reverse
proxy. The virtual host actually used does *not* modify any security
headers like Content-Security-Policy.

> Perhaps you could explain why you are munging the headers in the frontend.

Frankly I was not aware that Galène sets Content-Security-Policy. I will
look more closely into that. Nevertheless it's irrelevant for this
particular issue.

I definitely know that Safari users were successfully using the system
before the upgrade to commit 9d9db1a92060a3e0ce15021234b8561a3e6bfc49.

Ciao, Michael.


* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-28 13:11 UTC (permalink / raw)
  To: galene

On 1/27/21 10:42 PM, Juliusz Chroboczek wrote:
> Perhaps you could explain why you are munging the headers in the frontend.
> Is there an actual attack that you're concerned about?

I remember various pen-testing talks about attacking even via rogue
frames, CSS files and fonts, depending on browser versions. So it's IMHO
good practice to disable everything not really needed (least-privilege).
Same spirit why I'm using systemd's sand-boxing options [1] and an
AppArmor profile [2].

What you could do to prevent some of the attacks is to use Subresource
Integrity Hashes in HTML source [3]. Yes, it requires you to commit the
correct hashes in galene.html when changing any CSS, JS, font files
included from there.

> If so, then we should think together about avoiding the attack,
> rather than having each user use their own idiosyncratic set of
> security-related headers.

Agreed. Avoiding attacks is a primary goal for you as a developer of a
network service. And I appreciate that you take care. But you cannot
influence the client side or fix issues yet unknown.

E.g. the AppArmor profile is IMHO definitely a good mitigation against
recent sudo attack vector or similar. Yes, I've already updated sudo on
my systems. But we all learned about this only two days ago. The
AppArmor profile was in place before.

I'm super-concerned about this whole video conferencing stuff. Bad people
can do really weird stuff with this great tool. We had some cases here
in Germany where *very* inappropriate content was sent to pupils of an
elementary school during an online lesson. :-(

So better safe than sorry.

Ciao, Michael.

P.S.: Yes, of course one of the Safari users asked me: "Why don't you
use Zoom?" (sigh...).

[1]
https://build.opensuse.org/package/view_file/home:stroeder:network/galene/galene.service?expand=1

[2]
https://build.opensuse.org/package/view_file/home:stroeder:network/galene/apparmor-usr.sbin.galene?expand=1

[3]
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

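The Subresource Integrity hashes suggested in the message above, as an added example that is not Galène's code and not part of any message in the thread. The Go program below computes the value of an HTML `integrity` attribute the way the MDN reference linked as [3] describes it (SHA-384 digest of the file, base64-encoded, prefixed with the algorithm name), verifies a file against such a value, and renders the pinned `<script>` tag. The script contents and the file name `galene.js` are constructed for the example; whether galene.html carries such attributes is not established by this thread.

```go
package main

import (
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// SampleScript stands in for a JavaScript file served alongside the HTML
// page; its contents are constructed for this example.
var SampleScript = []byte("// constructed sample script\nconsole.log('hello');\n")

const sriPrefix = "sha384-"

// IntegrityFor returns the value of an HTML integrity attribute for the
// given file contents: the algorithm name, a dash, and the base64-encoded
// SHA-384 digest.
func IntegrityFor(content []byte) string {
	sum := sha512.Sum384(content)
	return sriPrefix + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyIntegrity reports whether content matches an integrity value that
// IntegrityFor produced. A build or deploy step would run this to make sure
// the hashes committed in the HTML still match the files actually shipped.
func VerifyIntegrity(content []byte, integrity string) bool {
	if !strings.HasPrefix(integrity, sriPrefix) {
		return false
	}
	want, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(integrity, sriPrefix))
	if err != nil || len(want) != sha512.Size384 {
		return false
	}
	got := sha512.Sum384(content)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// ScriptTag renders the <script> element that pins the file to its hash.
// A browser that fetches src refuses to execute it if the digest differs.
func ScriptTag(src string, content []byte) string {
	return fmt.Sprintf(`<script src="%s" integrity="%s"></script>`, src, IntegrityFor(content))
}

func main() {
	// "galene.js" is a placeholder file name for the example.
	fmt.Println(ScriptTag("galene.js", SampleScript))
	fmt.Println("verifies:", VerifyIntegrity(SampleScript, IntegrityFor(SampleScript)))
}
```

The cost Michael mentions is visible here: every change to a referenced CSS, JS or font file changes its digest, so the attribute in the HTML has to be regenerated and committed together with the file, otherwise the browser blocks the resource.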

* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-01-28 16:16 UTC (permalink / raw)
  To: galene

On 1/27/21 10:42 PM, Juliusz Chroboczek wrote:
>> FWIW the Apache httpd config settings:
> 
>>   Header onsuccess unset Content-Security-Policy
>>   Header always set Content-Security-Policy "base-uri 'self'; child-src
>> 'self'; connect-src 'self'; default-src 'self'; font-src 'self';
>> form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src
>> 'self' data:; media-src 'self'; object-src 'self'; script-src 'self';
>> style-src 'self';"
> 
>> Note that this worked just fine until the recent update.
> 
> I find that surprising.  The "wss:" entry in connect-src was added back in
> the spring of 2020 because without it Galène wouldn't work on iPads.  As
> to "media-src blob:", streaming videos from disk won't work without it.

Ok, following your advice I've successfully tested a normal video
conference with a Safari-on-iPad user and the following complete CSP
header:

Content-Security-Policy: base-uri 'self'; child-src 'self'; connect-src
wss: 'self'; default-src 'self'; font-src 'self'; form-action 'self';
frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:;
media-src blob: 'self'; object-src 'self'; script-src 'self'; style-src
'self';

Mainly I want to
1. disable frames.
2. limit connect-src to wss: because all traffic must be TLS encrypted.
3. tighten resource loading some more just in case some browsers might
not obey default-src 'self'.
4. set a report-uri later.

Ciao, Michael.


* [Galene] Re: "This operation is insecure"
From: Juliusz Chroboczek @ 2021-02-01  0:45 UTC (permalink / raw)
  To: Michael Ströder; +Cc: galene

> Ok, following your advice I've successfully tested a normal video
> conference with a Safari-on-iPad user and the following complete CSP
> header:

I'm a little concerned that if you tweak Galène's defaults, your bug
reports will be somewhat less useful to me than they would be otherwise.

So would you please explain what kind of attacks you're trying to avoid,
so we can converge on a common header that suits everyone?

> 1. disable frames.

Galène doesn't create frames.  Galène's default CSP header forbids inline
Javascript, so even if an attacker somehow manages to get Galène to
include Javascript code in the DOM, it will be ignored.

> 2. limit connect-src to wss: because all traffic must be TLS encrypted.

Secure web pages are not allowed to connect to insecure WebSockets, even
when the CSP allows it.

> 3. tighten resource loading some more just in case some browsers might
> not obey default-src 'self'.

Are you aware of any such browsers?

-- Juliusz

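An added example, not Galène's mungeHeader code and not part of any message in the thread: a Go checker for the situation debugged above. It parses a Content-Security-Policy header value into directives, applies the default-src fallback a browser uses for fetch directives that are not spelled out, and reports whether connect-src lists wss: and media-src lists blob: (the two sources Juliusz says Galène needs), plus whether inline scripts are permitted (Galène's default forbids them). The two embedded headers are the reverse-proxy policy and the corrected policy quoted earlier in the thread. The requirement list is assumed from Juliusz's statements, not taken from Galène's own defaults, which the thread does not reproduce in full.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy maps a lower-cased CSP directive name to its source expressions.
type Policy map[string][]string

// ParseCSP splits a Content-Security-Policy header value into directives.
// Directives are separated by ';' and tokens within one by whitespace; a
// repeated directive name is ignored, as browsers honour only the first.
func ParseCSP(header string) Policy {
	p := Policy{}
	for _, directive := range strings.Split(header, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, seen := p[name]; seen {
			continue
		}
		p[name] = fields[1:]
	}
	return p
}

// EffectiveSources returns the source list a browser applies to a fetch
// directive: the directive itself if present, otherwise default-src.
// The second result is false when neither exists (nothing is restricted).
func (p Policy) EffectiveSources(directive string) ([]string, bool) {
	if srcs, ok := p[directive]; ok {
		return srcs, true
	}
	if srcs, ok := p["default-src"]; ok {
		return srcs, true
	}
	return nil, false
}

// Allows reports whether the policy lists source verbatim for directive
// (after default-src fallback). A policy that restricts nothing allows it.
func (p Policy) Allows(directive, source string) bool {
	srcs, ok := p.EffectiveSources(directive)
	if !ok {
		return true
	}
	for _, s := range srcs {
		if strings.EqualFold(s, source) {
			return true
		}
	}
	return false
}

// Requirement is a (directive, source) pair the application needs listed.
type Requirement struct{ Directive, Source string }

// GaleneNeeds holds the two sources the thread identifies as necessary:
// wss: for the WebSocket on iPads and blob: for streaming video files
// from disk. Assumed from the thread, not read from Galène's own code.
var GaleneNeeds = []Requirement{
	{"connect-src", "wss:"},
	{"media-src", "blob:"},
}

// Findings lists every requirement the policy fails to satisfy, plus a
// warning if inline scripts are permitted (an absent policy permits them).
func Findings(p Policy, needs []Requirement) []string {
	var out []string
	for _, r := range needs {
		if !p.Allows(r.Directive, r.Source) {
			out = append(out, fmt.Sprintf("%s lacks %s", r.Directive, r.Source))
		}
	}
	if p.Allows("script-src", "'unsafe-inline'") {
		out = append(out, "script-src permits inline scripts")
	}
	return out
}

// ProxyHeader is the policy the reverse proxy in the thread was setting.
const ProxyHeader = "base-uri 'self'; child-src 'self'; connect-src 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';"

// FixedHeader is the corrected policy tested with a Safari-on-iPad user.
const FixedHeader = "base-uri 'self'; child-src 'self'; connect-src wss: 'self'; default-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' data:; media-src blob: 'self'; object-src 'self'; script-src 'self'; style-src 'self';"

func main() {
	for name, h := range map[string]string{"proxy": ProxyHeader, "fixed": FixedHeader} {
		fmt.Printf("%s: %v\n", name, Findings(ParseCSP(h), GaleneNeeds))
	}
}
```

Source matching is verbatim, so a policy that relies on 'self' to cover a same-origin WebSocket is reported as lacking wss:, which is the behaviour the thread attributes to some Mobile Safari versions. Running the proxy header through the checker reproduces the two omissions that caused the "This operation is insecure" report; running the corrected header yields none.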

* [Galene] Re: "This operation is insecure"
From: Michael Ströder @ 2021-02-01  9:10 UTC (permalink / raw)
  To: galene

On 2/1/21 1:45 AM, Juliusz Chroboczek wrote:
>> Ok, following your advice I've successfully tested a normal video
>> conference with a Safari-on-iPad user and the following complete CSP
>> header:
> 
> I'm a little concerned that if you tweak Galène's defaults, your bug
> reports will be somewhat less useful to me than they would be otherwise.

Yes, I understand. Thus I will add a step to my test procedures to
remove customized HTTP headers before reporting something.

Ciao, Michael.

