PGP Reading Threat Model
This threat model focuses on the new threats exposed by extending the [Plain Post posting threat model](Plain Posts Posting Threat Model). For a complete picture of the threats introduced by PGP, you should also see the [PGP Post Reading Threat Model](PGP Post Reading Threat Model).
PGP is a Privly Application facilitating the injection of encrypted and authenticated content on any website. The application is loaded locally as part of a browser extension and plugin (available for Google Chrome and Mozilla Firefox) and communicates to an untrusted content server over HTTPS. An untrusted key server allows for seamless authenticated public key discovery. For a more detailed outline of the protocol, see the protocol document.
- Daniel Reichert, PGP App Developer.
Contributors welcome!
- Version 0.1DRAFT (Current): First draft.
- Security Objectives
- Application Overview
- Application Decomposition
- Threats
- Vulnerabilities
The security objectives are:
- Limit content access to those specified during content creation, identified by public keys.
- Prevent the host page from accessing the content.
- Allow users to destroy, update, and share content after emailing or sharing it on the internet.
- Authenticate identity from proof of ownership of an email.
It is worth noting that our security objectives do not include:
- Anonymizing the connections and identities of users.
- Protecting against key-loggers and other similar malware and backdoors on the client's machine.
- Providing transport level security beyond using HTTPS.
- Hiding metadata of signed messages
Encountering Content
This process is for injecting content directly into host pages.
- (a) The extension injects a content script into the host page.
- (b) The content script finds a Privly PGP link and injects it into the host page.
- (c) The PGP application requests the ciphertext from the content server.
- (d) The content server returns the content to the PGP application.
- (e) The PGP application tells the host page the height of the application's content.
________________________ Inject Content Script ______________________
\/ |
____________ ___________ ______|____
| | >--Inject App --> | | | |
| Host Page | | Inj.App | | Extension |
| | <--iframe size--< | | | |
|____________| |_________| |___________|
| /\
Content Req. Ciphertext
\/ |
____________
| |
| Content |
| Server |
|____________|
Extension scenarios are:
- Adding the content script to the host page (when the host page does not define it itself)
Injectable Application Scenarios are
- Request content from content server
- Display content within host pages
Content Server scenarios are
- Authenticate identity of person using the PGP application
- Authorize request for content
- Transmit content to PGP application
Host Page Scenarios are
- Inject the PGP application
- Extension: JavaScript, HTML, CSS.
- Injectable App: JavaScript, HTML, CSS, jQuery, openPGP.js, localforage.
- Content Server: Any server capable of serving files over SSL.
- Host Page: Any web standard application.
The most important application security mechanisms known at this time are:
- PGP application have a source domain other than the host page, which triggers the same origin policy.
This section describes the trust boundaries, entry points, exit points, and data flows.
- The content server trusts user identity authenticated via session cookies.
- The PGP application trusts metadata delivered from the content server over SSL.
- The host page trusts the height of the content URL
- Port 443 for HTTPS.
- User login. Users login to a content server using any form of authentication supported by the content server. The user then has an authentication cookie tied to the content server's domain and all requests can be authenticated from the injectable applications.
- Requesting content from the content server. The PGP application requests the content from the content server over SSL.
- iframe height. The same origin policy means the host page does not have access to the height of the injected application. The injected application messages this to the host page.
In the application overview, points a, b, c, d, and e delineate possible points of attack.
Attacks will be judged according to the DREAD model:
- Damage: How big would the damage be if the attack succeeded?
- Reproducibility: How easy is it to reproduce an attack?
- Exploitability: How much time, effort, and expertise is needed to exploit the threat?
- Affected Users: If a threat were exploited, what percentage of users would be affected?
- Discoverability: How easy is it for an attacker to discover this threat?
Each category has a minimum score of 0 and a maximum score of 10. The final DREAD score is the average of the category scores: (D + R + E + A + D) / 5.
Threat Description: Users with little technical knowledge may be fooled by a phishing website or plugin posing as legitimate content of the host page.
- Damage: A user could be deceived into taking actions inconsistent with their own interests. Score: 7
- Reproducibility: Users would have to change several default settings and run an unofficial PGP application version in their whitelist. A tooltip labels Privly content as being injected into the web page. Score: 1
- Exploitability: Exploitability depends on the user, not the effort of the adversary. This threat can be mitigated by effective user education and communication. Score: 2
- Affected Users: Users are affected individually only if they change many default settings. Score: 1
- Discoverability: Adversaries could place malicious links on a variety of high-traffic message boards to find users who could be targeted by this exploit. Score: 7
Threat Description: Any user with access to the link could re-share the link to another host page.
- Damage: If the content server strips identifying metadata from the content then the damage is no worse than copying and pasting the content directly. The posting user maintains control over the content, so they could update or destroy it in the future. Subsequently adding privileged information to the linked content could compound the threat. Score: 7
- Reproducibility: Anyone with access to the link will be able to copy and paste it elsewhere. Score: 7
- Exploitability: The server can place authorization restrictions on the linked content independent of the link's location. Score: 2
- Affected Users: Any host page or user with access to the host page can re-share the link. Score: 7
- Discoverability: Attacking a specific user requires access to a host page containing a privileged link. Score: 6
Threat Description: The host page can present content as injected Privly content. Note: future versions will eliminate this threat by adding a user secret glyph to the tooltip of the injected application.
- Damage: If the user believes the content came from the user and not the site, they may have a higher level of trust in the message and act inappropriately. Score: 6
- Reproducibility: Knowledge of the posting user's life and communications is required to convince the reading user of origin of the communication. Score: 3
- Exploitability: Most host pages would need to be compromised in order to exploit this threat. Users are unlikely to communicate with host pages prone to spoofing users. Users can click through to the content and view it on the content server's web application. Score: 2
- Affected Users: Users connecting to malicious or compromised sites could be threatened by this. Score: 5
- Discoverability: Discoverability is poorly defined for this threat. Score: N/A
Threat Description: The host page can present a URL from the content server other than the user posted content URL.
- Damage: If the host site has an account on the content server, then the content could potentially be anything the host page wants it to be. Score: 8
- Reproducibility: Knowledge of the posting user's life and communications is required to convince the reading user of origin of the communication. Score: 3
- Exploitability: Most host pages would need to be compromised in order to exploit this threat. Users are unlikely to communicate with host pages prone to spoofing users. Score: 2
- Affected Users: Users connecting to malicious or compromised sites could be threatened by this threat. Score: 5
- Discoverability: Discoverability is poorly defined for this threat. Score: N/A
Threat Description: The host page will be able to detect the injection of iframes by monitoring the page's DOM in JavaScript.
- Damage: The host page will be able to build a list of the user's trusted servers. Score: 3
- Reproducibility: The host page needs to deliver the user a list of domains. Score: 10
- Exploitability: The user will need to visit a host page wanting to learn the user's trusted domains. Score: 6
- Affected Users: Any user connecting to a malicious host page. Score: 6
- Discoverability: The user will need to visit a host page wanting to learn the user's trusted domains. Score: 6
Threat Description: The content server's SSL certificate, used for authentication, could be man-in-the-middled via a Certificate Authority compromise or other means.
- Damage: The attacker would be able to intercept, read and modify the stream of encrypted communications sent to and from the client. Since message content is encrypted and signed locally before being sent to the server, the damage is limited to metadata. Score: 5
- Reproducibility: Measures such as HSTS, responsible CA delegation and certificate pinning in browsers make this threat difficult to reproduce. Score: 3
- Exploitability: A highly considerable amount of time, effort and expertise is required for this threat to be pulled off remotely. Score: 3
- Affected Users: Depending on the malicious actor, a single user could be targeted (if the actor is a hacker connected to a LAN) or an entire nation (if the hacker is an ISP being controlled by a malicious government.) Score: 5
- Discoverability: Depending on the Certificate Authority's operational security, the ability to control the Certificate Authority to forge certificates may be extremely easy to very difficult. Cases such as DigiNotar and even VeriSign have made this a real threat, however, even with trusted Certificate Authorities. Score: 6
Threat Description: Links shared on specific host pages could be used to track the host pages viewed by a user if the link is automatically injected.
- Damage: Tracking damages user privacy by broadcasting their browsing habits, but it does not compromise their content. Score: 3
- Reproducibility: If the content server is default whitelisted, then it could track all Privly users across all websites. Score: 10
- Exploitability: All default whitelisted servers are required to not track their users. Score: 2
- Affected Users: Individual users are affected only if they change default settings or a default whitelisted server is compromised. Score: 2
- Discoverability: Content servers would need to distribute links on the sites the user visits. Score: 3
Threat Description: The content server storing the ciphertext is compromised by a third party.
- Damage: The attacker could delete all posts. If the user continues to use the content server connection information could also be compromised Score: 8
- Reproducibility: The possibility of a full remote compromise of a content server is unknown and ambiguous. Score: 5
- Exploitability: Breaking into a server requires significant knowledge and skill, including obtaining a security hole either in the server's software (SSHD, HTTPD, etc.) or in the human security factors governing the server. Score: 3
- Affected Users: Everyone connecting to the content server is under the realm of being possibly affected. Score: 9
- Discoverability: Threat requires extensive penetration testing in order to discover if it potentially exists. Score: 2
Same as Point (B).
Threat Description: The content injected into the page must tell the host page the height of the contained content, which is related to the length of the content.
- Damage: Knowing the length of content could provide information about the nature of the content: 4**
- Reproducibility: A site would need to show a link to a user who is authorized for its content: Score: 2
- Exploitability: Little expertise is required: Score: 10
- Affected Users: It would be difficult to apply this exploit to many different users: Score: 2
- Discoverability: Host pages could detect the height of any whitelisted content: Score: 7
[PGP Reading Threat Model](PGP Reading Threat Model)
No vulnerabilities have been formally identified. Please contribute to this section!
Adapted from Cryptocat's Threat Model
Foundation Home
Repository List
Development Mailing List
Testing Mailing List
Announcement Mailing List
Central Wiki
Submit a Bug
IRC
Download Extension
These documents are under active development and discussion.
Credit: This Google Summer of Code content is licensed under the CC Attribution-Noncommercial-Share Alike 3.0 Unported license furnished by the Sahana Software Foundation.