Make FoxBox discovery (more) secure #4

Closed
14 of 18 tasks
michielbdejong opened this issue Feb 24, 2016 · 7 comments
@michielbdejong

Problem:

We are making good progress on FoxBox discovery inside a trusted local network, but if the local network is not trusted, an attacker inside your WiFi network could become a Man-in-the-Middle (MitM) between client and FoxBox, spying on your data, and possibly even replaying the commands sent.

Step 1: Trust on First Use (TOFU)

We assume no attacker is present during the setup phase, but once the app has discovered the FoxBox, comms should become TLS-protected, so that a MitM can only attack during the setup phase, and not at a later point in time.

Step 2: QR-code-based

To make the setup phase secure as well, the user should bring the client physically close to the FoxBox, and then somehow tell the client "this physical object is the one I want to connect to". I'm calling this QR-code-based because that provokes a clear mental image, but you could also use NFC, a USB cable, a PIN code, etc. to achieve the same.

To do:

  • TOFU-based secure discovery
  • See if TOFU can be done at the OS level instead of at the application level
    • on Android
    • on Windows 10
    • etc ...
  • QR-code-based
    • Work out the https://<fingerprint>.foxbox<i>.<special-tld> idea in more detail
    • Server-side implementation (just set the hostname based on the signing cert's fingerprint)
    • Remove reliance on [m]DNS - i.e. allow using an IP address instead of a domain name
    • Implementation in Cordova
    • Implementation in WebExtension
  • Coordinate this work with FlyWeb - they have the exact same problem
@michielbdejong michielbdejong self-assigned this Feb 24, 2016
@michielbdejong

Conclusion about adding certs at the OS level from the Cordova app: not viable, because:

  • As far as we can tell, OS-level certificate stores are indeed for trusting a cert for any host, not just for one host.
  • Different browsers use different stores, for instance Firefox on Windows or Android would still not accept your Foxbox cert after you've downloaded it to the OS-level.
  • If you're going to download "something" to install the cert, you might as well directly download the cert itself :)

@michielbdejong

For the same reason, downloading a WebExtension that installs a cert is silly, you can just directly download the cert itself.

@michielbdejong

So current conclusion for TOFU-based: the user will just need to open the app with their browser of choice, and add the security exception. There are a few options to try to improve on this, but looks like there's no silver bullet.

I'll continue to investigate the QR-code-based option, though.

@michielbdejong

Implemented PoC of https://<sha256>.self-signed/ scheme in Cordova (replace '.michielbdejong.com' with '.self-signed' and add mDNS for that).
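
The check a client has to make under the `https://<sha256>.self-signed/` scheme, as an added Node.js example that is not part of the original thread and not the PoC's code. It assumes the label is the lowercase hex SHA-256 of the DER bytes of the certificate the FoxBox presents; all function names are hypothetical, and the certificate bytes are constructed stand-ins.

```javascript
const nodeCrypto = require('crypto');

const PIN_TLD = 'self-signed'; // special TLD used in the thread's PoC

// SHA-256 over the certificate's DER bytes, as lowercase hex (64 chars).
function fingerprintHex(certDer) {
  return nodeCrypto.createHash('sha256').update(certDer).digest('hex');
}

// Server side: derive the origin from the certificate. This is the
// value a QR code on the box would carry.
function originFor(certDer) {
  return `https://${fingerprintHex(certDer)}.${PIN_TLD}/`;
}

// Client side: extract the pinned fingerprint from a scanned URL, or
// return null if the URL does not follow the scheme exactly.
function pinnedFingerprint(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  const labels = u.hostname.split('.');
  if (labels.length !== 2 || labels[1] !== PIN_TLD) return null;
  return /^[0-9a-f]{64}$/.test(labels[0]) ? labels[0] : null;
}

// Accept the TLS peer only if the certificate it presented hashes to
// the value pinned in the hostname. No CA chain is consulted.
function verifyPinnedCert(url, presentedCertDer) {
  const pinned = pinnedFingerprint(url);
  if (pinned === null) return false;
  const want = Buffer.from(pinned, 'hex');
  const got = nodeCrypto.createHash('sha256').update(presentedCertDer).digest();
  return nodeCrypto.timingSafeEqual(want, got); // both are 32 bytes
}

// Constructed stand-ins for DER certificates (hashing treats them as bytes).
const boxCert = Buffer.from('constructed FoxBox certificate bytes');
const mitmCert = Buffer.from('constructed attacker certificate bytes');
const scannedUrl = originFor(boxCert); // what the QR code would encode

console.log(verifyPinnedCert(scannedUrl, boxCert));  // genuine box
console.log(verifyPinnedCert(scannedUrl, mitmCert)); // substituted cert
```

A 64-character hex label is one octet over the 63-octet DNS label limit, so a name that has to resolve over [m]DNS needs a shorter encoding of the hash; here the client parses the hostname itself.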

@michielbdejong

Next step: make the Cordova app work with QR-code scanner and mDNS.

@michielbdejong

Added QR-code and mDNS.

Next step: When discovering a service over mDNS, override URLStreamHandler#getHostAddress in CordovaHTTP to make service.server resolve to service.addresses[0].

@michielbdejong

Continuing this analysis/exploration in https://public.etherpad-mozilla.org/p/project-link-discovery
