
FVP-02-002 WP1: Balrog does not verify certificate chain on macOS #797

Closed
bakulf opened this issue Apr 7, 2021 · 0 comments · Fixed by #993
bakulf commented Apr 7, 2021

It was found that Balrog does not verify the whole certificate chain on macOS. This allows attackers to supply a self-signed leaf certificate, effectively indicating a bypass of Balrog. This could be abused by state-funded attackers who are in charge of a trusted valid certificate authority. They could perform a Man-in-the-Middle attack and replace the binary code provided by the Mozilla VPN update with malicious malware.

Issue is synchronized with this Jira Task
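As an added illustration of the failure mode described in the report (example code written for this page, not Balrog's or Mozilla VPN's own code): the program constructs an in-memory root CA, a leaf issued by that root, and a self-signed leaf carrying the same subject, then contrasts a full chain verification against the pinned root with a constructed leaf-only check that inspects nothing but the leaf's own fields. The certificate names, the `expectedCN` subject and the `leafOnlyCheck` model are assumptions made for the demo; none of them come from Balrog.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// expectedCN is an assumed subject for the demo leaf; it is not a Mozilla name.
const expectedCN = "updates.example.invalid"

// testPKI holds DER certificates constructed in memory for this example:
// a root CA, a leaf it issued, and a self-signed leaf with the same subject.
type testPKI struct {
	rootDER, goodLeafDER, selfSignedDER []byte
}

// must panics on err; it keeps the constructed-PKI setup short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

func buildTestPKI() *testPKI {
	now := time.Now()
	rootKey := newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Update Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	rootCert := must(x509.ParseCertificate(rootDER))
	leafTmpl := x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: expectedCN},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	// Legitimate leaf: issued by the root, so a chain leaf -> root exists.
	leafKey := newKey()
	goodDER := must(x509.CreateCertificate(rand.Reader, &leafTmpl, rootCert, &leafKey.PublicKey, rootKey))
	// Impostor leaf: identical subject and usage, but signed with its own key.
	rogue := leafTmpl
	rogue.SerialNumber = big.NewInt(3)
	rogueKey := newKey()
	rogueDER := must(x509.CreateCertificate(rand.Reader, &rogue, &rogue, &rogueKey.PublicKey, rogueKey))
	return &testPKI{rootDER: rootDER, goodLeafDER: goodDER, selfSignedDER: rogueDER}
}

// verifyAgainstRoot performs the check the issue says was skipped on macOS:
// build and validate the whole chain from the leaf up to the pinned root.
func verifyAgainstRoot(leafDER, rootDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// leafOnlyCheck is a constructed model (not Balrog's code) of a check that never
// climbs the chain: any in-date leaf with the expected subject is accepted,
// which is exactly why a self-signed leaf gets through.
func leafOnlyCheck(leafDER []byte, wantCN string) bool {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return false
	}
	now := time.Now()
	return now.After(leaf.NotBefore) && now.Before(leaf.NotAfter) && leaf.Subject.CommonName == wantCN
}

func main() {
	p := buildTestPKI()
	fmt.Println("legitimate leaf, full chain:", verifyAgainstRoot(p.goodLeafDER, p.rootDER))
	fmt.Println("self-signed leaf, full chain:", verifyAgainstRoot(p.selfSignedDER, p.rootDER))
	fmt.Println("self-signed leaf, leaf-only :", leafOnlyCheck(p.selfSignedDER, expectedCN))
}
```

Run with `go run`: the full chain check returns nil for the root-issued leaf and an unknown-authority error for the self-signed one, while the leaf-only model accepts both. The point for a verifier is that the trust anchor must be a pinned root and the leaf must be validated up to it; matching subject names or checking that the leaf's own signature is well-formed authenticates nothing.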

@bakulf bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
@birdsarah birdsarah self-assigned this Apr 8, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021
@lesleyjanenorton lesleyjanenorton added this to Triage parking lot in Mozilla VPN Product Board Apr 14, 2021
@lesleyjanenorton lesleyjanenorton moved this from Triage parking lot to Backlog in Mozilla VPN Product Board Apr 14, 2021
@birdsarah birdsarah added this to the Release v2.3 milestone Apr 16, 2021
@rbillings rbillings moved this from Backlog to Next Up / To Do in Mozilla VPN Product Board Apr 16, 2021
@birdsarah birdsarah moved this from Next Up / To Do to In progress in Mozilla VPN Product Board Apr 29, 2021
Mozilla VPN Product Board automation moved this from In progress to Done/Merged May 10, 2021