Add spoofing protection (MITM/NO-CPS detection) #180
Merged
Closes #117.
Description:
This adds detection and mitigation for the following scenarios:
- The server reports an IP address mismatch (TIF of 0x40, "IPs matched" flag off).
  In this case, we show a warning message and fail hard (just like the GRC client).
- The server fails to engage CPS.
  In this case, we show a warning message and give the user the choice of aborting the authentication or continuing on (just like the GRC client).
Additional changes:
- Hardening of the PathConf.LoadConfig() method, since I was seeing an NPE in one particular case.
- As discussed in Detect No CPS/ MITM Mitigation according to Identity Specs #117, I've changed it so that we are now only sending the cps option if the server has already engaged a CPS session. What I was seeing when I reported that the GRC client sends cps right from the start makes sense, since CPS is usually so quickly engaged that it will come in well before the "sqrl://" invocation, and so CPS is already there when we start sending commands to the server. On the spoofing demo site however, one can see that the GRC client in fact does NOT send cps if the server fails to engage CPS. So that's what we're now doing as well.

Preview: