Comments (10)
zacknewman
commented on May 22, 2024
14
There is a difference between "works" and "works correctly". It violates the spec in two ways, so it's unfortunate a fix won't be made since it's quite easy regardless if Bitwarden violates the spec. Vaultwarden does other things in the interest of "security" that Bitwarden does not, so doing something differently is clearly not an issue for Vaultwarden.
Also there are two issues here. Bitwarden correctly verifies the credential ID is not currently used. So regarding the second issue, Vaultwarden is not only reducing the security and violating the spec; but it is also not doing what Bitwarden is correctly doing and what the used crate even says you MUST do.
from vaultwarden.
zacknewman
commented on May 22, 2024
7
Any further updates regarding this?
It's important to keep in mind these WebAuthn violations are probably OK. The spec requires at least 100 bits of entropy to be associated with a non-encrypted credential ID, so the odds a credential ID is already used is as I said "less than 0.00000000000000000009%" after 50K registrations. Of course that's assuming accidental collision. I'm not aware of a malicious way that subverts this, but of course that doesn't mean there isn't one. That's why it's important to err on the side of caution and just adhere to the spec.
from vaultwarden.
BlackDex
commented on May 22, 2024
1
Any further updates regarding this?
Update in what sense? It works currently. And since both client and server communicate this in there way which works, and nothing uses this in any other way, it's not going to be a big issue as-is.
from vaultwarden.
tessus
commented on May 22, 2024
The vw devs usually keep in sync what Bitwarden does. Even, if it's questionable on bw's side.
I think it would be best to get this fixed in bw first.
from vaultwarden.
zacknewman
commented on May 22, 2024
On Dec 22, 2023, at 1:25 AM, Helmut K. C. Tessarek ***@***.***> wrote:
The vw devs usually keep in sync what Bitwarden does. Even, if it's questionable on bw's side.
I think it would be best to get this fixed in bw first.
Huh? The issue with Bitwarden is largely unrelated. CredentialD is not being verified to not already exist, and the JSON payload is being altered _including_ the values of the key-value pairs which violates the spec.
The Bitwarden issue only impacts _how_ to solve the latter problem. I solve the problem by not altering any of the payload which besides being correct is much easier since I can just derive Deserialize, and I don’t have to attempt to get the innards of RegisterPublicKeyCredential.
If one insists on not using a 2-line patch involving sed on the web-vault to alter the two incorrect key names, then that doesn’t excuse not solving both problems. The first problem is completely unrelated, and the second problem should be solved by _only_ altering the two problematic key names and leaving the rest of the payload alone _especially_ the values.
from vaultwarden.
HammyHavoc
commented on May 22, 2024
Any further updates regarding this?
from vaultwarden.
stefan0xC
commented on May 22, 2024
a fix won't be made
@zacknewman Since you already put in the work to upgrade the webauthn-rs crate can't you make a PR?
from vaultwarden.
BlackDex
commented on May 22, 2024
a fix won't be made
@zacknewman Since you already put in the work to upgrade the
webauthn-rscrate can't you make a PR?
That would be nice. But i think the implementation done by @zacknewman doesn't take into account a migration path of the old implementation to the new one reading the comments.
from vaultwarden.
zacknewman
commented on May 22, 2024
@zacknewman Since you already put in the work to upgrade the
webauthn-rscrate can't you make a PR?
@stefan0xC, I did this only on my personal fork which has diverged rather substantially from Vaultwarden; so it would require a little time to apply the change to Vaultwarden.
That would be nice. But i think the implementation done by @zacknewman doesn't take into account a migration path of the old implementation to the new one reading the comments.
@BlackDex, indeed; and that requires discussion on how best to handle that. At least initially it would seem the best way to handle that is by using CredentialV3, then eventually move away from that entirely.
Personally, I'm not interested in making a PR that doesn't assume compliant clients which unfortunately requires a very easy patch to the web-vault. As I explain in that comment, it seems like a no-brainer that that is the best way forward.
I might be amenable to the idea of creating a serde::de::Visitor that alters the JSON keys AttestationObject and clientDataJson but otherwise leaves the rest of the payload alone; as that at least allows one to avoid having to get into the internals of webauthn-rs which as explained here and in that comment only perpetuates the problem of not upgrading the crate in addition to making code audits and the like more complex. I still very much dislike that approach though for the reasons provided in that comment.
from vaultwarden.
zacknewman
commented on May 22, 2024
I should also add that fixing the second issue doesn't require a patch to the web-vault or upgrading webauthn-rs. That can be achieved most easily by creating a webauthn table as I explained and rely on the PRIMARY KEY to prevent duplicate credential IDs. A much less efficient way is to extract the credential ID from every security key associated with every user from twofactor and putting that into a HashSet and verifying the new credential ID is not in that.
from vaultwarden.
Related Issues (20)
- Port zuzugreifen
- Unable to create entry, You must select at least one collection HOT 1
- Edge 124 and above can't open vaultwarden website
- Vaultwarden 1.30.5 with Bitwarden Client 2024.3.0 - Client does not allow saving new entries due to collections not being available. HOT 1
- Icons missing after going from 1.26 -> 1.30.5 and cant create new logins/entries
- Failed to upload attachment
- SIGTERM and container exitting at least once a day HOT 5
- Build failure: redundant imports HOT 2
- MS Exchange On-Prem Self-Signed SMTP cert prevents 2FA Mails
- Vaultwarden times out for Android Clients
- Websocket connections not working with recommended apache2 proxy configuration
- Some variables from .env file being ignored i.e. ROCKET_PORT HOT 1
- Organizations
- Cannot login with extension anymore HOT 1
- Unable to fetch ServerConfig: Failed to decode access token: JWT must have 3 parts
- Moving logins from local folder to Organization collection forces logout HOT 4
- Expired Authorization after Duo Push HOT 5
- Master passwort requirements: Require existing members to change their passwords-setting
- organization does not show HOT 14
- [Postgresql/DB] Database URL changes not respected HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vaultwarden.