Threat Model - Gordin/cryptocat GitHub Wiki

Contents

  • Application Name and Description
  • Owners, Authors, and Stakeholders
  • Revision History
  1. Security Objectives
  2. Application Overview
  3. Application Decomposition
  4. Threats
  5. Vulnerabilities

Application Name and Description

Cryptocat is a browser-based Instant Messaging application that offers client-side encryption. The client is loaded locally as a browser plugin (available for Google Chrome and Mozilla Firefox) and communicates with an XMPP-BOSH server over HTTPS. Cryptocat uses the OTR protocol for two-party encrypted conversations and the mpOTR protocol for multi-party encrypted conversations.

Authors

  • Nadim Kobeissi, Cryptocat Lead Developer.
    Contributors welcome!

Revision History

  • Version 0.1DRAFT (Current): First draft.

1. Security Objectives

The security objectives are:

  • Provide Instant Messaging capabilities where the messages are encrypted and inaccessible to any party not explicitly designated by the participants in the conversation.
  • Provide means for parties to securely authenticate each other's identities.
  • Protect against message forgery.

It is worth noting that our security objectives do not include:

  • Anonymizing the connections and identities of users.
  • Protecting against key-loggers and other similar malware and backdoors on the client's machine.
  • The cryptographic property of deniability in a group conversation context. Deniability is only provided in private messages (which are carried over the OTR protocol).

2. Application Overview

Connections Overview

Scenarios:

Client scenarios are:

  • Generating OTR and mpOTR key pairs.
  • Encrypting, sending, receiving and decrypting instant messages.
  • Sending and receiving OTR and mpOTR public keys.
  • Calculating public key fingerprints.

Server scenarios are:

  • Acting as a middle-man for the transfer of encrypted messages from the sender to their intended recipient(s).
  • Managing client connections.
  • Issuing challenges to the user to verify that they own the secret key corresponding to the public key they claim to own.
  • Managing public key exchange.

Technologies:

Application Security Mechanisms:

The most important application security mechanisms known at this time are:

  • Clients do not at any point in time transmit messages that are not encrypted with either OTR or mpOTR.
  • XMPP-BOSH is served through an HTTPS proxy so that BOSH traffic is carried over SSL.
  • Servers verify client identities by issuing a challenge to verify that a client holds the secret key matching its public key.

3. Application Decomposition

This section describes the trust boundaries, entry points, exit points, and data flows.

Trust Boundaries:

  • The BOSH server trusts information relayed to it by the HTTPS proxy.
  • The XMPP server trusts information relayed to it by the BOSH server.

Server Entry and Exit Point:

  • Port 443 for HTTPS. Requests are proxied into an internal BOSH server which in turn relays them to the XMPP server.

Data Flows:

  • User login. Users can enter a particular conversation name in the client, which communicates to the server the conversation name and a public key.
  • Message transaction. Users send encrypted messages to the server, which is then responsible for relaying the messages to their appropriate destinations.

4. Threats

In the above chart, points a, b, c, d, e and f (in red) delineate possible points of attack.

Attacks will be judged according to the DREAD model:

  • Damage: How big would the damage be if the attack succeeded?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How much time, effort, and expertise is needed to exploit the threat?
  • Affected Users: If a threat were exploited, what percentage of users would be affected?
  • Discoverability: How easy is it for an attacker to discover this threat?

Each category has a minimum score of 0 and a maximum score of 10. The final DREAD score is the average of the category scores: (D + R + E + A + D) / 5.

Attack point A (User -> Browser):

Phishing Web Application Posing as Cryptocat Plugin

Threat Description: Users with little technical knowledge may be fooled by a phishing website or plugin posing as a legitimate Cryptocat browser extension session.

  • Damage: A user could be compelled to use the phishing application to have conversations or to reveal their nickname/chat room preference. Score: 10
  • Reproducibility: Users with little technical expertise may be susceptible if convinced to visit a website that mimics the behaviour of a legitimate Cryptocat extension. Score: 6
  • Exploitability: Exploitability depends on the user. It is clear to users that Cryptocat operates exclusively as a browser plugin, so whether a user would trust a website posing as a Cryptocat tab depends on the user's technical proficiency. Score: 5
  • Affected Users: Users are affected individually; however, information they reveal to the phishing website may endanger others. Score: 5
  • Discoverability: It's unknown how the notion of discoverability may be measured for this threat. Score: N/A

DREAD Score: 6.5

Attack Point B (Browser -> Client):

Cryptocat Malicious Client Code Delivery

Threat Description: The user could be made to download a malicious version of the Cryptocat Client instead of the legitimate version. The malicious version could contain backdoors and compromised encryption.

  • Damage: A compromised client could lead to the full decryption of all messages sent and received by the user, and allow for further monitoring of the user's behavior. Score: 10
  • Reproducibility: Due to Chrome's use of SSL with HSTS and certificate pinning, reproducing this on Chrome is unlikely. Under Firefox, integrity checks are also very feasible. Score: 3
  • Exploitability: A considerable amount of time, effort and expertise is required for this threat to be pulled off remotely. Score: 3
  • Affected Users: Depending on the malicious actor, a single user could be targeted (if the actor is a hacker connected to a LAN) or an entire nation (if the hacker is an ISP being controlled by a malicious government). Score: 5
  • Discoverability: In the majority of cases, this threat requires extensive testing of the SSL and code delivery infrastructure. Score: 3

DREAD Score: 4.8


Cryptographic Break

Threat Description: An implementation error or protocol specification weakness makes message decryption possible for moderately to highly advanced attackers.

  • Damage: In case of an SSL compromise, any ciphertext would be theoretically decryptable once obtained. In case of no SSL compromise, the Cryptocat XMPP server administrator(s) would still be able to decrypt. Score: 10
  • Reproducibility: A cryptographic break would be required, on top of a way to circumvent the SSL transport. Score: 3
  • Exploitability: Depending on the nature of the cryptographic break, exploitability can necessitate anything from a supercomputer cluster to a single Pentium 3 machine. Score: 5
  • Affected Users: Any user could be affected. Score: 10
  • Discoverability: Discovering this attack is unlikely, due to the open review and auditing model. Score: 2

DREAD Score: 6


Attack Point C (Client -> Network):

Unnoticed User Attack

Threat Description: An unwanted user could join a Cryptocat chat and listen in on a conversation without being noticed by other users.

  • Damage: The public messages in the room from the moment the user joins onward could be read by the user. Private messages and messages sent before the user joined are not affected. Nicknames would also be visible - a possible threat if a user used a nickname that could identify them. Score: 4
  • Reproducibility: The threat is easier to reproduce inside busier group conversations, but extremely unlikely to reproduce in smaller groups. Score: 4
  • Exploitability: While no expertise is required to pull off this attack, it is highly unlikely that a user joining would go unnoticed by other users. Score: 3
  • Affected Users: All users inside a chat that are using the group chat feature. Score: 6
  • Discoverability: The attacker only needs to learn the name of the chat. Score: 7

DREAD Score: 4.8


Unwanted User Attack

Threat Description: An unwanted user could join a Cryptocat chat and listen in on a conversation. This is a denial of service attack.

  • Damage: The public messages in the room from the moment the user joins onward could be read by the user. Therefore, the participants of the room could not continue a group conversation that they don't want to disclose to the newcomer. Nicknames would also be visible - a possible threat if a user used a nickname that could identify them. Score: 2
  • Reproducibility: This is only possible if the attacker knows the name of the conversation. Score: 5
  • Exploitability: Anybody can exploit this without any expertise. Score: 10
  • Affected Users: All users inside a chat that are using the group chat feature. Score: 6
  • Discoverability: The attacker only needs to learn the name of the chat. Score: 7

DREAD Score: 6


Attack Point D (Network -> HTTPS Proxy):

SSL Man-in-the-Middle

Threat Description: The HTTPS proxy's SSL certificate, used for authentication, could be man-in-the-middled via a Certificate Authority compromise or other means.

  • Damage: The attacker would be able to intercept, read and modify the stream of encrypted communications sent to and from the client. However, since the client already uses client-side encryption for messages, the messages should remain intact and undeciphered. Score: 6
  • Reproducibility: Measures such as HSTS, responsible CA delegation and certificate pinning in browsers make this threat difficult to reproduce. Score: 3
  • Exploitability: A considerable amount of time, effort and expertise is required for this threat to be pulled off remotely. Score: 3
  • Affected Users: Depending on the malicious actor, a single user could be targeted (if the actor is a hacker connected to a LAN) or an entire nation (if the hacker is an ISP being controlled by a malicious government). Score: 5
  • Discoverability: Depending on the Certificate Authority's operational security, the ability to control the Certificate Authority to forge certificates may range from extremely easy to very difficult. However, cases such as DigiNotar and even VeriSign have made this a real threat, even with trusted Certificate Authorities. Score: 6

DREAD Score: 4.6


Server DDoS Attack

Threat Description: The XMPP server could face a DoS attack that would prevent users from having Cryptocat conversations using that specific XMPP server.

  • Damage: The XMPP service would be brought down and conversations would be impossible; however, Cryptocat supports connecting to any XMPP-BOSH server and thus the threat is on a per-server basis rather than global. While an outage may occur, user confidentiality, security and privacy are not compromised. Score: 3
  • Reproducibility: Most XMPP servers are unlikely to have any DDoS protection. Score: 7
  • Exploitability: DDoS attacks require little technical know-how, but do require significant resources in most cases. Score: 6
  • Affected Users: All users of the targeted XMPP server would be affected. Users connected to another XMPP server would not be affected. Score: 8
  • Discoverability: Threat requires no measures to be undertaken for discoverability. Score: 10

DREAD Score: 6.8


Attack Point E (HTTPS Proxy -> BOSH Server):

Web Server Compromise

Threat Description: Cryptocat's main server (which serves Cryptocat client downloads or similar sensitive links) is compromised and backdoored.

  • Damage: Download links could be changed to point to malicious browser plugins. However, plugin signatures and external hosting (such as on Google Chrome and Mozilla Firefox plugin download websites) likely make this less simple. Score: 8
  • Reproducibility: It is possible to secure Cryptocat's download servers against such attacks. Methods of server hardening are known and well-studied. Score: 5
  • Exploitability: Breaking into a server requires significant knowledge and skill, including finding a security hole either in the server's software (SSHD, HTTPD, etc.) or in the human security factors governing the server. Score: 3
  • Affected Users: Everyone attempting to download, use or learn more about Cryptocat is likely to be somehow affected. However, those who have already installed Cryptocat are not affected. Score: 9
  • Discoverability: Threat requires extensive penetration testing in order to discover if it potentially exists. Score: 2

DREAD Score: 5.4


Attack Point F (BOSH Server -> XMPP Server):

XMPP Server Compromise

Threat Description: Cryptocat's XMPP server (which relays XMPP messages and connections) is compromised by a third party.

  • Damage: The attacker could delay or drop any message of his choosing. The attacker could also delay and drop user connections. The attacker could also selectively transfer messages to a few instead of all members of a conversation. Unless the attacker is also a member of said conversation, the attacker cannot decrypt or read messages. Score: 8
  • Reproducibility: The possibility of a full remote compromise of an XMPP server is unknown and ambiguous. Score: 5
  • Exploitability: Breaking into a server requires significant knowledge and skill, including finding a security hole either in the server's software (SSHD, HTTPD, etc.) or in the human security factors governing the server. Score: 3
  • Affected Users: Everyone connected to the XMPP server could potentially be affected. Score: 9
  • Discoverability: Threat requires extensive penetration testing in order to discover if it potentially exists. Score: 2

DREAD Score: 5.4
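
As an added example (not part of the original wiki or of the Cryptocat project), the following Python parses threat entries in this page's layout, recomputes each DREAD score and ranks the results. It assumes that a category marked N/A is left out of the average, which is what reproduces the stated 6.5 for the phishing threat (26 / 4); dividing by five as the formula is written would give 5.2. The names `dread` and `audit` are hypothetical.

```python
import re

# Constructed sample in this page's layout; scores copied from two entries above.
SAMPLE = """\
Phishing Web Application Posing as Cryptocat Plugin
  • Damage: (text omitted) Score: 10
  • Reproducibility: (text omitted) Score: 6
  • Exploitability: (text omitted) Score: 5
  • Affected Users: (text omitted) Score: 5
  • Discoverability: (text omitted) Score: N/A
DREAD Score: 6.5
SSL Man-in-the-Middle
  • Damage: (text omitted) Score: 6
  • Reproducibility: (text omitted) Score: 3
  • Exploitability: (text omitted) Score: 3
  • Affected Users: (text omitted) Score: 5
  • Discoverability: (text omitted) Score: 6
DREAD Score: 4.6
"""
CATEGORIES = {"Damage", "Reproducibility", "Exploitability",
              "Affected Users", "Discoverability"}
BULLET = re.compile(r"^\s*•\s*([^:]+):.*Score:\s*(N/A|\d+)\s*$")
TOTAL = re.compile(r"^DREAD Score:\s*(\d+(?:\.\d+)?)\s*$")

def dread(scores):
    """Average the rated categories; N/A (None) is left out of the divisor."""
    if set(scores) != CATEGORIES:
        raise ValueError(f"expected exactly {sorted(CATEGORIES)}")
    rated = [v for v in scores.values() if v is not None]
    if not rated or any(not 0 <= v <= 10 for v in rated):
        raise ValueError("need at least one score, each within 0..10")
    return round(sum(rated) / len(rated), 1)

def audit(text):
    """Return (title, recomputed, matches_stated) rows, highest score first."""
    rows, title, scores = [], None, {}
    for line in text.splitlines():
        if m := BULLET.match(line):
            scores[m[1].strip()] = None if m[2] == "N/A" else int(m[2])
        elif m := TOTAL.match(line):
            got = dread(scores)
            rows.append((title, got, abs(got - float(m[1])) < 0.05))
            scores = {}
        elif line.strip() and ":" not in line:  # threat titles carry no colon
            title = line.strip()
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A row whose third field is `False` marks an entry whose stated total no longer matches its category scores, which is worth checking whenever a score is revised.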


5. Vulnerabilities

No vulnerabilities have been formally identified. Please contribute to this section!