Opened 3 years ago

Last modified 8 months ago

#10944 new task

Audit Instantbird's security

Reported by: sukhbir
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Messenger
Version:
Severity: Normal
Keywords:
Cc: gk, arlolra
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We need a thorough security audit of Instantbird which checks for things like:

  • render attack surface (content window, XSS filter, etc.)
  • crypto in NSS and how JS uses it (if we use it?)
  • interface between the UI and OTR
  • Proxy bypass issues
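
One concrete way to work the proxy-bypass item of the list above, as an added example that is not part of the ticket and not Tor Messenger's own tooling: run the application under `strace -f -e trace=connect,sendto`, then sort every outgoing socket call into "went to the SOCKS proxy", "DNS outside Tor", "other loopback service" or "direct connection". The trace below is constructed for the example, not captured from a real run; the SOCKS endpoint 127.0.0.1:9150 is an assumption (check the bundle's torrc and network.proxy.* prefs for the real value), and the hosts are documentation addresses.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]

# Assumed SOCKS endpoint of the bundled tor (example assumption, not a
# value taken from the Tor Messenger configuration).
DEFAULT_ALLOWED: Set[Endpoint] = {("127.0.0.1", 9150)}

# Constructed strace excerpt in the format `strace -f -e trace=connect,sendto`
# prints; not from a real Tor Messenger session.
SAMPLE_TRACE = """\
[pid 4242] connect(21, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X0"}, 20) = 0
[pid 4242] connect(34, {sa_family=AF_INET, sin_port=htons(9150), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 4242] connect(35, {sa_family=AF_INET, sin_port=htons(9150), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 4250] sendto(36, "\\x12\\x34\\x01\\x00..."..., 43, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.0.0.1")}, 16) = 43
[pid 4250] connect(37, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.5")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 4251] connect(38, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = 0
"""

_SYSCALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?P<call>connect|sendto)\(")
_INET4 = re.compile(r'sin_port=htons\((?P<port>\d+)\), sin_addr=inet_addr\("(?P<host>[^"]+)"\)')
_INET6 = re.compile(r'sin6_port=htons\((?P<port>\d+)\).*?inet_pton\(AF_INET6, "(?P<host>[^"]+)"')


def parse_endpoint(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (syscall, host, port) for a connect/sendto line carrying an IP
    sockaddr, (syscall, 'unix', 0) for an AF_UNIX address, or None when the
    line is not a connect/sendto we can interpret."""
    m = _SYSCALL.match(line)
    if not m:
        return None
    call = m.group("call")
    if "sa_family=AF_UNIX" in line:
        return (call, "unix", 0)
    for rx in (_INET4, _INET6):
        a = rx.search(line)
        if a:
            return (call, a.group("host"), int(a.group("port")))
    return None  # a socket family this example does not model


def classify(line: str, allowed: Set[Endpoint] = DEFAULT_ALLOWED) -> Optional[Dict[str, object]]:
    """Classify one trace line; None if it is not a connect/sendto."""
    parsed = parse_endpoint(line)
    if parsed is None:
        return None
    call, host, port = parsed
    if host == "unix":
        verdict = "ok"            # local IPC (X11, D-Bus, ...), no network path
    elif (host, port) in allowed:
        verdict = "ok"            # reached the SOCKS proxy as intended
    elif port == 53:
        verdict = "dns-leak"      # name resolution outside Tor reveals the peer
    elif host in ("127.0.0.1", "::1"):
        verdict = "loopback"      # another local service; review, not a leak by itself
    else:
        verdict = "proxy-bypass"  # direct connection that Tor never saw
    return {"call": call, "host": host, "port": port, "verdict": verdict}


def audit_trace(trace: str, allowed: Set[Endpoint] = DEFAULT_ALLOWED) -> List[Dict[str, object]]:
    """Classify every connect/sendto in a trace; other lines are skipped."""
    results = []
    for line in trace.splitlines():
        r = classify(line, allowed)
        if r is not None:
            results.append(r)
    return results


def leaks(trace: str, allowed: Set[Endpoint] = DEFAULT_ALLOWED) -> List[Dict[str, object]]:
    """Only the findings an auditor has to act on."""
    return [r for r in audit_trace(trace, allowed) if r["verdict"] in ("dns-leak", "proxy-bypass")]


if __name__ == "__main__":
    for r in audit_trace(SAMPLE_TRACE):
        print(f'{r["verdict"]:13} {r["call"]:7} {r["host"]}:{r["port"]}')
```

On the constructed trace the two SOCKS connects and the X11 socket pass, the UDP packet to port 53 is reported as a DNS leak and the two direct 443 connects as proxy bypasses. The "loopback" bucket exists so that a connection to some other local port (a control port, a local DNS stub) is surfaced for review rather than silently accepted or misreported as a bypass; an IPv6 connect to the proxy is flagged too unless ("::1", port) is added to the allowed set, which is deliberate, since the proxy preference names one address.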

Child Tickets

Attachments (1)

audit_tor_messenger0.0.6 (3.6 KB) - added by gk 2 years ago.


Change History (17)

comment:1 Changed 3 years ago by sukhbir

  • Keywords SponsorO added

comment:2 Changed 3 years ago by gk

  • Cc gk added

comment:4 Changed 3 years ago by sukhbir

  • Keywords TorMessengerPublic added
  • Parent ID set to #14161

comment:5 Changed 3 years ago by sukhbir

  • Owner set to sukhbir
  • Status changed from new to assigned

comment:6 Changed 2 years ago by arlolra

  • Cc arlolra added

comment:7 Changed 2 years ago by gk

I talked to Florian today and he gave me some hints and useful information for auditing. I plan to work on some of the above points, although I probably won't have the time to cover all things mentioned in the description.

comment:8 Changed 2 years ago by arlolra

That's great to hear. Thanks!

comment:9 Changed 2 years ago by arlolra

The twitter protocol uses a <browser> element to OAuth. There may be other uses. Noting to investigate.

comment:10 Changed 2 years ago by gk

Attached are the things I did and found while looking at Tor Messenger (essentially version 0.0.6, I guess). It contains some ToDos for the next audit as well.

Changed 2 years ago by gk

comment:11 Changed 2 years ago by arlolra

Thanks gk! That was very helpful. I reopened a few tickets and copied findings to their relevant tasks.

comment:12 Changed 2 years ago by sukhbir

  • Parent ID #14161 deleted

Removing parent (#14161) as blocker as we already have tickets for the tasks.

comment:13 Changed 21 months ago by arlolra

  • Keywords SponsorO removed

comment:14 Changed 21 months ago by arlolra

  • Keywords TorMessengerPublic removed

comment:15 Changed 8 months ago by arlolra

  • Owner sukhbir deleted
  • Severity set to Normal

comment:16 Changed 8 months ago by arlolra

  • Status changed from assigned to new