Opened 4 years ago

Last modified 11 months ago

#10944 new task

Audit Instantbird's security

Reported by: sukhbir
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Messenger
Version:
Severity: Normal
Keywords:
Cc: gk, arlolra
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We need a thorough security audit of Instantbird which checks for things like:

  • render attack surface (content window, XSS filter, etc.)
  • crypto in NSS and how JS uses it (if we use it?)
  • interface between the UI and OTR
  • Proxy bypass issues

Child Tickets

Attachments (1)

audit_tor_messenger0.0.6 (3.6 KB) - added by gk 2 years ago.


Change History (17)

comment:1 Changed 4 years ago by sukhbir

Keywords: SponsorO added

comment:2 Changed 4 years ago by gk

Cc: gk added

comment:4 Changed 3 years ago by sukhbir

Keywords: TorMessengerPublic added
Parent ID: #14161

comment:5 Changed 3 years ago by sukhbir

Owner: set to sukhbir
Status: new → assigned

comment:6 Changed 3 years ago by arlolra

Cc: arlolra added

comment:7 Changed 3 years ago by gk

I talked to Florian today and he gave me some hints and useful information for auditing. I plan to work on some of the above points, although I probably won't have the time to cover all things mentioned in the description.

comment:8 Changed 3 years ago by arlolra

That's great to hear. Thanks!

comment:9 Changed 2 years ago by arlolra

The Twitter protocol uses a <browser> element to OAuth. There may be other uses. Noting to investigate.

comment:10 Changed 2 years ago by gk

Attached are the things I did and found while looking at Tor Messenger (essentially version 0.0.6, I guess). It contains some ToDos for the next audit as well.

Changed 2 years ago by gk

Attachment: audit_tor_messenger0.0.6 added

comment:11 Changed 2 years ago by arlolra

Thanks gk! That was very helpful. I reopened a few tickets and copied findings to their relevant tasks.

comment:12 Changed 2 years ago by sukhbir

Parent ID: #14161 removed

Removing parent (#14161) as blocker as we already have tickets for the tasks.

comment:13 Changed 2 years ago by arlolra

Keywords: SponsorO removed

comment:14 Changed 2 years ago by arlolra

Keywords: TorMessengerPublic removed

comment:15 Changed 11 months ago by arlolra

Owner: sukhbir deleted
Severity: Normal

comment:16 Changed 11 months ago by arlolra

Status: assigned → new