blog.mirabellette.eu

A blog about digital independence and autonomy

I failed to install Firefox Accounts Server

Written by Mirabellette / 06 October 2018 / no comments

In order to become more and more independent, and because I trust the Mozilla Foundation less and less, I decided to run the Firefox authentication system myself (without Docker). For those who do not know, Firefox separates the authentication system from the storage system. You can manage your data (bookmarks, history, tabs, profile) with Firefox Sync; I deployed it previously and a tutorial is available here. After hosting the most important part of the data Firefox manages, I wanted to host the whole thing. I worked on it for 21 hours and was still not able to run it properly. I decided to share my experience.

Criticism

Firefox Accounts Server is built following a microservices architecture. For those who do not know it, this divides an application into several smaller applications. Each of them should have a specific role and perimeter: for example, one microservice dedicated to sending email and another dedicated to the user interface. However, if not well built and documented, this architecture has some disadvantages. Below is a list from Wikipedia:

  • Services form information barriers
  • Inter-service calls over a network have a higher cost in terms of network latency and message processing time than in-process calls within a monolithic service process
  • Testing and deployment are more complicated
  • Moving responsibilities between services is more difficult. It may involve communication between different teams, rewriting the functionality in another language or fitting it into a different infrastructure
  • Viewing the size of services as the primary structuring mechanism can lead to too many services when the alternative of internal modularization may lead to a simpler design.

Unfortunately, I think the Firefox Accounts Server falls into most of them. They are improving it, but there is still so much work to do, especially because it seems the Mozilla Foundation wants to keep compatibility with the past. Below is the list of issues I found which made it really hard to deploy and which show why it is obsolete.

  • Each microservice has its own structure. In some of them the configuration is in config/index.js, another one has it in /server/config/local.json, and in another one you have two files to configure.
  • Each microservice has its own way of running. For example, the run command differs, and in some cases you need to build the code before it can run.
  • The documentation is clearly lacking (no systemd unit, no reverse proxy configuration). Anybody who tries to run it by following the documented process will most of the time fail, because some part of it is undocumented or obsolete.

Regarding the Firefox Accounts Server in general: I am sorry to say it, but it is clearly out of date and has vulnerabilities inside. On obsolescence, there is the need to use MySQL 5.6; on vulnerabilities, there are the node module vulnerabilities reported by npm during installation. It is not ready to be deployed by anyone other than someone who works on this project or on the Mozilla Firefox platform. I cannot imagine for one second a system administrator without development skills being able to deploy it in less than 3 days.

Just another example of the mess: I opened an issue here about the difficulties I had. Two people from Mozilla answered. The first answer was pertinent and helped me in the process. The second one was clearly off topic; I am not even sure he read it. He just repeated one thing I had said, a thing which does not work, and closed the issue without giving a fuck. Yes, he closed it without waiting for my answer. I had just spent three days trying to make it work before asking for help, and my issue was closed like "OK, thank you".

My responsibility

My lack of knowledge was, of course, one reason I could not succeed at this task. Even if I have deployed dozens of applications, I am not used to deploying microservice applications. The only comfort I have is that I am not the only one who did not succeed.

Installation process

I spent three days deploying and configuring Firefox Accounts Server. For those who are interested, below is the process I followed to be able to run them. I was able to run 5 services (maybe more are required to make the whole thing work), but some of them still have issues. The list of microservices I deployed:

  • fxa-auth-db-mysql
  • fxa-auth-server
  • fxa-content-server
  • fxa-oauth-server
  • fxa-profile-server

Global installation

In order to prepare the system, you need to do the following:

adduser --system --shell /usr/sbin/nologin --group firefox
As npm needs a home directory, we do not add the --no-create-home option.

apt update && apt install -y git python sudo make gcc g++

On Debian 9, you will need to install mysql-server only, without MariaDB.

apt install lsb-release # necessary to install mysql
wget https://dev.mysql.com/get/mysql-apt-config_0.8.10-1_all.deb
dpkg -i mysql-apt-config_0.8.10-1_all.deb
apt update
apt install mysql-server

You have to choose MySQL version 5.6; I tested with version 8 and with MariaDB and it doesn't work.

cd /opt
# Get the latest stable version of node
wget https://nodejs.org/dist/v8.12.0/node-v8.12.0-linux-x64.tar.xz -P /opt
tar xf node-v8.12.0-linux-x64.tar.xz
ln -s /opt/node-v8.12.0-linux-x64/bin/node /bin/
ln -s /opt/node-v8.12.0-linux-x64/bin/npm /bin/

Tips

To find the configuration files easily, I recommend using grep as much as possible and reading the package.json file, which can help you find the run command. You can find interesting things with:

grep -R 127.0.0.1 --exclude-dir=node_modules *
grep -R public_url -i --exclude-dir=node_modules *

Part of the installation process of Firefox Accounts database service

I still have issues with it. Hostname used: db.example.com

git clone https://github.com/mozilla/fxa-auth-db-mysql.git
chown firefox:firefox -R fxa-auth-db-mysql
cd /opt/fxa-auth-db-mysql
sudo -u firefox npm install
# found 28 vulnerabilities (21 low, 5 moderate, 1 high, 1 critical)

sudo -u firefox NODE_ENV=prod npm start

vim config/config.js

Firefox Accounts Server

I still have issues with it. Hostname used: auth.example.com

# Cloned over https like the other services (git:// is unauthenticated).
git clone https://github.com/mozilla/fxa-auth-server.git
chown firefox:firefox -R fxa-auth-server
cd /opt/fxa-auth-server
sudo -u firefox npm install --production
sudo -u firefox NODE_ENV=prod npm start

To change the listen address of the server, you have to modify the file config/index.js and replace this block:

publicUrl: {
  format: 'url',
  default: 'http://127.0.0.1:9000',
  env: 'PUBLIC_URL'
},

Firefox Accounts Content Server

Hostname used: account.example.com

You will need to install OpenJDK. Search for it with the command below and install the most recent version available for your distribution; for me, it was openjdk-8-jre.

apt-cache search java | grep openjdk
apt update && apt install openjdk-8-jre

git clone https://github.com/mozilla/fxa-content-server.git
chown firefox:firefox -R fxa-content-server
cd /opt/fxa-content-server
sudo -u firefox npm install --production
sudo -u firefox npm install bluebird
sudo -u firefox npm run build-production
# found 7 vulnerabilities (6 low, 1 moderate)
sudo -u firefox NODE_ENV=production npm run start-production

All the configuration is in the file server/config/local.json-dist. Firefox Content Server loads its configuration from a file we have to create; it should be a copy of local.json-dist.

cd server/config/
# The copy must sit next to local.json-dist, under server/config/
sudo -u firefox cp local.json-dist local.json
# First of all, we have to replace the secret "YOU_MUST_CHANGE_ME" with a random value:
head -c 20 /dev/urandom | sha1sum

vim server/lib/configuration.js

public_url: {
  default: 'http://127.0.0.1:3030',
  doc: 'The publically visible URL of the deployment',
  env: 'PUBLIC_URL'
},

I recommend disabling CSP because the implementation is completely obsolete: it still uses X-Content-Security-Policy, which has been obsolete since Firefox 23!

vim server/config/production.json
# csp:false
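The secret-replacement step above and the grep tip from the Tips section, worked through as one script. This is an added example, not code from the post or from Mozilla's fxa-content-server. It builds a local.json from a constructed local.json-dist sample (the key names cookie_secret and public_url in the sample are assumptions for illustration, not necessarily the real file's keys), replaces every YOU_MUST_CHANGE_ME with a fresh sha1sum-derived secret exactly as the post generates it, rewrites public_url, restricts the file's permissions, and then checks that no placeholder secret or loopback URL remains before the file is used.

```shell
#!/bin/sh
# Added example (not part of the original post or of Mozilla's fxa code):
# produce the real config from a *-dist template with a fresh secret, then
# check that no placeholder or loopback-only URL survived.

set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample template. Key names are assumptions for illustration;
# the real server/config/local.json-dist has many more entries.
cat > "$WORKDIR/local.json-dist" <<'EOF'
{
  "public_url": "http://127.0.0.1:3030",
  "cookie_secret": "YOU_MUST_CHANGE_ME",
  "port": 3030
}
EOF

# Generate a 40-hex-character secret the same way the post does.
new_secret() {
  head -c 20 /dev/urandom | sha1sum | cut -d ' ' -f 1
}

# make_local_config TEMPLATE DEST PUBLIC_URL
# Copies TEMPLATE to DEST, replacing every YOU_MUST_CHANGE_ME with a fresh
# secret and the public_url value with PUBLIC_URL, then makes DEST readable
# only by its owner (the file now holds a secret).
make_local_config() {
  template=$1; dest=$2; public_url=$3
  secret=$(new_secret)
  # Escape the characters that are special in the sed replacement below.
  esc_url=$(printf '%s' "$public_url" | sed 's/[&|]/\\&/g')
  sed -e "s/YOU_MUST_CHANGE_ME/$secret/g" \
      -e "s|\"public_url\": *\"[^\"]*\"|\"public_url\": \"$esc_url\"|" \
      "$template" > "$dest"
  chmod 600 "$dest"
}

# check_local_config FILE
# Returns 0 if no placeholder secret remains and nothing still points at
# 127.0.0.1 (the post's grep tip); otherwise prints the offending lines
# and returns 1.
check_local_config() {
  file=$1
  status=0
  if grep -n 'YOU_MUST_CHANGE_ME' "$file"; then
    echo "placeholder secret still present in $file" >&2
    status=1
  fi
  if grep -n '127\.0\.0\.1' "$file"; then
    echo "loopback URL still present in $file" >&2
    status=1
  fi
  return $status
}

# Demo run on the constructed template.
make_local_config "$WORKDIR/local.json-dist" "$WORKDIR/local.json" \
  "https://account.example.com"
check_local_config "$WORKDIR/local.json" && echo "local.json is ready"
```

Running the check against the untouched template fails on both counts, which is the point: a config that still carries the shipped placeholder or a loopback public URL is exactly what the post's grep commands are meant to catch before the service is started.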

Firefox Accounts OAuth Server

Hostname used: oauth.example.com

git clone https://github.com/mozilla/fxa-oauth-server.git
chown firefox:firefox -R fxa-oauth-server/
cd /opt/fxa-oauth-server/
sudo -u firefox npm install
# found 7 vulnerabilities (5 low, 1 high, 1 critical)
sudo -u firefox npm audit fix
sudo -u firefox npm start

Firefox Accounts Profile Service

Hostname used: profile.example.com

apt update && apt -y install graphicsmagick

git clone https://github.com/mozilla/fxa-profile-server.git
chown firefox:firefox -R fxa-profile-server
cd /opt/fxa-profile-server
sudo -u firefox npm install
# found 14 vulnerabilities (7 low, 6 moderate, 1 high)
sudo -u firefox NODE_ENV=prod npm start
vim lib/config.js
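The post complains above that no systemd unit is documented, and every service in the procedure is started by hand as the firefox user. As an added example (not from the post or from Mozilla's repositories), the function below emits a hardened unit for one of these checkouts, but only after checking that the directory is owned by the service user and that its package.json has a start script for npm start to run. Assumptions: /bin/npm is the symlink created in the global installation step, npm start is the right run command for the service (the post notes this differs between services), MySQL runs as mysql.service, and the demo checkout at the bottom is constructed in a temporary directory, not a real fxa repository.

```shell
#!/bin/sh
# Added example, not from the original post or from Mozilla's fxa code:
# emit a hardened systemd unit for one fxa microservice, after checking that
# the checkout can actually be run by the unprivileged service user.

set -e

# fxa_unit NAME DIR USER
# Prints a unit for service NAME checked out at DIR and run as USER.
# Refuses (exit 1, message on stderr) if DIR is missing, is not owned by
# USER, or has no "start" script in package.json for `npm start` to run.
fxa_unit() {
  name=$1; dir=$2; user=$3
  if [ ! -d "$dir" ]; then
    echo "fxa_unit: $dir is not a directory" >&2; return 1
  fi
  # `find DIR -prune -user USER` prints DIR only when USER owns it.
  if [ -z "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
    echo "fxa_unit: $dir is not owned by $user" >&2; return 1
  fi
  if ! grep -q '"start"' "$dir/package.json" 2>/dev/null; then
    echo "fxa_unit: no start script in $dir/package.json" >&2; return 1
  fi
  cat <<EOF
[Unit]
Description=Firefox Accounts $name
After=network.target mysql.service

[Service]
Type=simple
User=$user
Group=$user
WorkingDirectory=$dir
Environment=NODE_ENV=prod
# /bin/npm is the symlink created in the global installation step (assumed).
ExecStart=/bin/npm start
Restart=on-failure
# Hardening: no privilege escalation, read-only system, write access only
# to the checkout, and a private /tmp.
NoNewPrivileges=true
ProtectSystem=full
ReadWritePaths=$dir
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Demo on a constructed checkout (not a real fxa service): a temporary
# directory owned by the current user with a minimal package.json.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/fxa-auth-server"
echo '{"name":"fxa-auth-server","scripts":{"start":"node ./bin/server.js"}}' \
  > "$demo/fxa-auth-server/package.json"
fxa_unit fxa-auth-server "$demo/fxa-auth-server" "$(id -un)"
```

On a real host the output would be written to /etc/systemd/system/fxa-auth-server.service with the firefox user and /opt/fxa-auth-server, followed by systemctl daemon-reload. The ownership and start-script checks mirror the chown and npm start steps of the procedure, so a unit is only generated for a checkout that was prepared the way the post describes.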

Sources

Conclusion

I hope this will motivate you NOT to try to install it and will save you time. I hope they will improve it and make it easier to configure and deploy. Maybe one day we will be able to use only the Mozilla Firefox browser and manage everything behind it ourselves. Maybe.

Social media

If you find this article useful, feel free to follow my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone.

Some news about the blog 5 : July-August 2018

Written by Mirabellette / 10 September 2018 / no comments

Hello Everyone

I decided to publish an article about the blog in general each month. Contrary to what I said, I have decided to publish this article every two months, as I now think publishing it every month is not really relevant. In this article, you will be able to know:

  • What I achieved during this period.
  • What I accomplished for the community.
  • How popular the blog and services are.
  • Balance sheet of the period.
  • Some words about what I think for the next period.

This article is about the months of July and August 2018.

Period achievements

Articles

Events

  • Nothing special.

The blog

  • Improved the accuracy of the statistics tool.
  • I added a count of RSS requests per day, grouped by IP address. It helps me know whether the blog interests people.
  • I added a short text about the personal data I store and how I handle it.

Give back to the community

  • As I based my filter on a GitHub repository of bots, I can now automatically extract the bots which request my website and which are not in the GitHub repository. I will extract this list of bots each month and add it to the GitHub repository.
  • I published a small commit to Mastodon about the documentation.
  • A small donation, as each month, to an association or service I find useful.

Balance sheet of the period

Statistics for this period

Some charts about the month of July:

[Charts for July: views per day, views per page, referrers]

Some charts about the month of August:

[Charts for August: views per day, views per page, referrers]

  • Except for the days around the publication on social media, visits are around 30 per day.

My point of view

I had a little time off at the end of August. I did not really know what I could write about, and I was questioning the sense of it. Even if I know I primarily write for myself, I expected to bring something useful to the community. I am beginning to accept that this blog will not change anything, and I am beginning to think about using my time in a better way.

For the next month

  • I do not know.

Classified in : Blog / Tags : none

Why and when install a custom Android distribution?

Written by Mirabellette / 04 September 2018 / no comments

Hello guys,

Sorry for the small delay, but I was not sure what I wanted to write about for the month of September.

Introduction

Today, I would like to talk about mobile operating systems, especially those based on Android. For those who do not know, Android is an open-source operating system, and each manufacturer may customise it with features or tweaks. A customised Android operating system is called a distribution. I do not know the iOS environment, which is why I will not talk about it here.

A little lexicon:

  • iOS: iPhone operating system
  • FAD: Factory Android Distribution
  • CAD: Custom Android Distribution

Why and when install a custom Android distribution?

The issues with the Factory Android Distribution (FAD)

Manufacturers do a lot of work to provide a good mobile phone. However, they are motivated by money, contrary to users, who are motivated by a good experience and good products.

Firstly, the most important issue is updates. Android mobile phones tend to be updated for only two years in general. After this period, your smartphone will not be updated anymore. That means it will contain known vulnerabilities without any possibility to fix them.

As your phone has very sensitive features (GPS, microphone, camera, sensitive personal data), a compromised mobile phone could create a lot of issues. For example, the GPS could be used in an abusive way. An example is the recent vulnerability published on the 29th of August.

Below is the distribution of Android versions deployed on smartphones.

[Chart: Android version distribution]

You can see that in February 2018 there were:

  • Around 10% on Android 4.4 (released on October 31, 2013)
  • Around 25% on Android 5.0-5.1 (released on November 12, 2014)
  • Around 28% on Android 6.0 (released on October 5, 2015)
  • Around 25% on Android 7.0-7.1 (released on August 22, 2016)

I do not know if you understand how bad it is. That just means around 90% of the FAD are not up to date and contain known vulnerabilities. Or, if we are less demanding, it is 65% which is obsolete. For me, that just means one thing: never trust your Android smartphone or the Android smartphone of your friends. iOS (the operating system for Apple phones) is better but not perfect about security updates. I did not find the chart, but most of the devices are "up to date".

Secondly, as they are mainly interested in profit or have to follow government rules, it appears that some devices track phone calls, contacts, data and phone usage.

Pros

  • Custom Android Distributions (CAD) generally tend to provide a more recent Android version. That means better security, better performance, better features and better battery life.
  • CAD do not contain manufacturer features and improvements. You are also free not to install Google applications. That means no tracking features.
  • CAD generally add features which improve the management of your phone: for example, better tools to manage backups, updates or security. They often have features to manage privacy more precisely. Some applications are made by the maintainers and are free to install.
  • I do not know about the other distributions, but the LineageOS community provides a very good tutorial about how to install it on your smartphone. An example can be found here with the Galaxy S3.

Cons

  • Replacing the Factory Android Distribution with one of your choice is not easy and requires time. You need to understand the different steps of the process and, broadly, how an Android operating system works. Contrary to what you might think, you will not develop anything at all. You also need to do a little analysis of what you will gain and lose, and you need to make the required backups. It took me approximately 12 hours to do it and have a fully operational mobile phone, while I did not have a lot of knowledge about the process.
  • CAD do not contain manufacturer features and improvements. It could be positive, but it could also be negative: you could lose manufacturer tweaks and have worse performance. You will never know before trying.
  • Most of the time, unlocking the bootloader (a step required to replace your Android distribution) will void the warranty.
  • Some features may not work properly (high energy consumption, cameras which do not work, or even crashes sometimes). However, it could be fixed in the next release, which is published each week on LineageOS. For example, I was without a front camera and GPS for one month.
  • Less stable than FAD: the mobile phone may crash, and there is a higher chance of losing your data when updating. Hopefully you also have a better tool to get it back, but it may not work every time.

When to replace the factory Android distribution?

For casual users or users who do not want a lot of issues: when your mobile phone is not updated anymore. When you are in this situation, that means your mobile phone is older than 2 years and the CAD should be quite stable. The tutorial should be quite complete. Issues should be known, fixed, or have some workaround available.

For expert users and experimental users: some months after the manufacturer releases the new phone. It should give the maintainers the time to develop a stable enough version for your phone. In case of issues, you should be able to roll back to the previous release on your own.

Advice and warnings about a mobile phone with CAD

  • Choose a quite popular mobile phone. The more people use it, the more probable it is that a custom Android distribution will support it well. Quite popular does not mean with a lot of hardware backdoors; you have some choices.
  • Do as little as possible with your phone. First of all, because the mobile phone environment is far more dangerous than the desktop environment. Proprietary applications can literally siphon your data, track your location, use your camera, and listen to what is around you. Even if you are up to date with a recent phone, your mobile phone could be exploited to hear what is around you, to locate you, to film around you. Secondly, because you use a CAD, it means less stability; you should be ready for it.
  • Each custom Android distribution has its own purpose. Choose carefully the one you will install with regard to stability, performance, security and maintainability.

Conclusion

You now have some arguments to make your decision.

Sources

Social media

If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

Important principles in cybersecurity - 2

Written by Mirabellette / 01 August 2018 / no comments

Introduction

Today, I would like to share the second part of the article about important principles in cybersecurity. You can find the first part of this series here.

No usability means no security

This is probably one of the most important principles in cybersecurity. When you are a security professional, you are concerned about the risk of leaks and password disclosure. That means you are ready to make some effort to prevent this. However, even if you are aware of that, it is tiring and demanding.

Let's go with an example most of us know. Imagine you have hundreds of websites you need to log in to. Nowadays, websites ask for long, complex passwords. People who are not concerned about security will choose a password and write it next to their keyboard or, worse, pick something easy to remember. That means that even if you force the user to use only very difficult passwords, if it is not easy for him to get through, he will find a way to do it easily.

Speed is crucial

Each day, multiple vulnerabilities are published and accessible to anybody. In an interview, the NSA claimed to be able to turn a vulnerability into a usable exploit in 24 hours. That means, if you are targeted by them, you should be able to patch your services and systems before the exploit is ready. If an agency can do that in 24 hours, we can presume another agency could fix and deploy with the same efficiency, in 24 hours.

Come back to the real world, where we are just system administrators and developers maintaining systems and applications. Patches tend to be created before exploits spread. It was the case for Petya and NotPetya. That means, if you are fast enough, you can update your systems before they are attacked. But what can you do if you cannot?

Multiple layers of security are the answer to threats

You must admit that each of your security layers could be vulnerable and compromised. It is your responsibility as a system administrator, software developer or cybersecurity expert to reduce the vulnerability of the layers you are responsible for to the minimum. An example of an effective layer is the user management system in every operating system: there is a normal user with reduced rights and a superuser, root, who has more rights. It is basic security advice, but not everybody really follows it, even in the cybersecurity field, where the famous penetration-testing distribution Kali Linux has by default only one user with all rights.

Always be sure about the information before doing something

There is a lot of mythology and approximation in every field, and cybersecurity is not spared. In an important position in a company, your words matter and could have important consequences. That means you must be sure about what you say. Often, people speak without knowing enough. For cybersecurity, that means you should answer these 3 questions:

  • Is the vulnerability real?
  • Could some of our systems or applications be threatened by it?
  • Should I mitigate it, and how?

Most of the time, people will ask you about the vulnerability or threat before you have a clear idea of the situation. It is important not to make presumptions. The more accurate you are about what you know, the better you will be able to react to the situation.

Let's try with the shiny vulnerability Efail.

We have a wonderful website and one public communication from the EFF about what we should do BEFORE any information was publicly disclosed. The Electronic Frontier Foundation (EFF) is an international non-profit digital rights group based in San Francisco, California. EFF recommended immediately disabling and/or uninstalling tools that automatically decrypt PGP-encrypted email. They are listened to by a lot of people and have a quite good reputation. However, if we do what they recommend, that means changing something based only on the trust we have in them. At this moment, your shiny warning light should be ringing loudly and asking you to wait a little in order to know more.

The day after, the vulnerability explanation was published. When we read it carefully, it appears it does not concern OpenPGP itself but only some products which manage emails. Below are the specific conditions necessary for an opponent to exploit it.

  • Your email client must be vulnerable.
  • Your email client must decrypt encrypted email automatically.
  • You must have the private key for the encrypted email loaded in your email client.
  • You must have HTML rendering enabled.
  • You must open the email.
  • An attacker must already have encrypted content of yours that he wants to decrypt.

For me, judging by the noise made before the explanation was released, it was a very critical vulnerability. But after reading, it was sensitive but not as critical as the noise could let one imagine, mainly because a lot of things are required to exploit the vulnerability. NIST quite agrees with me: it gave the two vulnerabilities behind Efail a complexity grade of high and a global grade of 5.9 (medium).

This was an example of waiting and making sure you have enough information before doing something.

Conclusion

I hope you enjoyed this second article about cybersecurity. The tone I used was a little more engaged than usual.
Feel free to comment if you want to add ideas or discuss it. If you find this article useful, you can subscribe to the blog's RSS feed or follow me on Mastodon. Don't hesitate to share it if you think it could interest someone.

Sources

Some news about the blog 4 : June 2018

Written by Mirabellette / 10 July 2018 / no comments

Hello everyone

I decided to publish an article about the blog in general each month. In this article, you will be able to know:

  • What I achieved during this period.
  • What I accomplished for the community.
  • How popular the blog and services are.
  • Balance sheet of the period.
  • Some words about what I think for the next period.

This article is about the month of June 2018.

Period achievements

Articles

01/06/2018

Events

  • Nothing special during the month of June.

The blog

  • Improved the accuracy of the statistics tool.

Give back to the community

  • A small donation, as each month, to an association or service I find useful.

Balance sheet of the period

Statistics for this period

I continued to improve the quality of the statistics tool. I think it currently filters 95% to 100% of bots or attacks. Since the middle of June, the data analysed should be very close to the real human traffic.

The article of June was read by really few people. As it wasn't about technology, I talked about it only on Mastodon. For me, it was an important article because philosophy and responsibility should be behind each of our actions. It is not the case today, because it is very hard to do, but it should be.

More details about the statistics of the month:

[Charts: views this month, days with most reads, most-read articles, referrers]

  • Pages were viewed 400 times this month.
  • The most-read article this month was the translation of the article on hosting Firefox bookmarks, with 234 views.
  • The second most-read article was the original article on hosting Firefox bookmarks, with 65 views.
  • The third most-read article was the article of the month of June, the knower oath, with 25 views.
  • Once again, most visitors came from journalduhacker.

Contrary to the month of May, I got "just" 450 views on the blog. I am not disappointed at all. It's still something huge for me. Even if only one reader finds my articles useful, it will be a success for me.

My point of view

I didn't do a lot during this period. I was quite busy and I didn't write the page about how I manage personal data. The only personal data I store are IP addresses, for one month, and referrers. This helps me have more accurate statistics and respect European law.

For the next month

  • I still have to publish a page about the data I manage here with regard to the GDPR. It will contain information about the statistics tool I built and why I collect data.

Classified in : Blog / Tags : none