Why would you open source?

ongov / OpenVerify

The open source Verify app by the Government of Ontario

Apache License 2.0

121 stars 34 forks source link

Why would you open source? #1

Closed PrinceFroggy closed 3 years ago

PrinceFroggy commented 3 years ago

isn’t that leaving a vulnerability to hackers to reverse the decryption and encrypt their own strings to make a QR code?

Anyone can use: https://github.com/EiNSTeiN-/chosen-plaintext

straxus commented 3 years ago

isn’t that leaving a vulnerability to hackers to reverse the decryption and encrypt their own strings to make a QR code?

Anyone can use: https://github.com/EiNSTeiN-/chosen-plaintext

SHCs are designed to make it practically impossible to do this - they use public-key crypto, which means that so long as GovON does not release their private key (and nobody is able to decipher or brute-force it, which is computationally infeasible) then having all of the code still does not allow you to create copies of their SHC codes. They will not validate correctly due to not being signed by the private key.

Also, open source is not a security risk - it is an intentional choice to open-source all of the code for transparency on how the site works in case anyone has any questions (and also so that anyone in other provinces or countries can borrow this code if they want). If the app has been designed such that having all of the source code available does not actually result in any security flaws, then providing software as open source is usually considered a much higher bar for security and trust in the software industry because then you know that there aren't glaring and obvious security holes that are being hidden from the public.

PrinceFroggy commented 3 years ago

isn’t that leaving a vulnerability to hackers to reverse the decryption and encrypt their own strings to make a QR code? Anyone can use: https://github.com/EiNSTeiN-/chosen-plaintext

SHCs are designed to make it practically impossible to do this - they use public-key crypto, which means that so long as GovON does not release their private key (and nobody is able to decipher or brute-force it, which is computationally infeasible) then having all of the code still does not allow you to create copies of their SHC codes. They will not validate correctly due to not being signed by the private key.

Also, open source is not a security risk - it is an intentional choice to open-source all of the code for transparency on how the site works in case anyone has any questions (and also so that anyone in other provinces or countries can borrow this code if they want). If the app has been designed such that having all of the source code available does not actually result in any security flaws, then providing software as open source is usually considered a much higher bar for security and trust in the software industry because then you know that there aren't glaring and obvious security holes that are being hidden from the public.

Oh, I know about the private key…just thought that in addition to the plaintext attack (if you reverse it till you need the private key), a Ciphertext-only attack would work as well considering you have multiple QR code barcode message examples which can be used for the attack.

straxus commented 3 years ago

isn’t that leaving a vulnerability to hackers to reverse the decryption and encrypt their own strings to make a QR code? Anyone can use: https://github.com/EiNSTeiN-/chosen-plaintext

SHCs are designed to make it practically impossible to do this - they use public-key crypto, which means that so long as GovON does not release their private key (and nobody is able to decipher or brute-force it, which is computationally infeasible) then having all of the code still does not allow you to create copies of their SHC codes. They will not validate correctly due to not being signed by the private key. Also, open source is not a security risk - it is an intentional choice to open-source all of the code for transparency on how the site works in case anyone has any questions (and also so that anyone in other provinces or countries can borrow this code if they want). If the app has been designed such that having all of the source code available does not actually result in any security flaws, then providing software as open source is usually considered a much higher bar for security and trust in the software industry because then you know that there aren't glaring and obvious security holes that are being hidden from the public.

Oh, I know about the private key…just thought that a Ciphertext-only attack would work as well considering you have multiple QR code barcode message examples which can be used for the attack.

Nope - you're thinking of symmetric-key encryption, the SHC which is received was signed with the private key at creation time, and you can hit it with the public key to verify the signature. The private key is never present and cannot be determined by the verifier. If public-key crypto algorithms were susceptible to this sort of attack, they never would have gained the popularity they have.

PrinceFroggy commented 3 years ago

isn’t that leaving a vulnerability to hackers to reverse the decryption and encrypt their own strings to make a QR code? Anyone can use: https://github.com/EiNSTeiN-/chosen-plaintext

SHCs are designed to make it practically impossible to do this - they use public-key crypto, which means that so long as GovON does not release their private key (and nobody is able to decipher or brute-force it, which is computationally infeasible) then having all of the code still does not allow you to create copies of their SHC codes. They will not validate correctly due to not being signed by the private key. Also, open source is not a security risk - it is an intentional choice to open-source all of the code for transparency on how the site works in case anyone has any questions (and also so that anyone in other provinces or countries can borrow this code if they want). If the app has been designed such that having all of the source code available does not actually result in any security flaws, then providing software as open source is usually considered a much higher bar for security and trust in the software industry because then you know that there aren't glaring and obvious security holes that are being hidden from the public.

Oh, I know about the private key…just thought that a Ciphertext-only attack would work as well considering you have multiple QR code barcode message examples which can be used for the attack.

Nope - you're thinking of symmetric-key encryption, the SHC which is received was signed with the private key at creation time, and you can hit it with the public key to verify the signature. The private key is never present and cannot be determined by the verifier. If public-key crypto algorithms were susceptible to this sort of attack, they never would have gained the popularity they have.

I briefly looked over the source, but do you provide the public key?

Isn’t this verifiable?

https://www.cs.clemson.edu/course/cpsc424/material/Cryptography/Attacks%20on%20Public%20Key.pdf

straxus commented 3 years ago

isn’t that leaving a vulnerability to hackers to reverse the decryption and encrypt their own strings to make a QR code? Anyone can use: https://github.com/EiNSTeiN-/chosen-plaintext

SHCs are designed to make it practically impossible to do this - they use public-key crypto, which means that so long as GovON does not release their private key (and nobody is able to decipher or brute-force it, which is computationally infeasible) then having all of the code still does not allow you to create copies of their SHC codes. They will not validate correctly due to not being signed by the private key. Also, open source is not a security risk - it is an intentional choice to open-source all of the code for transparency on how the site works in case anyone has any questions (and also so that anyone in other provinces or countries can borrow this code if they want). If the app has been designed such that having all of the source code available does not actually result in any security flaws, then providing software as open source is usually considered a much higher bar for security and trust in the software industry because then you know that there aren't glaring and obvious security holes that are being hidden from the public.

Oh, I know about the private key…just thought that a Ciphertext-only attack would work as well considering you have multiple QR code barcode message examples which can be used for the attack.

Nope - you're thinking of symmetric-key encryption, the SHC which is received was signed with the private key at creation time, and you can hit it with the public key to verify the signature. The private key is never present and cannot be determined by the verifier. If public-key crypto algorithms were susceptible to this sort of attack, they never would have gained the popularity they have.

I briefly looked over the source, but do you provide the public key?

Isn’t this verifiable?

https://www.cs.clemson.edu/course/cpsc424/material/Cryptography/Attacks%20on%20Public%20Key.pdf

If you believe an attack is possible against this app, I encourage you to create an exploit example and send it to GovON using their vulnerability disclosure process: https://covid-19.ontario.ca/verify-vulnerability-disclosure

As for the keys and verification rules, they are loaded in from https://files.ontario.ca/apps/verify/verifyRulesetON.json at runtime by the app

sheedy commented 3 years ago

Why would you open source?

Many reasons, one of the best being so the public can verify their government isn’t making an app that is doing shady things.

“Health passports” (for vaccine verification or other purposes) have the potential to carry very negative consequences. At first glance there seems to be no evidence of the potential for logging of identifiable data about the user (businesses) that could be used to log the whereabouts and activities of those being scanned (patrons of businesses).

We’ll done @ongov!

PrinceFroggy commented 3 years ago

Why would you open source?

Many reasons, one of the best being so the public can verify their government isn’t making an app that is doing shady things.

“Health passports” (for vaccine verification or other purposes) have the potential to carry very negative consequences. At first glance there seems to be no evidence of the potential for logging of identifiable data about the user (businesses) that could be used to log the whereabouts and activities of those being scanned (patrons of businesses).

We’ll done @ongov!

Oh that’s common knowledge… :P

I still believe by open sourcing they are opening a can of worms for attacks.

When I got time from my busy schedule I will attempt to create an exploit.

SilverMarten commented 3 years ago

When I got time from my busy schedule I will attempt to create an exploit.

Lol. I'm here to have a look at whether there are any vulnerabilities too. That right there is why open source works. If one of us can find a flaw, we can point it out. "Many hands make light work."

As for the verifyRulesetON.json... I could see the potential for intercepting it and modifying the publicKeys to insert your own; but that would require the target app to be running in online mode (likely) and the attacker to have the ability to intercept their https request and modify it (unlikely).

I'm particularly curious what data can be collected from the QR code by a secondary app. My concern is that people may not realise how easy it is for a program to read their code and log the data somewhere.

gabrielgrant commented 3 years ago

I still believe by open sourcing they are opening a can of worms for attacks.

The widely-held view (consensus?) in the software community is precisely the opposite: “given enough eyeballs, all bugs are shallow” (known as "Linus’s law", studies seem to confirm it empirically )

In order for any issues to be addressed, though, there does need to be time for the code to be reviewed, tested, and (potentially) fixed. So it would have been nice if the development would have been done in the open, rather than the code being "thrown over the wall" after the app was published. But having the code available now is certainly better than not at all, so we can all look for, report and fix any remaining issues (as it sounds like you're also going to try to do!)

PrinceFroggy commented 3 years ago

When I got time from my busy schedule I will attempt to create an exploit.

Lol. I'm here to have a look at whether there are any vulnerabilities too. That right there is why open source works. If one of us can find a flaw, we can point it out. "Many hands make light work."

As for the verifyRulesetON.json... I could see the potential for intercepting it and modifying the publicKeys to insert your own; but that would require the target app to be running in online mode (likely) and the attacker to have the ability to intercept their https request and modify it (unlikely).

I'm particularly curious what data can be collected from the QR code by a secondary app. My concern is that people may not realise how easy it is for a program to read their code and log the data somewhere.

Well, they gave us the decryption method's so you can collect the same amount of data they check for when compiling your own scanning app.

When grassroots made their vaccine passport before official one, on the same day as release I released to semi public how to "hack" it (hack is a broad term cause really no hacking involved) where some news sites such as global news released pictures of the QR codes, so I got the URL and replicated it in my own pkpass, which scanned and verified every time without public information shown.

With the link I provided from the university, it should shed light on how to approach an exploit...it just matters if executed correctly.

I am closing this issue now.