No way to distinguish if `webauthn` is available on the Windows client (via UA sniffing or web API)
Categories
(Core :: DOM: Web Authentication, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox65 | --- | unaffected |
firefox66 | --- | fixed |
firefox67 | --- | fixed |
People
(Reporter: akshay.sonu, Assigned: jcj)
References
(Blocks 1 open bug)
Details
(Whiteboard: [webauthn])
Attachments
(1 file)
(deleted),
text/x-phabricator-request
|
lizzard
:
approval-mozilla-beta+
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18324
Steps to reproduce:
We(Microsoft) released a feature(webuathn) in latest windows release. That is not applicable to older windows 10 releases or earlier windows releases for that matter.
We worked with Firefox to integrate webauthn feature with firefox which works for all the scenarios on latest windows builds.
However, for an RP who wants to enable the feature on firefox, there is no way to distinguish between older windows 10 releases and newer windows 10 releases.
We were looking at user agent string to figure this out.
Issue is that the minor version of windows 10 is the same for all the windows 10 releases for many years now. So every windows 10 release has the same major version and minor version.
One way to solve this is to add build number to the user agent string. Otherwise there is no way we can enable firefox for this feature from the RP's side.
Actual results:
Not able to distinguish between various windows 10 releases which is required to figure out where webauthn feature works with windows native APIs and where it doesn't.
Expected results:
Hoping that user agent can include build number also.
Reporter | ||
Comment 1•6 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1508115 is where firefox integrated with native windows webauthn APIs.
Assignee | ||
Comment 2•6 years ago
|
||
This would be a change to https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsHttpHandler.cpp#1039 so marking for Core::Networking::HTTP.
There's obviously a fingerprinting issue here, but we already increment for OSX and Linux versions. Exact build numbers for Windows will be a strong identifier for Windows Insider builds, but that's pretty much unavoidable.
Perhaps we could take info.dwBuildNumber and take it modulus 100?
Assignee | ||
Comment 3•6 years ago
|
||
(In reply to J.C. Jones [:jcj] (he/him) from comment #2)
Perhaps we could take info.dwBuildNumber and take it modulus 100?
Upon further reflection[1], it'd be better to take info.dwBuildNumber / 1000 * 1000
and have build numbers like 16000, 17000, and 18000. That makes the UA for Windows 10 broadly similar to that of macOS.
An alternative to this would be to add a new fragmentation surface to PublicKeyCredential
like PublicKeyCredential.isMicrosoftHelloEnabled
. I don't like that because :
- UA is already a known fingerprinting surface, and there exist tools for privacy-focused users to fudge it. A new attribute would be new surface, without tools.
- UA is used by websites to differentiate experiences already.
- Something like
PublicKeyCredential.isMicrosoftHelloEnabled
really should be standardized between browsers, and the WebAuthn WG rejected such platform-inspection fingerprinting.
[1] https://en.wikipedia.org/wiki/Windows_10_version_history
Reporter | ||
Comment 4•6 years ago
|
||
Issue is not really with whether windows hello is enabled or not. RP can distinguish that with PublicKeyCredential.IsUserVerifyingPlatformAuthenticatorAvailable
API. Issue is that with external security keys FIDO2 support. With this integration, FIDO2 security keys with all PIN/built in user verification support is enabled on latest 19H1 builds but same functionality is not there for non 19H1 builds on Windows.
Alternatively, if we have an API which says PublicKeyCredential.IsExternalFIDO2SecurityKeysSupported
, we may have a solution. For 19H1, it will return true and for older 19H1 it will return false for now (till firefox has support for external FIDO2 keys and then you can turn that to true).
Reporter | ||
Comment 5•6 years ago
|
||
Having said that support for FIDO2 keys is a broad definition and probably a Boolean is not the right detail. Build numbers is the best solution, IMO, at the moment.
Reporter | ||
Comment 6•6 years ago
|
||
Also, getting new capabilities support approved in newer version of webauthn will take years. Hence, I would request to allow getting us build numbers (in some obfuscated manner).
Comment 7•6 years ago
|
||
Moving to Core:DOM based on comment 3. I don't think we want to add more stuff to UA, but that is definitely for a broader discussion. Some more folks added.
Comment 8•6 years ago
|
||
Note that putting the information in the UA string is a source of passive fingerprinting data, whereas having it available via a Web API is only a source of active fingerprinting data, which is not as big a deal.
We normally try to expose what capabilities are available through web APIs, whereas we tend to try avoiding adding new information to the UA string. So if it's sufficient, it seems preferable in this case to expose the information through an API available via JavaScript rather than in the UA string. (If it's needed at the HTTP level, Client-Hints might be a better longer-run solution to that.)
Assignee | ||
Comment 9•6 years ago
|
||
So the preference would be a non-standard PublicKeyCredential.IsExternalFIDO2SecurityKeySupported
attribute?
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 10•6 years ago
|
||
We support CTAP2 devices on one specific platform, making it hard for RPs to
decide whether or not Firefox will support the tokens they're asking for. This
adds a non-standard method to divine that information while Firefox moves toward
CTAP2 support.
Comment 11•6 years ago
|
||
Comment 12•6 years ago
|
||
bugherder |
Updated•6 years ago
|
Assignee | ||
Comment 13•6 years ago
|
||
Comment on attachment 9043959 [details]
Bug 1526023 - Web Authentication - add isExternalCTAP2SecurityKeySupported
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: Bug 1508115
- User impact if declined: WebAuthn in Firefox 66 won't be usable with Microsoft Accounts, requiring a wait for 67.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce: From a console, ensure
await PublicKeyCredential.isExternalCTAP2SecurityKeySupported()
returns false on all platforms except Windows 10 Insider builds.
It's low risk, I don't think we need to verify that with QE.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This adds a small function that has almost no coupling to anything else, and it has a test.
- String changes made/needed: None
Comment on attachment 9043959 [details]
Bug 1526023 - Web Authentication - add isExternalCTAP2SecurityKeySupported
Fix for auth issues with new Windows versions.
Adds new tests. OK for beta 13 uplift.
Akshay, can you verify this works for you some time mid-next week (once we release beta 13?) Thanks!
Comment 16•6 years ago
|
||
bugherder uplift |
Comment 17•6 years ago
|
||
It also seems like it's worth bringing this use case to the working group to get a solution standardized.
Assignee | ||
Comment 18•6 years ago
|
||
Working group closed it no-action, saying that Firefox's implementation of this solves the problem. Other user agents expect to roll-out FIDO2 support across all platforms simultaneously, rather than piecemeal like we must.
Description
•