Re: webauthn support?

[Chris Marusich]

Hi Jack,

Jack Hill <address@hidden> writes:

> Thanks Mark and Chris for you replies,

It's good to know I'm not alone!

> On Mon, 28 Oct 2019, Mark H Weaver wrote:

>
>> It might be a bug, or possibly a side effect of IceCat's changes to
>> the default settings compared with upstream Firefox.  Here are those
>> changes:
>>
>>  https://git.savannah.gnu.org/cgit/gnuzilla.git/tree/data/settings.js?h=68
>>
>> As a first step, I would suggest fiddling with those settings that
>> IceCat changed, starting with the ones that seem most likely to be
>> related.
>
> I didn't see anything obvious in those settings.

Sometimes, a non-obvious setting can cause problems.  For example, some
websites don't behave correctly if you've set
privacy.resistFingerprinting to true.  I've also had problems logging
into some websites when network.http.referer.spoofSource is set to true.
But I've experienced my U2F (the relation to WebAuthn is a bit confusing
to me, and I should probably learn more) problem even when these are set
to false.

>> You might also try bringing up the "Web Console" immediately after the
>> failure, either by typing Ctrl-Shift-K or via the "Web Developer"
>> submenu of the "Tools" menu.  (Press and release 'Alt' by itself to show
>> the menu bar).  Any errors shown here may give you hints about which
>> settings above to fiddle with.
>
> I haven't had a chance to investigate more yet, and I wouldn't have
> known where to start, but now I do, so thanks!

When my U2F problem occurs, I've checked the "Web Console".  I looked at
the messages, mainly.  Using the latest IceCat "preview" available in
Guix (so, ESR 68), nothing of note is emitted here, unfortunately.

> On Sun, 3 Nov 2019, Chris Marusich wrote:
>
>> I noticed a similar problem a few months ago.  It's still an issue.  I
>> looked into it at the time, but I never found a smoking gun.  I may very
>> well have missed something.  My hope is that by upgrading IceCat to a
>> later ESR release, the issue will go away.
>
> I'm glad it's not just me :) I, too, had hoped that the new ESR would
> have solved the problem.
>
>> If you have a simple set of steps to reproduce the behavior, that would
>> be helpful.  I never found the time to create a simple reproduction case
>> for the issue I observed, which is why I never reported it.
>
> Unfortunately, I don't have a minimal reproducer now, but did want to
> confirm that it was supposed to work before investigating.

To reiterate, the specific problem I see is this.  I go to a website
that uses two-factor authentication.  I know it works - with my specific
YubiKey token - because the website works fine in Firefox on other
systems.  But in IceCat 68, when I try to log in, I get a pop-up (modal?
not sure what the proper term is) with this error:

"Unknown U2F Error"

I'm typing that from memory, so it might actually be "Unknown U2F
Exception"; I'm not 100% sure.  But it's definitely a little window that
appears, which says something along those lines, with no additional
information.  Is this the same problem you see, Jack?

I have double checked a lot of things.  For example, I double checked
the following on my Guix system:

- The udev rules from libu2f-host are installed.

- My YubiKey token is usable via other mechanisms:

     - I can load the SSH key stored within it via "ssh-add -s", using
       the OpenSC PKCS11 library, and I can SSH into machines using it.

     - I can access the YubiKey via tools such as "ykinfo" and
       "yubico-piv-tool".

- In about:config, security.webauth.u2f is set to true.

The big issue for me is that I have no idea how to investigate further.
I really wish I could figure out how to extract more information from
IceCat, so I could figure out precisely where the problem is occurring,
and follow the trail of bread crumbs from there.  I have even tried
grepping the IceCat source (from "guix build -S icecat") for the string
"Unknown U2F Error", but it yields no results.  If anyone here can
provide advice on how to collect more information about what direction
the problem is coming from, I'd really appreciate it.

Since I can't find references to that error message in the IceCat 68
source, I'm thinking the error probably comes from something else.
Maybe a dependency that IceCat is calling out to, or perhaps even a
JavaScript library.  Judging by the URLs IceCat loads, I think it might
be using some version of the following file to do the U2F logic (IceCat
loaded a file named "fidou2f.js", which is why I think this):

https://github.com/rcdevs/openotp_authentication_owncloud/blob/master/js/fidou2f.js

Any tips to debug this would be welcome, even if it's just a link to
some tutorial on how to debug JavaScript that you find useful.  I'm a
total newbie when it comes to debugging JavaScript in IceCat (Firefox).
I'm not even sure the error is coming from this JavaScript, anyway.
Tips on how to debugging the non-JS portions of my problem seem more
helpful at this point in time, honestly, but any tips would be great.

Finally, I have a non-Guix GNU/Linux machine with Firefox, on which this
problem does not occur, and I am able to log in correctly using my token
(in Firefox).  I will try building IceCat 68 from source manually on
that distribution.  If IceCat works there and I can log successfully,
then that would suggest that my Guix system's configuration is somehow
incorrect, and the problem is not within IceCat.  This may take days or
even weeks to complete, since it takes a very long time (hours to days)
for me to build IceCat, and I do not have much free time to work on
this.  But I will try and report back.

-- 
Chris

signature.asc
Description: PGP signature