Security Alert: Incorrect Quorum with low number of notaries and/or low quorum percentage

A critical security bug has been found that can lead to an incorrect quorum duration being calculated.

Summary: If your ((Quorum Percentage) * (Quorum Size)) is less than 0.5, any site will report a quorum duration equal to the longest length of all certificates returned by any notary, regardless of whether the key for any result matches the current certificate.

Temporary Workaround: Set your Preferences to use a high enough number of notaries and quorum percentage (i.e. default 10 notaries and at least a 10% quorum threshold). Using the default notaries (checking the checkbox) and 10% quorum will be enough to avoid this. Using any of the ‘High Security’, ‘Medium Security’, and ‘High Availability’ settings for Security Level will successfully avoid this bug.

Who is Affected: This issue only affects Perspectives clients who use a ‘Manual’ Security Level, and who have a ((Quorum Percentage) * (Quorum Size)) that is less than 0.5. For example, using only one notary with a quorum percentage of 10% would trigger this bug.

This currently affects all known versions of Perspectives clients.

What’s being done: We are actively working on a fix and will patch Perspectives as soon as possible. Bug details have been added to GitHub and will be updated as we make progress.

——-

Update: This bug has now been fixed. A new release of Perspectives has been uploaded, and will be automatically published once it has been reviewed by the Mozilla Addons team. You can also download it directly via this link.

Advertisements

, ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: