Penn Computing

Penn WebLogin

Changes in CoSign 3

CoSign 3 fixes a critical vulnerability in the CoSign 2 protocol that allows for fairly simple phishing attacks. The vulnerability announcement can be found at http://weblogin.org/cosign-vuln-2009-002.txt

Protocol changes

In order to fix the protocol, the behavior (and configuration) of the filters has changed. Of note:

  • Certificate CNs must match the service cookies being deployed. (CoSign 2 was lax about this check.) This may impact existing CoSign 2 installations that were accidentally misconfigured; if you see looping errors during a CoSign 2 to 3 conversion, this is a likely cause.
  • A new "validation filter", running within your application's web server, is the only URL to which the central WebLogin servers will send the browser back to your application.
  • CoSign requires exactly one validation filter for each CN. Each validation filter must have its own URL on your web server (e.g. https://yourserver.example.com/cosign/valid).

Local Patches

In addition, the CoSign filters being distributed from the WMC are *not* the stock versions from weblogin.org; they have been patched to address additional issues that are currently in the pipeline for the CoSign project-at-large.

Specifically, these changes have been made to the Apache (1 and 2) filters:

  • Allow CosignService and CosignCrypto from within .htaccess, Directory, and Location blocks;
  • Remove an improper DNS cache, which could cause increased downtime during a campus failover event;
  • Implement a rekey mechanism that prevents URL hijacking from shared workstations.

And these new bugs have been introduced to those same filters:

  • The validation filter-specific keywords CosignValidReference and CosignValidationErrorRedirect must be set from within the validation Location block.
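The CN/cookie-name rule and the one-validation-filter-per-CN rule from the protocol changes above, together with the patched filters' requirement that the validation-only keywords live inside the validation Location block, can be checked before an upgrade with a small config lint. This is an added example, not a tool from Penn or the CoSign project; it assumes the validation handler is marked by "SetHandler cosign" and that the caller already has the certificate CN (read from the service certificate), and the configuration text it scans is constructed for illustration.

```python
import re

# Rules this lint encodes (assumed reading of the page's constraints):
#  1. the CosignService name must equal the service certificate CN
#  2. exactly one validation <Location> (SetHandler cosign) per service
#  3. CosignValidReference / CosignValidationErrorRedirect only inside it
VALIDATION_ONLY = {"CosignValidReference", "CosignValidationErrorRedirect"}

def parse(conf):
    """Yield (location, directive, args); location is the enclosing
    <Location> path, or None for directives at server scope."""
    loc = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m:
            loc = m.group(1)
            continue
        if re.match(r"</Location\s*>", line, re.I):
            loc = None
            continue
        parts = line.split(None, 1)
        yield loc, parts[0], (parts[1] if len(parts) > 1 else "")

def lint(conf, cert_cn):
    """Return a list of findings; an empty list means the config passes."""
    entries = list(parse(conf))
    findings = []
    valid_locs = [l for l, n, a in entries
                  if n == "SetHandler" and a.lower() == "cosign" and l]
    if len(valid_locs) != 1:
        findings.append(f"expected exactly one validation Location, found {valid_locs}")
    for loc, name, args in entries:
        if name == "CosignService" and args != cert_cn:
            findings.append(f"CosignService '{args}' != certificate CN '{cert_cn}'")
        if name in VALIDATION_ONLY and loc not in valid_locs:
            findings.append(f"{name} is outside the validation Location block")
    return findings

# Constructed configuration with two of the mistakes the page warns about.
BAD_CONF = """
CosignService my-app
CosignValidReference ^https://yourserver.example.com(/.*)?$
<Location /cosign/valid>
    SetHandler cosign
    CosignValidationErrorRedirect https://yourserver.example.com/cosign/error.html
</Location>
"""
```

Running lint(BAD_CONF, "myapp") reports the service/CN mismatch (a likely cause of the looping errors mentioned above) and the misplaced CosignValidReference.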

Upgrading from CoSign 2 to CoSign 3

Please follow these steps to upgrade your existing WebLogin application to use CoSign 3. Please note that this upgrade process requires an outage for your application.

  1. Choose a public validation URL that your service will use.
    Apache: This URL is fully configurable. See the Apache configuration instructions.
    IIS6, IIS7: The URL is always https://<your.hostname.upenn.edu>/cosign/valid

  2. Log in to the WebLogin Management Console (WMC)

  3. Select the appropriate registration to be upgraded from the list of current registrations.

  4. At the bottom of the View Service Registration panel you will see Download config bundle. To download, choose from the v3 Protocol options for your operating system, then follow the appropriate instructions for installing the software:
    Apache: http://www.upenn.edu/computing/weblogin/docs/apache_installation.html
    IIS6: http://www.upenn.edu/computing/weblogin/docs/iis6_installation.html
    IIS7: http://www.upenn.edu/computing/weblogin/docs/iis7_installation.html (start at step #7)

    When you have reached a point in testing where you are being redirected to our configuration error page, https://weblogin.pennkey.upenn.edu/config_error.html, you are ready to move to the next step.

  5. Go back to the WMC to now modify your existing registration. Assuming that you are still in the View Service Registration panel, choose the Modify tab in the upper right-hand corner of the panel.

  6. In the Modify Existing Service Registration panel, update the Protocol Version from v2 to v3.

  7. After selecting v3 as your new protocol version, you will see a new Service Registration option, CoSign 3 Settings. Type in the selected Validation Handler URL as specified in the first step and used in your web server configuration.

  8. Save the updates to the registration.

  9. Test that your service is working correctly.
    NOTE: If the browser used for testing is still caching the CoSign 2 cookie, that cookie might still be valid and might continue to allow access even if your upgrade to CoSign 3 has failed. To fully test your new service and avoid false positives, be sure to close your browser to kill any existing cookies and test fresh.

Information Systems and Computing
University of Pennsylvania