Changes in CoSign 3
CoSign 3 fixes a critical vulnerability in the CoSign 2 protocol which allows for fairly simple phishing attacks. The vulnerability announcement can be found at http://weblogin.org/cosign-vuln-2009-002.txt
In order to fix the protocol, the behavior (and configuration) of the filters has changed. Of note:
- Certificate CNs must match the service cookies being deployed. (CoSign 2 was lax about this check.) This may impact existing CoSign 2 installations that were accidentally misconfigured; if you see looping errors during a CoSign 2 to 3 conversion, this is a likely cause.
- A new "validation filter", acting from within your application's web server, is the only URL to which your application will forward from the central Weblogin servers.
- Cosign requires exactly one validation filter for each CN. Each validation filter must have its own URL on your web server (e.g. https://yourserver.example.com/cosign/valid).
In addition, the CoSign filters being distributed from the WMC are *not* the stock versions from weblogin.org; they have been patched to address additional issues that are currently in the pipeline for the CoSign project-at-large.
Specifically, these changes have been made to the Apache (1 and 2) filters:
- Allow CosignService and CosignCrypto from within .htaccess, Directory, and Location blocks;
- Removed improper DNS cache, which could cause increased downtime during a campus failover event;
- Implements a rekey mechanism that prevents URL hijacking from shared workstations.
And these new bugs have been introduced to those same filters:
- Validation filter-specific keywords CosignValidReference and CosignValidationErrorRedirect must exist from within the validation Location block.
Upgrading from CoSign 2 to CoSign 3Please follow these steps to upgrade your existing WebLogin application to use CoSign 3. Please note that this upgrade process requires an outage for your application.
- Choose a public validation URL that your service will use.
Apache: This URL is fully configurable. See Apache configuration instructions. IIS6, IIS7 The URL is always https://<your.hostname.upenn.edu>/cosign/valid
- Log in to the WebLogin Management Console (WMC)
- Select the appropriate registration to be upgraded from the list of current registrations.
- At the bottom of the View Service Registration panel you will see Download config bundle. To download choose from the v3 Protocol options for your operating system. Follow the appropriate instructions for installation of the software.
Apache: http://www.upenn.edu/computing/weblogin/docs/apache_installation.html IIS6: http://www.upenn.edu/computing/weblogin/docs/iis6_installation.html IIS7: http://www.upenn.edu/computing/weblogin/docs/iis7_installation.html - Start at step #7When you have reached a point in testing where you are being redirected to our configuration error page, https://weblogin.pennkey.upenn.edu/config_error.html, you are ready to move to the next step.
- Go back to the WMC to now modify your existing registration. Assuming that you are still in the View Service Registration panel, choose the Modify tab in the upper right-hand corner of the panel.
- In the Modify Existing Service Registration panel, update the Protocol Version from v2 to v3.
- After selecting v3 as your new protocol version, you will see a new Service Registration option, CoSign 3 Settings. Type in the selected Validation Handler URL as specified in the first step and used in your web server configuration.
- Save the updates to the registration.
- Test that your service is working correctly.
NOTE: If the browser used for testing is still caching the CoSign 2 cookie, that cookie might still be valid and might continue to allow access even if your upgrade to CoSign 3 has failed. To fully test your new service and avoid false positivies, please be sure to close your browser to kill any exisiting cookies and test fresh.