Chandler Security - April 2005
SMTP and IMAP traffic can optionally be protected with SSL/TLS by the user. SSLv2 is disabled for security reasons, as are certain cryptographic primitives. The certificate list that Chandler ships with is the same one that Mozilla uses (see the Mozilla draft CA policy). Changing the certificate list is a matter of manually editing a file - there is no UI for it yet.
SMTP and IMAP code, including SSL, has been tested against u.washington.edu, uchicago.edu, berkeley.edu and mit.edu email servers (among others).
There is low level support for WebDAV over SSL, but due to a bug this is not yet usable in Chandler.
There is also low level WebDAV ACL support, but it is not yet used by Chandler.
Code reviews are done more frequently, but still not for all checkins. After feature freeze (near a release) all checkins require a code review. Before that, code reviews happen if somebody thinks a piece of code should be reviewed, for example a new feature, a security-sensitive piece, or code that was written to a specification.
Use best practices and lessons learned from other projects, such as Mozilla.
UI design aiming for simplicity, understandability, and secure defaults where possible.
Future Directions
Adding a limited ability to manage certificates, such as accepting a new certificate, with a UI. Chandler 0.6.
Storing certificates in the Chandler repository instead of a flat file. Chandler 0.6.
Making the WebDAV ACL support higher level, and using it. Chandler 0.6.
WebDAV over SSL, either using a new WebDAV client package under development ("zanshin"), or fixing/working around the current bug.
M2Crypto
Cryptographic operations are done with M2Crypto, which is the most complete OpenSSL wrapper for Python.
M2Crypto has been improved at OSAF to enable CA operations and to work with Twisted, the networking library used by Chandler. OSAF is providing limited hosting for the M2Crypto project.
M2Crypto sprint at EuroPython, July 2005: fix memory leaks, consistent API, "full API", samples, more pythonic.
Wishlist
Use mutual authentication over SSL when connecting to WebDAV servers - currently there is no known WebDAV server that supports this.
Encrypt shared data before sending it to the WebDAV server, so that it is readable only by the people it was shared with.
CSG Comments
Platform-specific certificate store, use what is already available. This is a big usability issue.
- Would mean platform-specific implementations. Could perhaps be limited to extracting/storing certificates, while the rest could be handled in the normal manner. Maybe treat Chandler's copy of the certificates as a cache. Might not be practical, though.
S/MIME is important as soon as email becomes usable.
- M2Crypto has support for S/MIME.
WebDAV/CalDAV sucks from a security perspective because it does not play along with the other security systems universities already use.