Security/Reviews/SimplePushSrv

From MozillaWiki

Item Reviewed

Simple Push Server
Target

Bug ID  Summary                        Priority  Status
897454  SecReview: Simple Push Server  --        RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%)


principal document: https://wiki.mozilla.org/WebAPI/SimplePush

protocol spec: https://wiki.mozilla.org/WebAPI/SimplePush/Protocol

Review of system and wire protocol changes.


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • SimplePush is a near data free method to remotely wake an application. This server is a means by which the client application can connect using secure websockets, and receive updates from the trusted third party server.

What solutions/approaches were considered other than the proposed solution?

  • XMPP - (too heavyweight for current requirements)
  • Thialfi - requires too much pre-existing backend storage

Why was this solution chosen?

  • This solution provides the absolute minimum of useful information exchange in a method that is blind to the server.

Any security threats already considered in the design and why?

  • PUT URLs require no authorization to send triggering events.
    • not considered a threat, both because of the very large id space (an endpoint consists of 2 UUIDs lightly encrypted with AES and converted to a base64 string) and because endpoints are effectively disposable from the client's point of view (a compromised endpoint can easily be discarded and a new endpoint created with minimal impact to the system).

Threat Brainstorming

  • use up the data usage limit on a phone by sending bogus push notifications for an app the user does not have
    • yes, if you can break the AES and guess the UUID for that device
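To make the endpoint design behind the two points above concrete (the "PUT URLs require no authorization" item and the data-usage brainstorm entry), here is an added Go example; it is not the Simple Push Server's own code and is not taken from the page. The page only says an endpoint is "2 UUIDs lightly encrypted with AES and converted to a base64 string", so the token layout used here, base64url(IV || AES-CTR(key, deviceUUID || channelUUID)), and the in-memory Registry standing in for the server's registration store are assumptions. The example shows why an unauthorized PUT with a guessed or tampered endpoint does nothing: the token decrypts to a (device, channel) pair that matches no registration, so no device is woken and no data is spent unless the attacker both breaks the AES layer and guesses the UUIDs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Assumed token layout (the page gives only "2 UUIDs lightly encrypted with AES,
// base64"; the mode and framing below are this example's assumption):
//   base64url( IV[16] || AES-CTR_key( deviceUUID[16] || channelUUID[16] ) )
const (
	uuidLen  = 16
	plainLen = 2 * uuidLen
	tokenLen = aes.BlockSize + plainLen
)

// EncodeEndpoint turns a (device, channel) UUID pair into an opaque endpoint
// token. A fresh random IV makes every token for the same pair look different.
func EncodeEndpoint(key []byte, device, channel [uuidLen]byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, tokenLen)
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	plain := make([]byte, plainLen)
	copy(plain[:uuidLen], device[:])
	copy(plain[uuidLen:], channel[:])
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plain)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// DecodeEndpoint reverses EncodeEndpoint. CTR mode carries no integrity tag, so
// any token of the right length decrypts to *some* pair; only the registry
// lookup in Deliver distinguishes a real endpoint from a forged one.
func DecodeEndpoint(key []byte, token string) ([uuidLen]byte, [uuidLen]byte, error) {
	var device, channel [uuidLen]byte
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return device, channel, err
	}
	if len(raw) != tokenLen {
		return device, channel, errors.New("endpoint token has wrong length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return device, channel, err
	}
	plain := make([]byte, plainLen)
	cipher.NewCTR(block, raw[:aes.BlockSize]).XORKeyStream(plain, raw[aes.BlockSize:])
	copy(device[:], plain[:uuidLen])
	copy(channel[:], plain[uuidLen:])
	return device, channel, nil
}

// Registry stands in for the server's record of registered (device, channel)
// pairs; an in-memory map constructed for this example.
type Registry map[[plainLen]byte]bool

func pairKey(device, channel [uuidLen]byte) (k [plainLen]byte) {
	copy(k[:uuidLen], device[:])
	copy(k[uuidLen:], channel[:])
	return k
}

// Register records a pair as a live endpoint.
func (r Registry) Register(device, channel [uuidLen]byte) {
	r[pairKey(device, channel)] = true
}

// Deliver models the server handling a PUT to an endpoint: decode the token and
// report whether it names a registered pair. A guessed or tampered token yields
// a random pair out of two 128-bit UUIDs, which matches nothing, so no device is
// woken. Discarding a leaked endpoint is just deleting its map entry.
func (r Registry) Deliver(key []byte, token string) (bool, error) {
	device, channel, err := DecodeEndpoint(key, token)
	if err != nil {
		return false, err
	}
	return r[pairKey(device, channel)], nil
}

func main() {
	key := make([]byte, 32) // server-side AES-256 key, generated for the example
	var device, channel [uuidLen]byte
	for _, b := range [][]byte{key, device[:], channel[:]} {
		if _, err := io.ReadFull(rand.Reader, b); err != nil {
			panic(err)
		}
	}
	reg := Registry{}
	reg.Register(device, channel)
	token, _ := EncodeEndpoint(key, device, channel)
	ok, _ := reg.Deliver(key, token)
	fmt.Println("registered endpoint accepted:", ok)
}
```

Because the assumed CTR layer has no authentication tag, rejecting a forged endpoint costs the server a storage lookup; an authenticated mode (AES-GCM, for instance) would let it drop forged or tampered tokens before touching the registry, which matters if the unauthorized PUT path is ever used for load rather than for waking a specific device.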

Action Items

Action Item Status: Complete
Release Target: