Security/Reviews/BZBrowserID

Item Reviewed

Bugzilla Extension for BrowserID
Target: http://bzr.mozilla.org/bugzilla/extensions/browserid/trunk/files
Login interface: http://www.bugzilla.org/docs/4.0/en/html/api/Bugzilla/Auth/Login.html
bug 698808


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • extension to Bugzilla for BrowserID logins
      • this is an alternative, can still use the old ways
      • will only work if you have no more than basic permissions
  • easier to log in with BrowserID

What solutions/approaches were considered other than the proposed solution?

  • the current way to log in

Why was this solution chosen?

  • want to extend the use of BrowserID
  • easier to log in with BrowserID

Any security threats already considered in the design and why?

  • users with higher rights cannot use this
  • easy to disable if we find a problem
  • same as the set of threats to BrowserID/Persona

Threat Brainstorming

Action Items

Action Item Status: Complete
Release Target:

  • Gerv: Update code to check for absence of "nobrowserid" group. Status: Done (http://bzr.mozilla.org/bugzilla/extensions/browserid/trunk/revision/8)
  • Gerv: File bug on full verifier support (non blocker). Status: Done - bug 737480
  • Gerv: At appropriate moment, rename any UI elements to new branding. Status: not needed
  • Gerv: Create nobrowserid group and put relevant groups in it - all security, HR, legal. Status: Done