Security/Reviews/BrowserIDProfiles

From MozillaWiki

Item Reviewed

Profile feature of Mozilla Persona/BrowserID
Target

ID      Summary                                                           Priority  Status
756431  Security Review for Profile feature of Mozilla Persona/BrowserID  P3        RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

https://wiki.mozilla.org/Identity/Profile/Proposal

https://github.com/mozilla/browserid/issues/880

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • add basic profile information to BrowserID
    • name, avatar photo (the kind of thing you supply when posting a comment to a blog) [initial phase, opt in]
    • data will be held client-side initially, until key wrapping is solved
      • once that is solved, we may provide more data and serve it from the server side (encrypted on the client side)
  • the provider would have to make an explicit request (the exact scope is not yet decided, but certainly for the expanded data set)
  • the future goal is a "contact card" style of information associated with a given Persona email address

What solutions/approaches were considered other than the proposed solution?

  • automatically sending email, name and "photo" (avatar)
    • we may want even this to be optional and controlled by users

Why was this solution chosen?

  • ability to have an online profile and data that is associated with a given account for a given site

Any security threats already considered in the design and why?

  • all those inherent in BrowserID
  • privacy, with regard to user choice over what is sent

Threat Brainstorming

  • If the user and the site don't agree on what information is required, who cancels the transaction?
    • we want the user to be able to control this and make the decision
  • Concern for photo privacy: embedded EXIF data, such as a thumbnail that contains the entire photo while the displayed image is cropped, GPS coordinates, etc.
  • If we point to external image URLs, we may anger site owners, since many users will point to photos hosted on sites they don't control or own. Also, site owners could replace an image with a nasty one.
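The EXIF concern above (a full-size thumbnail or GPS tags riding along inside a cropped avatar) is usually mitigated by re-encoding the image before it is stored or served. The following is an added, standard-library-only illustration of that mitigation for JPEG avatars; it is not code from the Persona/BrowserID project, and the sample image bytes are constructed for the example rather than taken from a real photo.

```python
import struct

SOI = b"\xff\xd8"  # JPEG start-of-image marker
# Marker bytes whose segments carry metadata an avatar does not need:
# APP1 (0xE1) holds Exif (GPS tags, embedded thumbnail) and XMP; APP13 (0xED) holds IPTC/Photoshop data.
METADATA_MARKERS = {0xE1, 0xED}


def jpeg_segments(data):
    """Yield (marker, raw_segment_bytes) for each header segment; the SOS segment is yielded with all scan data."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows up to EOI
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length field counts itself
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def has_exif(data):
    """True if the JPEG carries an APP1 segment with the Exif identifier."""
    return any(m == 0xE1 and seg[4:10] == b"Exif\x00\x00" for m, seg in jpeg_segments(data))


def strip_metadata(data):
    """Return a copy of the JPEG with Exif/XMP/IPTC segments dropped; pixel data is untouched."""
    out = bytearray(SOI)
    for marker, seg in jpeg_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, a minimal (not structurally valid) Exif block, SOS header, fake scan data, EOI.
SAMPLE = (SOI
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(0xE1, b"Exif\x00\x00" + b"II*\x00" + b"\x00" * 20)
          + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")
```

Dropping the segments is enough for the thumbnail and GPS case; a full re-encode through an image library also removes anything hidden in the entropy-coded data and normalises dimensions.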

Action Items

Action Item Status: In Progress
Release Target:

Action Items
* Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, which blocks the feature bug)
  • Yvan Boily :: code review :: before launch
  • identity team :: What are the milestones, how can these steps be broken down, and at which step does the amount of data collected increase?