Security/Reviews/Firefox4/Deferred Session Restore Security Review

From MozillaWiki
Jump to: navigation, search

Security Review Pre-Work

Please fill our the short section below prior to the review, and make sure you contact security@mozilla.org to schedule your actual review.

Overview

The goal here was part of the process towards removing dialogs when quitting Firefox. We wanted to make it possible to restore your previous session at startup instead of being forced to decide when your quitting Firefox.

Background links

Threats

Please list the top 3 security threats you have considered during the design and implementation of this feature. Consider attack points as well as code that feels fragile.

I think this falls under privacy more than security, but since we save cookies by default and we're saving the session without an explicit action of the user, there's a chance login information could be compromised.

What mitigations have you implemented?

There are new preferences for privacy levels that are used instead of the ones used when it's an explicit user action to save the session when quitting.

Topics To Discuss During The Review

Privacy

  • Does the feature cache or store data that could strengthen super-cookies?

Yes? Like I mentioned, we're saving session cookies for open pages. bug 424872 changed the preference levels to save session cookies for HTTPS pages.

  • How are transitions in/out of Private Browsing mode handled?

While in PB mode, you can't restore your previous session.

  • How is "Clear Recent History" handled?

It's not... That should probably be fixed...

Review comments

Notes and bug numbers will be recorded here. Let's try not to spend too much time on any one topic during the meeting.

  • session store has changed the privacy level to store SSL data.
  • deferred storage means this is always saved even on a clean quit.
  • we are not honoring "cache-control: no-store" for these data
  • with deferred restore we might be asking a completely different person "do you want to restore state" than the one who walked away -- a real privacy downside.
  • file bug xxxx to set deferred privacy level back to 1
    • possibly split form data into another pref, and use 0?