canmove, Confirmed users
1,537
edits
Privacy/Reviews/F1A: Difference between revisions
→Follow-up Tasks and tracking
| (27 intermediate revisions by 2 users not shown) | |||
| Line 12: | Line 12: | ||
|'''Security Contact:''' || Curtis Koenig | |'''Security Contact:''' || Curtis Koenig | ||
|- | |- | ||
|'''Document State:''' || <section begin='status'/>{{ | |'''Document State:''' || <section begin='status'/>{{resolved|(18-Oct-2011) complete}}<section end='status'/> | ||
|} | |} | ||
| Line 21: | Line 21: | ||
|'''Architectural Overview:''' || Done 7-Oct-2011 | |'''Architectural Overview:''' || Done 7-Oct-2011 | ||
|- | |- | ||
|'''Recommendation Meeting:''' || | |'''Recommendation Meeting:''' || Async via email | ||
|- | |- | ||
|'''Wrap-up Meeting:''' || ( | |'''Wrap-up Meeting:''' || (not necessary) | ||
|} | |} | ||
| Line 324: | Line 324: | ||
The mediator class stores no data. | The mediator class stores no data. | ||
'''Communication with 3rd Party Oauth Providers''' | |||
The Share Mediator Component, via the [https://github.com/mozilla/oauthorizer oauthorizer library] communicates on behalf of the 3rd party webapp components to obtain oauth tokens. The authentication is performed by the third party site (e.g., facebook.com) in a popup window, which calls back to a special URI that is controlled locally by the Mediator Component. | |||
{| class="wikitable" | |||
|- | |||
! Direction | |||
! Message | |||
! Data | |||
! Notes | |||
|- | |||
| ''Out:'' | |||
| permission request | |||
| app_id | |||
| | |||
|- | |||
| ''In:'' | |||
| return from permission request | |||
| oauth token | |||
| token is stored in 3rd party webapp's localstorage (in browser) | |||
|} | |||
'''Communication with 3rd Party Email Servers (via SMTP)''' | |||
To send messages, the Share Mediator Component employs SMTP communication with 3rd party email servers (google mail for starters). The component obtains oauth tokens via the oauth protocol (previous section) and uses those and SMTP to send messages. | |||
{| class="wikitable" | |||
|- | |||
! Direction | |||
! Message | |||
! Data | |||
! Notes | |||
|- | |||
| ''Out:'' | |||
| EHLO | |||
| hostname ("localhost") | |||
| | |||
|- | |||
| | |||
| STARTTLS | |||
| | |||
| Triggers TLS/secure communication with mail server | |||
|- | |||
| | |||
| AUTH | |||
| "xoauth" and token | |||
| Authenticates the user to the SMTP server | |||
|- | |||
| | |||
| MAIL FROM | |||
| email address | |||
| | |||
|- | |||
| | |||
| RCPT TO | |||
| sharing targets | |||
| | |||
|- | |||
| | |||
| DATA | |||
| URL, etc | |||
| Contents of the share message | |||
|- | |||
| ''In:'' | |||
| return from various SMTP commands | |||
| return codes | |||
| either error or success | |||
|} | |||
| Line 391: | Line 461: | ||
== Credentials == | == Credentials == | ||
There are various credentials employed in this system ( | There are various credentials employed in this system (oauth tokens) that are used via OWA and the 3rd party webapp components to share information. Additionally, other users of the system could potentially have access to a user's sharing credentials. The OAuth tokens are stored in the apps localStorage. | ||
''The Risk'' is that these credentials might be leaked across third parties or to other users of the system. | ''The Risk'' is that these credentials might be leaked across third parties or to other users of the system. | ||
| Line 397: | Line 467: | ||
''Requirement:'' These credentials are stored by the 3rd party webapp components who use them and only those components (and the browser, extended by the Share Mediator Component) should be able to touch them. Any non-oauth credentials should be stored in the password database (not localstorage) and, when possible, encrypted using the browser's master password. | ''Requirement:'' These credentials are stored by the 3rd party webapp components who use them and only those components (and the browser, extended by the Share Mediator Component) should be able to touch them. Any non-oauth credentials should be stored in the password database (not localstorage) and, when possible, encrypted using the browser's master password. | ||
{{ResolutionBox|{{ | {{ResolutionBox|{{resolved|This software only ships with 3rd party webapps that use oauth and store the tokens in localstorage so there is no threat of password leak. When we open F1A to allow users to install additional apps, we will make clear in the documentation how to store different types of credentials properly.}}}} | ||
== Clearing Private Data == | == Clearing Private Data == | ||
| Line 404: | Line 474: | ||
''The Risk'' is that, while the user may think he is "resetting" credentials stored in his browser, this may not be the case if the 3rd party webapps don't store data in the right place or erase it at the right time. | ''The Risk'' is that, while the user may think he is "resetting" credentials stored in his browser, this may not be the case if the 3rd party webapps don't store data in the right place or erase it at the right time. | ||
''Requirement:'' when stored passwords in the browser are cleared, the webapps should delete passwords. Oauth tokens should be deleted when users clear | ''Requirement:'' when stored passwords in the browser are cleared, the webapps should delete passwords. Oauth tokens should be deleted when users clear "active logins". Contacts and other account data should be erased when the user clears localstorage. | ||
''Recommendation:'' if a user has not set up Firefox to remember passwords, no passwords should be stored in localstorage by the share add-on or its webapp components (they can be retained in memory, but lost when Firefox is closed). | ''Recommendation:'' if a user has not set up Firefox to remember passwords, no passwords should be stored in localstorage by the share add-on or its webapp components (they can be retained in memory, but lost when Firefox is closed). | ||
{{ResolutionBox|{{ | {{ResolutionBox|{{resolved|oauth tokens are stored in localStorage and are cleared when users click logout or clear browser's localStorage. Oauth tokens stored by this addon's apps are purged when users clear "active logins".}}}} | ||
== Browsing History == | == Browsing History == | ||
| Line 415: | Line 485: | ||
''The Risk:'' the user will knowingly provide third parties with insight into what sites they've visited in the past. Browsing history is generally considered to be private, and the disclosure of such data should be calculated. This is a very tiny risk since the whole point of this feature is to share URLs. Nonetheless, the risk is there and unless the user is always at the helm when data sharing happens, it could be leaked without consent. | ''The Risk:'' the user will knowingly provide third parties with insight into what sites they've visited in the past. Browsing history is generally considered to be private, and the disclosure of such data should be calculated. This is a very tiny risk since the whole point of this feature is to share URLs. Nonetheless, the risk is there and unless the user is always at the helm when data sharing happens, it could be leaked without consent. | ||
URLs shortened through a URL shortening service are disclosed to that service. If URL shortening services are used, it must be clear what is happening. | URLs shortened through a URL shortening service are disclosed to that service. If third-party URL shortening services are used (shorteners not part of the service used for sharing), it must be clear what is happening. | ||
''Requirement:'' The UI must clearly show each URL being shared and with which parties the URL will be shared before it is transmitted. If URL shortening is used, there must be user intervention before the URL is sent to the service for shortening. (UI can be used to "remember" the user's preference to shorten URLs, but that must be opt-in). | ''Requirement:'' The UI must clearly show each URL being shared and with which parties the URL will be shared before it is transmitted. If an additional URL shortening service is used, there must be user intervention before the URL is sent to the service for shortening. (UI can be used to "remember" the user's preference to shorten URLs, but that must be opt-in). | ||
{{ResolutionBox|{{resolved|UI is clear about with whom users are sharing URLs. Twitter uses its own in-house shortening on the server-side (their end).}}}} | |||
=Conformity to Private Browsing Mode (If Applicable)= | =Conformity to Private Browsing Mode (If Applicable)= | ||
| Line 427: | Line 496: | ||
''Recommendation'': During a private browsing session, any data automatically obtained (and stored in the webapp components' localstorage) should be retained in volatile memory only. This is data that the user doesn't explicitly ask for, such as automatically synced contacts. New account setup data and other data explicitly "installed" by the user to be stored can be kept (as we do with sync). The data stored in volatile memory during private mode should be "rolled back" or erased when private mode is exited. | ''Recommendation'': During a private browsing session, any data automatically obtained (and stored in the webapp components' localstorage) should be retained in volatile memory only. This is data that the user doesn't explicitly ask for, such as automatically synced contacts. New account setup data and other data explicitly "installed" by the user to be stored can be kept (as we do with sync). The data stored in volatile memory during private mode should be "rolled back" or erased when private mode is exited. | ||
{{ResolutionBox|{{ | {{ResolutionBox|{{resolved|since the 3rd party webapps use the usual HTML cookies and localstorage, these will be managed by the private browsing service automatically.}}}} | ||
= Alignment with Privacy Operating Principles = | = Alignment with Privacy Operating Principles = | ||
| Line 443: | Line 512: | ||
This product doesn't retain data not explicitly provided by the users. It's off by default, and does nothing until users authenticate to their services. | This product doesn't retain data not explicitly provided by the users. It's off by default, and does nothing until users authenticate to their services. | ||
''Requirement'': Provide a way to "forget" or disconnect from a service that has been used for sharing. | ''Requirement'': Provide a way to "forget" or disconnect from a service that has been used for sharing. -mixedpuppy: there is a logout button under the profile picture for each service which clears localstorage (including oauth tokens) for that service. | ||
====Principle: Sensible Defaults==== | ====Principle: Sensible Defaults==== | ||
| Line 455: | Line 524: | ||
''Recommendations'': none. | ''Recommendations'': none. | ||
{{ResolutionBox|{{ | {{ResolutionBox|{{resolved|there is a logout button in the Share Mediator Panel}}}} | ||
= Follow-up Tasks and tracking = | = Follow-up Tasks and tracking = | ||
| Line 470: | Line 539: | ||
| Various meetings and iterations. Completed 7-Oct-2011. | | Various meetings and iterations. Completed 7-Oct-2011. | ||
|- | |- | ||
| {{ | | {{done|Discuss Recommendations}} | ||
| Sid & Shane | | Sid & Shane | ||
| | | | ||
| | | Async via email | ||
|- | |||
| {{done|verify data flow with [[#Share_Mediator_Component|SMTP and Oauth servers]]}} | |||
| Mark Hammond | |||
| | |||
| | |||
|- | |||
| {{done|update add-on to purge oauth tokens (via logout() call) when user clears "active logins" via browser's "clear recent history" dialog}} | |||
| Shane | |||
| {{bug|695259}} | |||
| | |||
|- | |||
| {{drop|<strike>disclose URL shortening in Twitter share UI, perhaps "about url shortening" linking to [http://support.twitter.com/entries/109623]</strike>}} | |||
| Shane | |||
| | |||
| Unnecessary, Twitter uses their own shortener. | |||
|} | |} | ||
[[Category:Privacy/Reviews| | [[Category:Privacy/Reviews|F1A]] | ||