Crypto Proxy: Difference between revisions

From MozillaWiki

Revision as of 15:41, 28 March 2011

Crypto Proxy

Introduction

This is a proposal for the 'Crypto Proxy'. It is a server-side component in the Sync Services infrastructure that makes it possible for third party applications to get access to unencrypted sync data.

Problems the Sync Proxy tries to solve

Sharing of Credentials

Sync clients need to use Basic Auth to connect to the Sync Service. This means that a third party application needs to know the user's username and plaintext password to be able to access sync data. This is obviously not the right way to do things.

The Crypto Proxy solves this problem by working with a username/access token pair instead of a username/password pair.

The access token is a randomly generated identifier that a third party application can use to access sync data.

These tokens are maintained by the Sync Proxy, which means that the Sync Proxy can also easily deny a specific application or user access through this method.

Sync Key Management

To decrypt records, a Sync Client needs either the Sync Key or the Bulk Key for a specific collection.

Ideally these keys are not shared with third party applications at all, because they give the holder carte blanche to access all sync data.

Permissions Management

Because the Sync Proxy is the only way to access sync data for a third party application, it can also implement restrictions like:

  • Access from specific IP ranges - In the case of Firefox Home, the app is hosted on our own infrastructure, which adds an extra security barrier: no outside app could access data, even if tokens are compromised.
  • Enforce read-only data or give partial write access
  • Enable/disable access based on a username or even a specific application
  • Fine tune access to specific collections - Applications can get access to a specific list of collections. This can be a simple configuration file that says 'Firefox Home is allowed to read bookmarks/history/tabs and nothing else'
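The following is an added example of how the proxy could enforce the restrictions listed above in one place, combining the username/access token check with the application policy ('Firefox Home may read bookmarks/history/tabs and nothing else', source network, read-only). It is illustrative code written for this page, not part of the proposal or of the Sync Services code base; the application name, network range, collection names and function names are assumptions.

```python
import hmac
import ipaddress
import secrets

# Constructed example of the "simple configuration file" the proposal mentions:
# one entry per third-party application (all names and values are assumptions).
APP_POLICY = {
    "firefox-home": {
        "collections": {"bookmarks", "history", "tabs"},  # nothing else is readable
        "read_only": True,                                 # no write access at all
        "allowed_networks": ["10.0.0.0/8"],                # app hosted on own infrastructure
        "enabled": True,                                   # flip to False to cut off the app
    },
}

TOKENS = {}            # (username, app) -> access token, kept by the proxy only
DISABLED_USERS = set() # usernames whose proxy access has been switched off


def issue_token(username, app):
    """Mint a random access token for a user/app pair; the app never sees the password or Sync Key."""
    token = secrets.token_urlsafe(32)
    TOKENS[(username, app)] = token
    return token


def revoke_token(username, app):
    """Denying access is a local operation on the proxy: forget the token."""
    TOKENS.pop((username, app), None)


def authorize(username, app, token, client_ip, method, collection):
    """Decide whether a proxied sync request is allowed. Returns (allowed, reason)."""
    policy = APP_POLICY.get(app)
    if policy is None or not policy["enabled"]:
        return False, "application not enabled"
    if username in DISABLED_USERS:
        return False, "user disabled"
    expected = TOKENS.get((username, app))
    if expected is None or not hmac.compare_digest(expected, token):
        return False, "bad token"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(net) for net in policy["allowed_networks"]):
        return False, "source address not allowed"
    if collection not in policy["collections"]:
        return False, "collection not permitted"
    if method != "GET" and policy["read_only"]:
        return False, "write access not granted"
    return True, "ok"
```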

Operation

Obtaining an Access Token

...

Accessing Sync Data

...