No edit summary |
No edit summary |
||
| Line 7: | Line 7: | ||
{{FeatureTeam}} | {{FeatureTeam}} | ||
{{FeaturePageBody | {{FeaturePageBody | ||
|Feature open issues and risks=Cleartext username/pass sent through BasicAuth will put sync-keys (and therefore sync data) at risk when we start storing sync-keys on a sync-key server. | |||
|Feature overview=Sync web servers receive username/pass in cleartext (BasicAuth) before using them in LDAP/mySQL. Will be a problem when we store sync-keys protected by username/pass, because access to Sync web servers will be point of vulnerability. | |||
|Feature users and use cases=When sync-keys are stored on a sync-key server, if attackers gain control of Sync web servers they will have access to username/pass in cleartext, use credentials to access sync-key, and then unencrypt user data stored on Sync web servers. | |||
|Feature implementation notes=* https://bugzilla.mozilla.org/show_bug.cgi?id=445757 | |Feature implementation notes=* https://bugzilla.mozilla.org/show_bug.cgi?id=445757 | ||
}} | }} | ||
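Review bot: The three fields that appear only in the left-hand column (Feature open issues and risks, Feature overview, Feature users and use cases) have no counterpart on the right, and both revisions show "No edit summary". As a result the page's only description of the risk disappears without a stated reason: username/pass reaching the Sync web servers in cleartext via BasicAuth, which exposes sync-keys once they are stored on a sync-key server. If the text moved to another page, say so in the edit summary or keep a one-line pointer in Feature overview. If it is being withdrawn, state why, because the bug link kept in Feature implementation notes is left without the context that explains it.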