MozillaWiki

CloudServices/Roadmaps/SimplePush-Server/SecCodeReview: Difference between revisions

Page Discussion

CloudServices/Roadmaps/SimplePush-Server/SecCodeReview (view source)

Revision as of 17:14, 3 June 2013

1,023 bytes removed ,  3 June 2013
→‎Accounts and Passwords
(Created page with "=Access Information= == How is the application accessed? == Application is accessed in two ways. The client accesses via a WebSock connection. Third party servers access via a...")
 
Line 37: Line 37:
=Accounts and Passwords=
=Accounts and Passwords=
While there are technically "accounts" no password is maintained for these. UAIDs are generated by the client and used solely to identify itself to the server.   
While there are technically "accounts" no password is maintained for these. UAIDs are generated by the client and used solely to identify itself to the server.   
==If the mechanism to prevent general access is a password, how is the signup process handled?==
N/A


==How is account information stored?==
Update Information associated with a given client is stored as a pair of UUID4 values. A User Agent ID (UAID) and a ChannelID. There is an option for REST endpoint hashing which uses a simple,reversible AES hash to prevent third party sites from potentially gaining unwarranted information about the connecting clients.
Update Information associated with a given client is stored as a pair of UUID4 values. A User Agent ID (UAID) and a ChannelID. There is an option for REST endpoint hashing which uses a simple,reversible AES hash to prevent third party sites from potentially gaining unwarranted information about the connecting clients.


==Are passwords properly stored within databases if applicable?==
=Session Management=
N/A
 
==Is a password policy in place?==
N/A
 
==Are accounts locked-out after a number of invalid logins?==
N/A
 
==Are passwords 8 characters or greater?==
N/A
 
==Do passwords use both numbers and letters (and possibly symbols)?==
N/A
 
==Is there a blacklist of common passwords?==
N/A
 
==Do passwords expire after X days and require a reset?==
N/A
 
==Are invalid logins logged?==
N/A
 
==Is there a lockout after X invalid attempts?==
N/A
 
==Is the error message for lockout generic (does not include if user/pass is valid)?==
N/A
 
==How are password resets handled (i.e. email, security question, etc.)?==
N/A
 
==Do emails sent after signup/reset contain a session link? (should not)==
N/A
 
==Do email verification codes expire after one use or 8 hours?==
N/A
 
==Is password reuse limited/prevented?==
N/A
 
==Session Management==
No Session cookies are used.
No Session cookies are used.


==Third-Party Resources==
=Third-Party Resources=
Only third party resources are source libraries included in the binary application.
Only third party resources are source libraries included in the binary application.


This code has been reviewed both by the golang community at large and by the local engineer.
This code has been reviewed both by the golang community at large and by the local engineer.


====Data Handling====
=Data Handling=
== What kind of data is transferred between the user and the application? ==
== What kind of data is transferred between the user and the application? ==
Client sends identifying UAID, and known channels (channels are ignored)
Client sends identifying UAID, and known channels (channels are ignored)
Jrconlin
Confirmed users
1,021

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/662556"