Closed Bug 886679 Opened 11 years ago Closed 8 years ago

Privacy-Technical Review: Shumway SWF Runtime

Categories

(mozilla.org :: Security Assurance: Review Request, task)

Product:
mozilla.org
Component:
Security Assurance: Review Request
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: elan, Assigned: cpeterson)

References

Details

(Keywords: privacy-review-needed, Whiteboard: [Fx] u= c= p=1 s=sprint 6 [score:low] [shumway:fb2?]) 

Initial Questions:

Project/Feature Name: Shumway SWF Runtime
Tracking  ID:
Description:
(taken from sec bug verbiage) 

Shumway is an experimental web-native runtime implementation of the SWF file format. It is developed as a free and open source project sponsored by Mozilla Research. The project was started with two goals:

1. Advance the open web platform to process rich media formats, like SWF, that were previously only available in closed and proprietary implementations.
2. Offer a runtime processor for SWF and other rich media formats on platforms for which runtime implementations are not available.
Additional Information:
- https://github.com/mozilla/shumway/wiki/Intro
- https://github.com/mozilla/shumway/wiki
- https://wiki.mozilla.org/Shumway/Roadmap

Key Initiative: Firefox Platform
Release Date: 2013-12-10
Project Status: development
Mozilla Data: Yes
Mozilla Related: Firefox Desktop, Firefox for Android
Separate Party: No
We had a user create a ticket on github about this:
https://github.com/mozilla/shumway/issues/399

My thoughts on the issues they brought up:

Both pieces of information (version number and font list) are available by other means, already. Since we plan on bundling Shumway, a specific version of Firefox will correspond to a specific version of Shumway. The font list is available for inspection via js, and we aren't using any privileged APIs within Shumway to get at it.

One concern is, however, that we might still effectively cause users to be identified more easily. The fonts case could be an example for that: we're using readily available APIs that can already be used for thumbprinting, but we're exposing them in a way that existing tracking mechanisms consume right now, making them pick up on the information where they might not have, before.
Assignee: nobody → curtisk
Whiteboard: [Fx]
Are we any closer to having something we might run some tests on to see what we can get out of this?
Blocks: 886680
Flags: needinfo?(elancaster)
needs at least a score
Whiteboard: [Fx] → [Fx] u= c= p=1 s=ready
Group: mozilla-corporation-confidential
Whiteboard: [Fx] u= c= p=1 s=ready → [Fx] u= c= p=1 s=ready [score:low]
I believe a great deal of this is still in flux so it's not ready for a formal review yet, but the bug at least has a risk rating for completion of this sprint
Due Date: 2013-11-22
Whiteboard: [Fx] u= c= p=1 s=ready [score:low] → [Fx] u= c= p=1 s=sprint 2 [score:low]
Whiteboard: [Fx] u= c= p=1 s=sprint 2 [score:low] → [Fx] u= c= p=1 s=sprint 4 [score:low]
Whiteboard: [Fx] u= c= p=1 s=sprint 4 [score:low] → [Fx] u= c= p=1 s=sprint 5 [score:low]
Whiteboard: [Fx] u= c= p=1 s=sprint 5 [score:low] → [Fx] u= c= p=1 s=sprint 6 [score:low]
Blocks: 886675
Blocks: shumway-m4
Flags: needinfo?(elancaster)
Assignee: curtisk → nobody
Whiteboard: [Fx] u= c= p=1 s=sprint 6 [score:low] → [Fx] u= c= p=1 s=sprint 6 [score:low] [shumway:fb2?]
Make bugs with "[shumway-fb2]" whiteboard tag block shumway-fb2 meta bug 1110300.
Blocks: shumway-fb2
Blocks: shumway-jw2
No longer blocks: shumway-fb2
No longer blocks: shumway-jw2
Blocks: shumway-jw2
Assignee: nobody → cpeterson
This Shumway bug is no longer relevant.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.