Closed Bug 1004625 Opened 11 years ago Closed 9 years ago

Infrasec review for d2g 1.0 planning

Categories

(mozilla.org :: Security Assurance: Review Request, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ozten, Assigned: pauljt)

References

Details

Attachments

(1 file)

We need a kick-off meeting and review our plans for d2g Bug#1004611
Blocks: 1004611
Please include me if possible.
Proposed Architecture 50,000 ft diagram
Assignee: nobody → ptheriault
Flags: sec-review?(ptheriault)
My notes from the d2g prototype's use of crypto https://github.com/ozten/betafox-addon/blob/master/doc/CRYPTO.md
Captured infrasec related details at https://github.com/mozilla/betafox/blob/master/docs/OPERATIONS.md

Note: These assume our new direction with App Manager will work, moving all nss-tools work server side as documented in https://github.com/mozilla/betafox/issues/14
As noted in OPERATIONS.md, we'd like to have one shared signing certificate across all developers. This opens up the door to the following attack:

* Developer A uploads "foobar" app
* Evil developer B uploads an app that looks like "foobar" but does bad stuff
* Evil developer B tricks developer A's beta testers into installing his app instead

Benefits on a single certificate:

* Greatly simplified provisioning instructions
* Greatly simplified App Manager or Firefox Addon UI
* Lower operational cost for key management

Likelihood of attack:

* For enterprise deployments - extremely low. Only trusted developers and testers will have access to apps
* For Mozilla hosted "BetaFox" deployment - low. Evil developer needs to discover a communication channel to developer A's testers. This app distribution system is not a marketplace and doesn't facilitate easy discovery, browsing and installation of random apps.
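An added example, not code from this bug or the betafox project, that replays the attack above with Ed25519 keys: the package layout, the trust-on-first-use pinning on the tester's device and the key names are assumptions, since the real certificate format is not on this page. It shows that with one shared signing key the tester's device cannot tell developer B's lookalike "foobar" from developer A's, while per-developer keys let the device reject it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Package is a constructed model of an uploaded beta app: name, bytes, signature.
type Package struct {
	App          string
	Payload, Sig []byte
}

func signingInput(p Package) []byte { return append([]byte(p.App+"\x00"), p.Payload...) }

// Sign builds a package signed with whatever private key the uploader holds.
func Sign(priv ed25519.PrivateKey, app string, payload []byte) Package {
	p := Package{App: app, Payload: payload}
	p.Sig = ed25519.Sign(priv, signingInput(p))
	return p
}

// Install models a tester's device: pinned records the key first seen for each app
// name (trust on first use); p is accepted only if it verifies under pub and pub
// matches any key already pinned for p.App.
func Install(pinned map[string]ed25519.PublicKey, p Package, pub ed25519.PublicKey) bool {
	if !ed25519.Verify(pub, signingInput(p), p.Sig) {
		return false
	}
	if prev, ok := pinned[p.App]; ok && !prev.Equal(pub) {
		return false // same app name, different signer: a lookalike
	}
	pinned[p.App] = pub
	return true
}

// Scenario replays the attack from the comment: A publishes "foobar", then B
// offers a lookalike "foobar" to A's tester. It reports whether the lookalike
// is accepted under one shared signing key and under per-developer keys.
func Scenario() (sharedAccepts, perDevAccepts bool) {
	sharedPub, sharedPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	shared := map[string]ed25519.PublicKey{} // everyone signs with the shared key
	Install(shared, Sign(sharedPriv, "foobar", []byte("A's real app")), sharedPub)
	sharedAccepts = Install(shared, Sign(sharedPriv, "foobar", []byte("B's lookalike")), sharedPub)
	perDev := map[string]ed25519.PublicKey{} // each developer holds their own key
	Install(perDev, Sign(aPriv, "foobar", []byte("A's real app")), aPub)
	perDevAccepts = Install(perDev, Sign(bPriv, "foobar", []byte("B's lookalike")), bPub)
	return sharedAccepts, perDevAccepts
}
```

With the shared key the signature check passes for both uploads, so only out-of-band controls (who may upload, how testers learn about apps) stand between B and A's testers; with per-developer keys the device itself catches the mismatch.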
:ozten and I discussed the Mozilla hosted version of Betafox today. I captured my notes in the Rapid Risk Assessment spreadsheet: https://docs.google.com/a/mozilla.com/spreadsheets/d/1ROwJps65HXa2gP67EPnMqDRXQQddRs5NuB3BB3Kp_jw/edit#gid=496217998

Betafox hosted by us is medium risk. The biggest concern is leaking the beta/confidential app of a partner, which could upset them a lot, but shouldn't have financial & legal repercussions if the terms of service are properly worded (action item for :ozten).

From an opsec standpoint, this is r+. The standard AWS stack will suffice (it should map to medium service policy level, when the policy is ready).
Leaving open for :pauljt . Feel free to close when you're done.
Flags: sec-review?(ptheriault)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED