Bug 1013944
Opened 6 years ago
Closed 5 years ago
FindMyDevice should use HTTPS to talk to the service endpoint
Categories
(Firefox OS Graveyard :: FindMyDevice, defect)
Tracking
RESOLVED
FIXED
Flag | Tracking | Status
---|---|---
firefox-esr31 | --- | unaffected
People
(Reporter: freddyb, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-high)
I guess the current setup isn't production ready, but I wanted this captured somewhere. I would love the code (e.g. in build.js?) to contain a check that the api_url starts with "https:" and break otherwise. AFAIU this wouldn't be runtime which is quite fine here.
Comment 1•6 years ago
I'd rate this as high, considering the capabilities that come with it.
Keywords: sec-high
Find my device uses hawk for authenticating commands, doesn't it? Does this provide any mitigation to this issue?
Comment 3•6 years ago
I think it does, but at the very least we still want HTTPS for when the device is registering with the server, since that establishes the shared HAWK secret.
Comment 4•6 years ago
What release is this shipping in? This seems like a feature request more than a current security bug.
Comment 5•6 years ago
We switched to HTTPS when we started using a staging server on bug 1027487. I believe we still have one more URL switch to make before 2.0, but we're definitely not going back to plain HTTP, so I believe we can resolve this bug.
Comment 6•6 years ago
For the feature to be complete and live up to its promises (i.e. confidentiality, privacy, protection from request forgeries), it has to use HTTPS. I see this as a feature-completion criterion rather than as a request for additional features.
Comment 7•5 years ago
From comment 5, it sounds like maybe this is already done? Can you confirm that this is fixed, Frederik?
Flags: needinfo?(fbraun)
Comment 8•5 years ago
Yep, fixed.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Comment 9•5 years ago
This should have been more wordy: I have verified that in gaia/apps/findmydevice, there is no pointer to a non-HTTPS endpoint:
> ./build/build.js:11: 'api_url': 'https://find.firefox.com',
Flags: needinfo?(fbraun)
Updated•5 years ago
Group: b2g-core-security → core-security
Updated•5 years ago
status-firefox-esr31: --- → unaffected
Updated•4 years ago
Group: core-security → core-security-release
Updated•4 years ago
Group: core-security-release