Closed Bug 1013944 Opened 6 years ago Closed 5 years ago

FindMyDevice should use HTTPS to talk to the service endpoint


(Firefox OS Graveyard :: FindMyDevice, defect)

Not set


(firefox-esr31 unaffected)

Tracking Status
firefox-esr31 --- unaffected


(Reporter: freddyb, Unassigned)


(Blocks 1 open bug)


(Keywords: sec-high)

I guess the current setup isn't production ready, but I wanted this captured somewhere.

I would love the code (e.g. in build.js?) to contain a check that the api_url starts with "https:" and break otherwise. AFAIU this wouldn't be runtime which is quite fine here.
Depends on: 1013946
I'd rate this as high, considering the capabilities that come with it.
Keywords: sec-high
Blocks: 937618
Find my device uses hawk for authenticating commands doesn't it? Does this provide any mitigation do this issue?
I think it does, but at the very least we still want HTTPS for when the device is registering with the server, since that establishes the shared HAWK secret.
What release is this shipping in? This seems like a feature request more than a current security bug.
We switched to HTTPS when we started using a staging server on bug 1027487. I believe we still have one more URL switch to make before 2.0, but we're definitely not going back to plain HTTP, so I believe we can resolve this bug.
For the feature to be complete and live up to its promises (i.e. confidentiality, privacy, protection from request forgeries), it has to use HTTP. I see this as a feature-completion criterion rather than as a request for additional features.
From comment 5, it sounds like maybe this is already done?  Can you confirm that this is fixed, Frederik?
Flags: needinfo?(fbraun)
Yep, fixed.
Closed: 5 years ago
Resolution: --- → FIXED
This should have been more wordy: I have verified that in gaia/apps/findmydevice, there is no pointer to a non-HTTPS endpoint:
> ./build/build.js:11:    'api_url': '',
Flags: needinfo?(fbraun)
Group: b2g-core-security → core-security
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.