Closed
Bug 1150824
Opened 10 years ago
Closed 10 years ago
SSL Certificate: wildcard for *.bzlite.com
Categories: Infrastructure & Operations :: SSL Certificates, task
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: daleharvey, Assigned: Atoll
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/883]
Attachments: 3 files
No description provided.
Comment 1•10 years ago
New wildcard cert request, requesting sec-review from opsec.
Flags: sec-review?(jvehent)
Comment 2•10 years ago
I don't know what bzlite is. Dale: looks like this is a domain you registered yourself and is self-hosted on linode. Could you share more context? Will this store non-public data owned by Mozilla? Anything sensitive?
Reporter
Comment 3•10 years ago
Hey Julien
bzlite is Bugzilla Lite, it's a mobile UI for Bugzilla to be used on Firefox OS. There will be no data stored on the server; it only communicates with bugzilla.mozilla.org (including user credentials) over its REST API (https).
I registered the domain and am currently in the process of moving the hosting from my personal linode to the Mozilla Heroku account, can transfer the domain but not entirely sure how to handle that.
Cheers
Dale
Flags: needinfo?(jvehent)
Comment 4•10 years ago
Thanks for the context. Let's chat next week, I'd like to go through our risk review with you to understand how we can keep this application safe. We typically are very careful about anything that transits data with bugzilla, because of security bugs.
Should I invite anyone else? Maybe Mark Côté as the bmo project manager?
Flags: needinfo?(jvehent)
Reporter
Comment 5•10 years ago
Byron Jones (glob) has been helping me out on the API side of things so it may be useful to hear from him although Mark may be able to speak for that side of things. Sounds good thanks.
Comment 6•10 years ago
Ran RRA today with Dale, Mark and Byron. Turns out this is potentially a risky service, so I'm going to r- this request for now while we discuss hosting options.
https://docs.google.com/a/mozilla.com/spreadsheets/d/1qdkssndd7pgJRCgDmh9pcUQiIvGuWoBKPWYJ8Gtx9dw/edit#gid=0
RRA recommendation is to host bzlite in BMO to match the security levels provided by BMO. The BMO cert could add a SAN record for bzlite.mozilla.org or something similar.
Flags: sec-review?(jvehent) → sec-review-
Reporter
Comment 7•10 years ago
I don't think it makes sense for BMO to host this as it's likely we are going to need a secure hosting environment for all v3 gaia applications and having BMO handle all Gaia's infrastructure doesn't sound right + adds burden.
Will wait for the strategy from Firefox OS execs and kick that off once the process starts
Comment 8•10 years ago
Ok. I'm going to push that over to Mark Cote to make a call on proper hosting. The RRA clearly showed that bzlite has the potential to impact the security of bugzilla users, so it seems fair that the manager of bugzilla should make the call on what is an appropriate hosting platform.
I'm happy to help review the security of whatever hosting platform you go with. Internal, Heroku or something else.
As far as the certificate goes, I'd recommend going with a SAN certificate, and using one cert for production and a separate one for staging, as is the best practice for web applications.
Flags: needinfo?(mcote)
Comment 9•10 years ago
fubar, is this something we could host on the bmo web heads? It's going to be very useful for Firefox OS.
Flags: needinfo?(mcote) → needinfo?(klibby)
Comment 10•10 years ago
Comment 7 seems to indicate that bzlite and all v3 gaia apps need to be hosted together, but the RRA looks like it's just a vhost pushing JS to a client. The bugzilla cluster and deploy process also isn't hugely flexible, so I'm disinclined to put it directly on the BMO web heads, even if it is just a vhost. New VMs within the BMO vlan(s) may be ok, but :glob may have religion on that.
Flags: needinfo?(klibby)
Comment 11•10 years ago
Yes, it is largely static; however, the concern was that, should it be compromised, an attacker could change the JS to take advantage of an existing session. I have no idea how glob feels about new vlans; let's find out.
Flags: needinfo?(glob)
Comment 12•10 years ago
(In reply to Kendall Libby [:fubar] from comment #10)
> I'm disinclined to put it directly on the BMO web heads, even if it is just a vhost.
+1
(In reply to Mark Côté [:mcote] from comment #11)
> Yes, it is largely static.
is it _largely_ static or completely static?
> I have no idea how glob feels about new vlans; let's find out.
if the content is 100% static then i don't see any issues with hosting it within the bugzilla vlan, on a separate webhead with dynamic features disabled in the web server (ie. without any ability to execute code within our vlan).
if there's a requirement for _any_ server-side dynamic code i'd prefer a separate vlan to segregate it from the bmo database.
Flags: needinfo?(glob)
Comment 13•10 years ago
Another viable option would be to use the PaaS https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=30081453
Comment 14•10 years ago
(In reply to Byron Jones [:glob] from comment #12)
> (In reply to Mark Côté [:mcote] from comment #11)
> > Yes, it is largely static.
>
> is it _largely_ static or completely static?
IIRC Dale said it is largely static at the moment, with plans to make it fully static. Dale, is that the current situation? Could you move to fully static soon, so we can make hosting easier?
Flags: needinfo?(dale)
Comment 15•10 years ago
(In reply to Dale Harvey (:daleharvey) from comment #3)
> I registered the domain and am currently in the process of moving the
> hosting from my personal linode to the Mozilla Heroku account, can transfer
> the domain but not entirely sure how to handle that.
Dale,
Once we decide direction here, Webops can help with Domain transfers as well. Let's sync up once the rest of this has been sorted out. Thanks!
Reporter
Comment 16•10 years ago
> is it _largely_ static or completely static?
It's largely static; it's possible to remove the dynamic elements but it's a bit of a hassle and is less flexible for the future.
I think paas or heroku is a good place for this, so I will try out paas and if that works get ssl sorted, otherwise ask for heroku to become a real security verified thing.
Cheers
Flags: needinfo?(dale)
Comment 17•10 years ago
Meanwhile I learned that PaaS will be EOLed soon, so don't use that.
We've reviewed the security of Heroku in [1] and it's good for low/medium risk applications. However, BZLite is HIGH risk because it can impact those critical security bugs in Bugzilla. So I'd say use Heroku for now while you don't impact security bugs, but move it to secure hosting when those features come in.
[1] https://mana.mozilla.org/wiki/display/SECURITY/Heroku
Assignee
Comment 18•10 years ago
I've requested the wildcard certificate from Digicert.
Dale, two requests for you -
1. You have an email asking you to approve Digicert to issue SSL certificates on behalf of Mozilla Foundation for the domain BZLITE.COM - please approve the request using the link in the email so that we may proceed.
2. I need your GPG key so I can securely provide you the private key for this wildcard SSL certificate, to be installed on Heroku (as per above discussion).
Flags: needinfo?(dale)
Reporter
Comment 19•10 years ago
Hey Richard, I have confirmed the request, my public key is @ https://github.com/daleharvey.keys
Cheers
Flags: needinfo?(dale)
Assignee
Comment 20•10 years ago
(In reply to Dale Harvey (:daleharvey) from comment #19)
> Hey Richard, I have confirmed the request, my public key is @
> https://github.com/daleharvey.keys
>
> Cheers
Unfortunately, that appears to be an SSH key; I'll need a GnuPG (GPG, PGP) key to proceed.
Flags: needinfo?(dale)
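The mix-up in comments 19 and 20 (an SSH key offered where a PGP key was needed) is easy to catch mechanically. The following checker is an added example written for this page; it is not code from the bug or from Mozilla. It recognises a PGP armored block by its framing and an OpenSSH public key by parsing the base64 blob (RFC 4253 string encoding) and confirming the embedded type matches the textual prefix. The sample key line and armored block are constructed inline with placeholder bytes; `dale@example.invalid` is a made-up comment, not anyone's real key.

```python
import base64
import struct

# OpenSSH public-key type identifiers this checker recognises (not exhaustive).
SSH_KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)
PGP_PUBLIC_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PGP_PUBLIC_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"
PGP_PRIVATE_HEADER = "-----BEGIN PGP PRIVATE KEY BLOCK-----"


def make_sample_ssh_key() -> str:
    """Build a constructed OpenSSH ed25519 public-key line for the demo.

    The 32 key bytes are placeholders, not a real key; only the wire format
    (length-prefixed type string, then length-prefixed key material) matters here.
    """
    key_type = b"ssh-ed25519"
    fake_point = bytes(range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(fake_point)) + fake_point)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} dale@example.invalid"


# Constructed PGP armor with a dummy body; only the armor framing is inspected.
SAMPLE_PGP_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----

bWlub3RhcmVhbGtleQ==
=abcd
-----END PGP PUBLIC KEY BLOCK-----
"""


def parse_ssh_public_key(line: str):
    """Return the key type if `line` is a well-formed OpenSSH public key, else None.

    Besides the textual prefix, the base64 blob starts with the same type string;
    the two must agree or the line is rejected.
    """
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in SSH_KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len]
    if embedded_type != parts[0].encode():
        return None               # declared and embedded key types disagree
    return parts[0]


def classify_public_key(text: str) -> str:
    """Classify pasted key material as 'ssh', 'pgp', 'pgp-private' or 'unknown'.

    A GitHub `.keys` file may list several SSH keys, one per line; every
    non-empty line must parse for the text to count as SSH.
    """
    stripped = text.strip()
    if stripped.startswith(PGP_PRIVATE_HEADER):
        return "pgp-private"      # the one thing that should never be pasted
    if stripped.startswith(PGP_PUBLIC_HEADER) and stripped.endswith(PGP_PUBLIC_FOOTER):
        return "pgp"
    lines = [ln for ln in stripped.splitlines() if ln.strip()]
    if lines and all(parse_ssh_public_key(ln) for ln in lines):
        return "ssh"
    return "unknown"


if __name__ == "__main__":
    for label, sample in (("github .keys", make_sample_ssh_key()), ("armored", SAMPLE_PGP_KEY)):
        print(f"{label}: {classify_public_key(sample)}")
```

Anything that comes back as `ssh` cannot be used to encrypt a private key for delivery the way comment 18 describes, since an SSH authentication key is not an OpenPGP encryption key; a `pgp-private` result means the sender pasted the wrong half and should be told so before anything else happens.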
Assignee
Comment 21•10 years ago
This is the intermediate (chained root) certificate, that must be deployed alongside the signed server certificate, or else it will not work correctly.
Assignee
Comment 22•10 years ago
This is the signed SSL server certificate as requested, prepared for use with *.bzlite.com (and bzlite.com). It must be deployed alongside the intermediate (chained root) certificate in attachment 8610979 [details] or it will not function correctly.
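Comment 22 notes that the certificate was prepared for `*.bzlite.com` "and bzlite.com", which is not redundant: a wildcard never covers the bare domain, and it covers exactly one label. The matcher below is an added example for this page (not code from the bug or from Digicert) that applies the RFC 6125 rules the way browsers do, so you can check which hostnames a given set of certificate names would actually be valid for before requesting the cert. The host lists are constructed for illustration.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate name `pattern` cover `hostname`?

    Rules follow RFC 6125 as browsers apply them: a wildcard must be the
    entire left-most label, stands for exactly one label, may not sit directly
    under a public suffix such as "*.com", and never matches the bare domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False                  # "w*.bzlite.com" or "*.*.com": rejected
    if len(p_labels) < 3:
        return False                  # "*.com" would cover every .com host
    if len(p_labels) != len(h_labels):
        return False                  # one label only: a.b.bzlite.com is not covered
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_covers(names, hostname: str) -> bool:
    """True if any subject-alternative name (or wildcard) in `names` covers `hostname`."""
    return any(wildcard_matches(n, hostname) for n in names)


def uncovered_hosts(names, hostnames):
    """Hostnames that a certificate carrying the names in `names` would NOT be valid for."""
    return [h for h in hostnames if not cert_covers(names, h)]


if __name__ == "__main__":
    # Constructed deployment host list; only bzlite.com itself comes from the bug.
    wanted = ["bzlite.com", "www.bzlite.com", "api.bzlite.com", "staging.api.bzlite.com"]
    print("wildcard only  :", uncovered_hosts(["*.bzlite.com"], wanted))
    print("wildcard + bare:", uncovered_hosts(["*.bzlite.com", "bzlite.com"], wanted))
```

Run against the wildcard alone, the bare domain and any second-level host such as `staging.api.bzlite.com` come back uncovered; adding `bzlite.com` as a SAN fixes the first but not the second, which is the practical reason comment 8 prefers an explicit SAN list (and separate production and staging certificates) over a single wildcard.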
Reporter
Comment 23•10 years ago
Flags: needinfo?(dale)
Reporter
Comment 24•10 years ago
Apologies, here's my public GPG key
Reporter
Comment 25•10 years ago
err PGP
Reporter
Comment 26•10 years ago
Hey Richard, is there anything more needed on my end for this? Thanks
Flags: needinfo?(rsoderberg)
Assignee
Comment 28•10 years ago
(In reply to Dale Harvey (:daleharvey) from comment #26)
> Hey Richard, is there anything more needed on my end for this? Thanks
Nope, that's perfect. Sent via GPG to you. Let us know if you have any issues with this certificate.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(rsoderberg)
Resolution: --- → FIXED