Closed Bug 1210200 Opened 9 years ago Closed 9 years ago

Risk Summary: SyncTo Server

Categories

(Security Assurance :: Risk Record, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jvehent, Assigned: tarek)

References

Details

(Whiteboard: RISK=MEDIUM IMPACT=HIGH LIKELIHOOD=LOW DATA=RESTRICTED)

Risk Assessment: https://docs.google.com/spreadsheets/d/1fFxVSpdkO77iBo8o9nTPkLUzyPJrrlLFwccSe08wCUY/edit#gid=0

Summary
-------

Data handled: CONFIDENTIAL-RESTRICTED
Risk: MEDIUM
Impact: HIGH

Syncto is a layer that provides the Kinto API to Firefox OS devices in order to integrate with Firefox Sync. It allows Firefox OS devices to use the Sync 1.5 service without speaking its protocol. Syncto acts as a proxy between FxOS and Sync, but it never has access to sync data.

Users authenticate against Syncto using their FxA signed assertions. Syncto converts the assertion into a token that is used to access the sync server. The user token is cached in a database local to Syncto, but encrypted, and deleted only a few minutes after the user session expires.

From a risk point of view, the fact that Syncto never sees cleartext user data greatly reduces the risk. Syncto still carries some amount of risk because the token can be used to purge the sync database of a given user, but that attack is limited to one user at a time. A database leak would also lead to bad press, but the encryption performed on sync data protects us from leaking truly sensitive information.

Note that the Firefox OS client "kinto.js" is out of the scope of this risk assessment.

Recommendations
---------------

1) The production Syncto service should be operated at the same security level as the rest of the Sync infrastructure.
2) Encryption of user tokens in the cache should be implemented using a key that is not stored in Syncto (e.g. a hash of the user's kB).
3) The redis cache should delete keys shortly after expiration of the user session. 5 minutes appears to be a reasonable delay.

Source: https://github.com/mozilla-services/syncto
Wiki: https://wiki.mozilla.org/Firefox_OS/Syncto
See Also: → 1212834
Recommendation 1 is addressed by hosting Syncto in Cloud Services Production AWS, using the same security controls as Sync 1.5. :natim - Now that implementation is well under way, could you comment on recommendations 2 & 3 above and indicate how they are being addressed?
Flags: needinfo?(rhubscher)
Hello,

Thank you for asking.

2) Has been done using an HMAC of the BID Assertion provided by the user (https://github.com/mozilla-services/syncto/blob/master/syncto/authentication.py#L71-L72)

3) This assertion changes for each sync, so we configured the default cache TTL to 5 minutes. (https://github.com/mozilla-services/syncto/blob/master/syncto/__init__.py#L27)
Flags: needinfo?(rhubscher)
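An added example (not Syncto's own code) of the cache pattern behind recommendations 2 and 3 and the reply above: the cache lookup key and the token encryption key are both derived from the user's assertion with HMAC, so Syncto stores neither, the sealed token is unreadable without the assertion the user presents, and entries expire 5 minutes after they are written. The stdlib-only HMAC counter-mode cipher, the in-memory cache standing in for Redis, and the `LOOKUP_SECRET` value are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

LOOKUP_SECRET = b"example-lookup-secret"  # constructed placeholder; namespaces lookups only
TTL_SECONDS = 300  # recommendation 3: drop entries 5 minutes after the session


def cache_key(assertion):
    # Lookup key is an HMAC of the BID assertion, so the assertion itself is never stored.
    return hmac.new(LOOKUP_SECRET, assertion, hashlib.sha256).hexdigest()


def encryption_key(assertion):
    # Per-user key recomputed from the assertion on every request; Syncto keeps
    # neither the assertion nor this key (recommendation 2).
    return hmac.new(b"syncto-token-encryption", assertion, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: an illustrative stdlib stream cipher, not a vetted AEAD.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, token):
    # Encrypt-then-MAC; layout is nonce(16) || ciphertext || tag(32).
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(token, _keystream(key, nonce, len(token))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong assertion or tampered record
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class TokenCache:
    # In-memory stand-in for the Redis cache; `now` is injectable so expiry can be tested.
    def __init__(self, now=time.time):
        self._now, self._store = now, {}

    def put(self, assertion, token):
        entry = (self._now() + TTL_SECONDS, seal(encryption_key(assertion), token))
        self._store[cache_key(assertion)] = entry

    def get(self, assertion):
        key = cache_key(assertion)
        if key not in self._store:
            return None
        expires, blob = self._store[key]
        if self._now() >= expires:
            del self._store[key]  # expired: delete, as the Redis TTL would
            return None
        return unseal(encryption_key(assertion), blob)
```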
Great! Then I think we're good to close this review.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: mozilla-employee-confidential