Perform a security audit of autograph 2.0

RESOLVED FIXED

Status

Cloud Services
Security
RESOLVED FIXED
a year ago
7 months ago

People

(Reporter: ulfr, Assigned: g)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
Both the autograph service and the pkcs7 library should go through a security audit / code review to make sure it handles key material securely.
(Reporter)

Comment 1

10 months ago
Assigning to Greg for first pass in Q3. Will likely hire a 3rd party for a more in-depth review of the Go code of autograph, pkcs7 and hawk packages.
Assignee: jvehent → gguthe
(Assignee)

Comment 2

9 months ago
I haven't reviewed much go or crypto. Are there specific attacks I should look for about handling key material securely?
Flags: needinfo?(jvehent)
(Reporter)

Comment 3

9 months ago
it's not so much the crypto I'm concerned about. Autograph implements access controls that grant users permissions request signatures using specific keys. That access control is what, if broken, could put the entire service at risk.
Flags: needinfo?(jvehent)
(Assignee)

Comment 4

7 months ago
Recommendations in the github issue: https://github.com/mozilla-services/foxsec/issues/359 and will open issues against the autograph repo.
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.