Closed
Bug 1462101
Opened 7 years ago
Closed 7 years ago
Please CNAME protocol.mozilla.org to protocol.moz.works
Categories
(Infrastructure & Operations :: SSL Certificates, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jgmize, Assigned: ericz)
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6609])
No description provided.
Reporter
Comment 1•7 years ago
Comment 2•7 years ago
This will need an RRA before we can make the change (as it's a mozilla.org subdomain). Can you please link the RRA in here once that's complete and we'll be happy to add the entry. Thanks!
Flags: needinfo?(jmize)
Reporter
Comment 3•7 years ago
(In reply to Shyam Mani [:fox2mike] from comment #2)
> This will need an RRA before we can make the change (as it's a mozilla.org
> subdomain). Can you please link the RRA in here once that's complete and
> we'll be happy to add the entry. Thanks!
The MEAO team is requesting to use protocol.mozilla.org as the official URL for the documentation of a new design system for Mozilla branded websites. This URL would be hosting a static site, not a service, so I believe the guidelines in https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html#when-not-to-run-an-rra would likely apply here. :gene do you agree, or should I file a bug requesting an RRA?
Flags: needinfo?(jmize) → needinfo?(gene)
Comment 4•7 years ago
:jgmize is all of the data on this static site public? Is the impact of an attacker modifying the data on the static site not a problem? If it's public data and an attacker modifying it doesn't have an impact then yes, skip the RRA, otherwise run it.
Flags: needinfo?(gene) → needinfo?(jmize)
Reporter
Comment 5•7 years ago
(In reply to Gene Wood [:gene] from comment #4)
> :jgmize is all of the data on this static site public? Is the impact of an
> attacker modifying the data on the static site not a problem? If it's public
> data and an attacker modifying it doesn't have an impact then yes, skip the
> RRA, otherwise run it.
All data for the static site is public on https://github.com/mozilla/protocol/ and we are aware of and accept the risks that all *.mozilla.org subdomains have in that an attacker that was able to modify the page would be able to read and write cookies for .mozilla.org.
Flags: needinfo?(jmize)
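The cookie-scope risk accepted in comment 5, as an added example that is not part of the original bug thread: a small model of RFC 6265 domain matching and the `__Host-` cookie prefix, showing which cookies a new `*.mozilla.org` host can read or set. The cookie names, the host `app.mozilla.org` and the helper function names are assumptions made for illustration.

```javascript
// Added example: RFC 6265 cookie scoping seen from a new mozilla.org subdomain.
// Cookie names and the host app.mozilla.org are constructed for illustration.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are identical or the host ends with "." + domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Names of the cookies a browser would attach to a request for `host`.
// Host-only cookies (set without a Domain attribute) need an exact match.
function cookiesSentTo(host, jar) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .map((c) => c.name);
}

// Would a browser store a cookie that `host` sets with these attributes?
// Simplified: public-suffix rejection (e.g. Domain=org) is not modelled.
function acceptSetCookie(host, name, attrs) {
  if (name.startsWith("__Host-")) {
    // Cookie-prefix rule: Secure, Path=/, and no Domain attribute allowed.
    return attrs.secure === true && attrs.path === "/" && attrs.domain === undefined;
  }
  if (attrs.domain !== undefined) return domainMatch(host, attrs.domain);
  return true; // becomes a host-only cookie for `host`
}

// Constructed cookie jar for a hypothetical sibling application.
const jar = [
  { name: "sid_wide", domain: "mozilla.org", hostOnly: false },
  { name: "sid_app", domain: "app.mozilla.org", hostOnly: true },
  { name: "__Host-sid", domain: "app.mozilla.org", hostOnly: true },
];

const newHost = "protocol.mozilla.org";
console.log("readable from", newHost, ":", cookiesSentTo(newHost, jar));
console.log("may set Domain=mozilla.org cookie:",
  acceptSetCookie(newHost, "sid_wide", { domain: "mozilla.org" }));
console.log("may set __Host-sid for the parent domain:",
  acceptSetCookie(newHost, "__Host-sid", { domain: "mozilla.org", secure: true, path: "/" }));
```

Only the cookie scoped with `Domain=mozilla.org` is exposed to the new host; host-only and `__Host-` cookies on the sibling stay out of its reach.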
Comment 6•7 years ago
> Is the impact of an attacker modifying the data on the static site not a problem?
Reporter
Comment 7•7 years ago
(In reply to Gene Wood [:gene] from comment #6)
> > Is the impact of an attacker modifying the data on the static site not a problem?
The impact of an attacker modifying the data on the site would be low as it is not directly associated with any Mozilla product or service, nor will it be promoted to end users, only designers and front-end developers implementing Mozilla websites.
Comment 8•7 years ago
Sounds like no need for an RRA then if the availability, integrity and confidentiality of the data on the site don't matter.
Flags: needinfo?(smani)
Assignee
Updated•7 years ago
Assignee: server-ops-webops → eziegenhorn
Assignee
Comment 9•7 years ago
Thanks Gene. CNAME created.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Flags: needinfo?(smani)