Verify authenticity of records when reading recipes from Remote Settings
Categories
(Firefox :: Normandy Client, enhancement, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: leplatrem, Assigned: leplatrem)
References
Details
Attachments
(1 file)
The current security model of Normandy over Remote Settings is not strong enough.
By adding an additional signature on each record, we could make sure that the records published on Remote Settings had really been published by the Normandy server.
|
Assignee | |
Comment 1•6 years ago
|
||
Verify authenticity of Remote Settings records for Normandy
|
|
Assignee | |
Comment 2•6 years ago
|
||
The current patch is a draft, but it seems to work locally.
I changed the structure of Remote Settings records to simplify the signature verification code (a record now has two fields: recipe and signature).
This mean the old client code that reads recipes from RS won't work. I thought this would be acceptable since we wouldn't have enabled it anyway.
Mike, do you think it makes sense?
Also should I rename the Feature gate pref so that we don't activate the feature on clients < 68 by accident? (eg. "features.normandy-recipes-remote-settings.enabled")
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 3•6 years ago
|
||
|
|
Assignee | |
Comment 4•6 years ago
|
||
|
||
Comment 5•6 years ago
|
||
I think this change makes sense. I think it's ok that we don't keep compatibility with the version we never turned on.
Also should I rename the Feature gate pref so that we don't activate the feature on clients < 68 by accident? (eg. "features.normandy-recipes-remote-settings.enabled")
I think doing this would cause more confusion in the long run. I think we should keep the preference the same.
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
Description
•