Verify authenticity of records when reading recipes from Remote Settings

RESOLVED FIXED in Firefox 68

Status

enhancement
P1
normal
RESOLVED FIXED
4 months ago
3 months ago

People

(Reporter: leplatrem, Assigned: leplatrem)

Tracking

(Regressed 1 bug)

unspecified
Firefox 68

Firefox Tracking Flags

(firefox68 fixed)

Attachments

(1 attachment)

The current security model of Normandy over Remote Settings is not strong enough.

By adding an additional signature on each record, we could make sure that the records published on Remote Settings had really been published by the Normandy server.

Verify authenticity of Remote Settings records for Normandy

The current patch is a draft, but it seems to work locally.

I changed the structure of Remote Settings records to simplify the signature verification code (a record now has two fields: recipe and signature).
This means the old client code that reads recipes from RS won't work. I thought this would be acceptable since we wouldn't have enabled it anyway.
Mike, do you think it makes sense?
Also should I rename the Feature gate pref so that we don't activate the feature on clients < 68 by accident? (eg. "features.normandy-recipes-remote-settings.enabled")

Flags: needinfo?(mcooper)
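
An added example (not from the patch or the Normandy code base) of the per-record check discussed above: each record carries a `recipe` and a `signature`, and a reader accepts the recipe only if the signature verifies against a key pinned for the publishing server. Ed25519, the canonical-JSON helper, the function names and the sample records are assumptions for illustration; the bug does not state the real signature scheme.

```javascript
const crypto = require("node:crypto");

// Deterministic serialization (sorted keys) so signer and verifier see identical bytes.
function canonicalJSON(v) {
  if (Array.isArray(v)) return "[" + v.map(canonicalJSON).join(",") + "]";
  if (v && typeof v === "object") {
    const members = Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + canonicalJSON(v[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(v);
}

// Assumption: Ed25519 over canonical JSON of the recipe (scheme chosen for this example).
function signRecipe(recipe, privateKey) {
  return crypto.sign(null, Buffer.from(canonicalJSON(recipe)), privateKey).toString("base64");
}

// Keep only recipes whose per-record signature verifies against the pinned publisher key.
function verifiedRecipes(records, publisherKey) {
  return records.filter((record) => {
    const { recipe, signature } = record || {};
    if (!recipe || typeof recipe !== "object" || typeof signature !== "string") return false;
    try {
      const data = Buffer.from(canonicalJSON(recipe));
      return crypto.verify(null, data, publisherKey, Buffer.from(signature, "base64"));
    } catch {
      return false; // malformed signature or key error: fail closed
    }
  }).map((record) => record.recipe);
}

// Constructed sample data: one genuine record and three that must be rejected.
function demo() {
  const publisher = crypto.generateKeyPairSync("ed25519"); // stands in for the recipe server
  const other = crypto.generateKeyPairSync("ed25519");     // any other writer to the collection
  const recipe = { id: 1, name: "genuine", action: "example-action", arguments: { message: "hi" } };
  const signature = signRecipe(recipe, publisher.privateKey);
  const forged = { ...recipe, name: "forged" };
  const records = [
    { recipe, signature },
    { recipe: { ...recipe, name: "tampered" }, signature }, // content changed after signing
    { recipe: forged, signature: signRecipe(forged, other.privateKey) }, // valid, wrong signer
    { recipe: { ...recipe, name: "unsigned" } }, // old record shape without a signature
  ];
  return verifiedRecipes(records, publisher.publicKey).map((r) => r.name);
}

console.log(demo());
```

Because the check is made against the publisher's key and not the collection's, a record written by anyone else with access to the collection is dropped even when the collection itself is intact.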

I think this change makes sense. I think it's ok that we don't keep compatibility with the version we never turned on.

> Also should I rename the Feature gate pref so that we don't activate the feature on clients < 68 by accident? (eg. "features.normandy-recipes-remote-settings.enabled")

I think doing this would cause more confusion in the long run. I think we should keep the preference the same.

Flags: needinfo?(mcooper)
See Also: → 1540642
Pushed by mleplatre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7c95672d5215
Verify authenticity of Remote Settings records for Normandy r=mythmon,Gijs
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Blocks: 1506175
Regressions: 1543403