Use a sufficiently secure encryption scheme
Categories: Core :: Storage: IndexedDB, enhancement, P2

| | Tracking | Status |
|---|---|---|
| firefox88 | --- | fixed |

People: Reporter: sg, Assigned: sg

Attachments: 1 file, 1 obsolete file

The dummy encryption should be replaced by a real NSS-based encryption scheme using a proper symmetric cipher, message authentication, keys per database, and some measures to ensure IV uniqueness.
This will not be sufficient for non-private browsing encryption.

Comment 1 (Assignee) • 4 years ago

Comment 2 (Assignee) • 4 years ago
Depends on D73290

Comment 3 • 4 years ago
Comment on attachment 9152030 [details]
Bug 1641178 - Generate keys per database. r=#dom-workers-and-storage
Revision D77020 was moved to bug 1638396. Setting attachment 9152030 [details] to obsolete.
Pushed by sgiesecke@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8f7c25b71590 Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv

Comment 5 • 3 years ago
Backed out for causing GTest failures.
Backout link: https://hg.mozilla.org/integration/autoland/rev/e67223422319316b3e8cc0f36672cdda3f41ca3a
Failure log: https://treeherder.mozilla.org/logviewer?job_id=331025955&repo=autoland&lineNumber=372686

Comment 6 (Assignee) • 3 years ago
I can't reproduce this locally. It seems to be related to passing nullptr as aad to PK11_AEADOp from NSSCipherStrategy::Cipher. Benjamin, can you check if this use is wrong, or if there's an issue within NSS?

Comment 7 • 3 years ago
I think that might actually be an NSS bug, I'll try to have a look ASAP...

Comment 8 • 3 years ago
I think we might have identified the issue, we are working on it.

Comment 9 • 3 years ago
Simon, if the fix I had in mind is enough, it has landed in NSS. So it should be in Mozilla central next time I uplift, probably tomorrow.
You can already try it, by copy pasting a copy of NSS master into security/nss and rebuilding.

Comment 10 • 3 years ago
Pushed by sgiesecke@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3b3b6706f48f Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv

Comment 11 • 3 years ago
bugherder

Comment 12 (Assignee) • 3 years ago
(In reply to Benjamin Beurdouche [:beurdouche] from comment #9)
> Simon, if the fix I had in mind is enough, it has landed in NSS. So it should be in Mozilla central next time I uplift, probably tomorrow.
> You can already try it, by copy pasting a copy of NSS master into security/nss and rebuilding.

I tried again, and that worked, and it landed now, so everything looks good. Thanks for taking care of this!