Open Bug 604070 Opened 14 years ago Updated 2 years ago

Sync stores encryption keys in JavaScript strings

Tracking

()

Status:

NEW

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug)

Details

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Reporter

Description

•

14 years ago

The NSS code is careful to zeroize all the buffers that hold keys when the keys are no longer needed, in order to minimize the impact of reads of freed memory and similar errors. The JavaScript interpreter doesn't have the same mechanism for its Strings and the JavaScript interpreter has a particularly large attack surface, so we should avoid storing encryption keys in JavaScript strings to minimize the risk of their disclosure.

Gregory Szorc [:gps]

Updated

•

12 years ago

Depends on: 743070

Nobody; OK to take it and work on it

Assignee

Updated

•

6 years ago

Component: Firefox Sync: Crypto → Sync

Product: Cloud Services → Firefox

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Sync stores encryption keys in JavaScript strings

Categories

(Firefox :: Sync, defect)

Tracking

()

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug)

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated