Closed Bug 742809 Opened 12 years ago Closed 12 years ago

Security review for new Identity Project BigTent

Categories

(mozilla.org :: Security Assurance: Review Request, task)

Product:
mozilla.org
Component:
Security Assurance: Review Request
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: ozten, Assigned: dchanm+bugzilla)

References

(
URL
)

Details

(Whiteboard: [completed secreview][action items pending]) 

1. Who is/are the point of contact(s) for this review?

ozten

secondary: callahad or benadida in #identity

2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

For the top three web email providers (gmail.com, yahoo.com, hotmail.com) we want to proxy their IdP to BrowserID.

Today, BrowserID is a "secondary" for these email addresses. They all offer a native IdP solution such as OpenID or OAuth for websites (RP) to implement. We'll reuse this mechanism from a new service called BigTent, which will give users a Primary-like experience when using BrowserID, but without having to wait for Google, Yahoo, or Microsoft to implement the BrowserID protocol. 

3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

https://wiki.mozilla.org/Identity/BrowserID/BigTent
Early codebase: https://github.com/ozten/bigtent

4. Does this request block another bug? If so, please indicate the bug number

Not currently.

5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

We'd like to get the architecture reviewed soon. BigTent is a Q2 goal for the Identity team.

6. Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
6.1 Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

Yes, this affects the web based shim for BrowserID.

6.2 Are there any portions of the project that interact with 3rd party services?

Yes, the goal of BigTent is to bridge Google Accounts, Yahoo, and Microsoft Live to BrowserID.

6.3 Will your application/service collect user data? If so, please describe 

No. Some of these mechanisms offer profile information in their callback and user's are advised as to what they are disclosing to BrowserID (in the 3rd party dialog), but *we will not collect PII* in version 1 of BigTent.

7. If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

I haven't had donuts in weeks. Weeks!

8. Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite. 

4/19
(In reply to Austin King [:ozten] from comment #0)

> 8. Desired Date of review (if known from
> https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> and whom to invite. 
> 
> 4/19

Should anyone besides yourself be invited?
Assignee: nobody → curtisk
Status: NEW → ASSIGNED
I'd appreciate sitting in on the review. My LDAP name is dcallahan.
:dchan has been assigned as lead for this review to get required reading setup and be present for review
Whiteboard: [pending secreview] → [pending secreview][review lead:dchan]
=============================
Item to be reiviewed: Identity BigTent
Link to calendar entry: https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=110484-110483&pstat=AC&exInvId=110484-164915&useInstance=1&instStartTime=1334854800000&instDuration=3600000
SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=742809
Security Lead: David Chan
Required Reading List:
* source - https://github.com/ozten/browserid-bigtent
* feature page - https://wiki.mozilla.org/Identity/BrowserID/BigTent
* Persona Primary vs Secondary - http://mozilla.github.com/browserid-field-guide/bootstrapping_browserid.html
(If possible prefill this area for copying to the notes section of the review)
Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time]
- Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
* bridge Persona adoption gap for primary
* allows users to have a primary like experience on whitelisted sites that are not primaries
- What solutions/approaches were considered other than the proposed solution?
- Why was this solution chosen?
- Any security threats already considered in the design and why?
* pseudo-primary support is only for whitelist of domains
* domain match is eTLD + 1
** whitelist with gmail.com will only match foo@gmail.com and not foo@bar.gmail.com
* workflow risks if whiteisted domain supports primary workflow
** code checks whether domain has primary support or not
** only proceed with BigTent workflow if no primary support
* Threat Brainstorming (30-40 minutes)
** Compromise of openid / OAuth / other identity services tokens
*** BigTent should request minimal privileges / information for each service
*** The resulting service token is only needed to verify successful login, it is not needed afterwards
*** BID assertion is generated after successful login
* Conclusions / Action Items (10-20 minutes)
=============================
review removed from calendar as dchan recommends we don't need a big team review. 
Notes from background and required reading copied above.
There were a couple open questions from the email exchange

1. How long are the openid/oauth tokens kept around for (session, forever, other)? What information do we get from these tokens?
2. How are we going to handle Persona accounts which contain emails for primaries? e.g. if my account has foo@gmail.com, and gmail becomes a primary, what is the end result of that Persona account?

Austin mentioned that bigtent will always check the primary status of an email before offering the pseudo primary workflow.

I don't believe the above are blockers for the feature, but we should get them documented.
(In reply to David Chan [:dchan] from comment #7)
> 1. How long are the openid/oauth tokens kept around for (session, forever, other)?

Tokens are not saved.
 
> What information do we get from these tokens?

No user information is recorded, except the user's email in their session.

We detect an active session by the existence of a session. We ensure they are claiming the active email by comparing the email from the session to the claimed email.

> 2. How are we going to handle Persona accounts which contain emails for primaries? 
> e.g. if my account has foo@gmail.com, and gmail becomes a primary, what is the end 
> result of that Persona account?

Theoretically... Primary will transparently take over and Persona account it unchanged. Code to be written/testing to be done but it looks like this is seamless and there is no data to migrate. Our BigTent session would expire and no trace of BigTent for that email address would remain.

This is because we'll use 'type=primary' for primary and proxyidp types.

If we do store Persona account as 'type=proxyidp', then there would be a data migration step on first login once gmail becomes a primary.
Thanks for the update Austin.

I'm going to mark this review as complete. Please contact our team when it is appropriate to perform some testing.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Keywords: sec-review-neededsec-review-complete
Resolution: --- → FIXED
Whiteboard: [secreview sched] → [secr:dchan]
Blocks: 754926
Whiteboard: [secr:dchan] → [secr:dchan][qa-]
Hi dchan, we'd like to get back on the calendar again for some review and testing. What do we need to do to make that happen?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [secr:dchan][qa-] → [secr:dchan]
:callahad - If you are asking for a full team review we can do it this week (week of 6-Aug) on Wed at 1pm PST or Thu/Fri at 10am PST. Next week the team is in London for a workweek. But if this week does not work we can shoot for week of 20-Aug. Let me know what is appropriate for you all.
Whiteboard: [secr:dchan] → [sec-assigned:dchan]
:curtisk / :dchan Let's get on the calendar for early the week of 20-Aug.
What day of the week would you like?
Mon/Wed - 1PM PST
Thu/Fri - 10AM PST
All of those work for me. I'll leave it to :ozten to pick a date and time that work well for him.
Specifically, how about Tuesday 1pm?

Any of Mon/Wed @ 1pm sounds great.
Sorry there are no reviews on Tues (too many other meetings conflict to be able to get people in a review) I will sched for Mon 20-Aug at 1pm PST.

Dchan will have to run the review as I will be traveling that day.
Flags: sec-review+
Depends on: 784543
URL: https://wiki.mozilla.org/Security/Rev...
Whiteboard: [sec-assigned:dchan] → [completed secreview]
resolved-fixed as review is done, when dependent bugs are done this can go to verified-fixed
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Whiteboard: [completed secreview] → [completed secreview][action items pending]
You need to log in before you can comment on or make changes to this bug.