Security review for new identity box design

RESOLVED FIXED

Status

task

People

(Reporter: jaws, Assigned: dveditz)

Details

(Whiteboard: [secreview complete][action items][start mm/dd/yyyy][target mm/dd/yyyy])

> Who is/are the point of contact(s) for this review?
Jared Wein, Stephen Horlander
> Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
We will remove the favicon from the Firefox address bar and replace it with a generic icon in http and mixed content scenarios. Use a grey lock in https, and a green lock in https+ev. The verified domain will be hidden in https. The verified identity will be visible in https+ev.
> Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
See bug 742419 and the attached mockup in the bug.
> Does this request block another bug? If so, please indicate the bug number
Just bug 742419.
> This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
This request does not need to be expedited.
> Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
>     Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
Firefox.
>     Are there any portions of the project that interact with 3rd party services?
No.
>     Will your application/service collect user data? If so, please describe 
No.
> If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
> Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite. 
Wednesday, April 18th at 1pm would be nice.
https://bugzilla.mozilla.org/show_bug.cgi?id=742419#c11 states that a formal review may be unnecessary, so this bug exists so we can track the necessity of a formal review.

Please close this bug if a formal review is not needed.
We will need UX representation for this, as we are not so concerned with implementation but more with design.

:dveditz will act as lead for this
Assignee: nobody → curtisk
Status: NEW → ASSIGNED
Whiteboard: [pending secreview] → [pending secreview][sec lead:dveditz]
I invited Limi for this to represent UX; let me know if we need to get others.

Calendar entry:
https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=110473-110472&pstat=AC&exInvId=110473-164957&useInstance=1&instStartTime=1334779200000&instDuration=3600000

:dveditz
Update the required reading list for this review please
https://etherpad.mozilla.org/requiredreading
Assignee: curtisk → dveditz
Whiteboard: [pending secreview][sec lead:dveditz] → [secreview sched]
============================
https://bugzilla.mozilla.org/show_bug.cgi?id=744304
Item to be reviewed: New Identity Box Design
Link to calendar entry: https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=110473-110472&pstat=AC&exInvId=110473-164957&useInstance=1&instStartTime=1334779200000&instDuration=3600000
SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=744304
Security Lead: Dan Veditz
Required Reading List:
* https://bugzilla.mozilla.org/show_bug.cgi?id=742419
* https://bug742419.bugzilla.mozilla.org/attachment.cgi?id=612253
(If possible prefill this area for copying to the notes section of the review)
Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time]
- Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- What solutions/approaches were considered other than the proposed solution?
- Why was this solution chosen?
- Any security threats already considered in the design and why?
* Threat Brainstorming (30-40 minutes)
* Conclusions / Action Items (10-20 minutes)
=============================
I've moved the list of dependent bugs to bug 742419 since that bug covers the implementation of the feature. I think we can mark this bug as resolved now.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
No longer depends on: 747083, 747085, 747087, 747088, 747090, 747093
Resolution: --- → FIXED
This bug should not be closed or resolved until the follow-on bugs are also resolved. And those bugs block this bug from being closed out. We don't consider a review complete until all the action item bugs from said review are complete. I don't mind you changing the product and component of the bugs, but they should continue to block resolution of this bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [secreview sched] → [secreview complete][action items]
Do [secreview complete] and the sec-review-complete keyword mean different things?
At the moment yes, the whiteboard tag is to let me know that the meeting is done (I should come up with something better) and the keyword is the whole thing is done (action items etc).
Whiteboard: [secreview complete][action items] → [secreview complete][action items][start mm/dd/yyyy][target mm/dd/yyyy]
All dependencies on this security review have now been resolved. I'm marking this as resolved based on comment #7.
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED