Shared Password Management Web Application

Status: RESOLVED INVALID
Opened 6 years ago; last updated 20 days ago

Reporter: ygjb (Unassigned, Mentored)
Whiteboard: [mentorship][lang=python]

Description (Reporter)

6 years ago
Description: Build a secure web application for managing access to passwords that must be shared across individuals and teams.

Mentor: Joe Stevensen

Duration: 200 hours

Requirements: Python web application development skills, understanding of gpg and data encryption

Goals:
Build a web application that allows secure storage of passwords. The application would allow a password's owner(s) to grant/revoke per-user access to various passwords. Passwords must be encrypted using gpg. Server should (almost) never see the passwords.
Updated (Reporter)

6 years ago
Whiteboard: [mentorship] → [mentorship][mentor=jstevensen@mozilla.com][lang=python]

Comment 1

6 years ago
Hi,

I am interested in working on this; however, I do not know python or gpg. Can I learn them on the go? I have fixed some bugs on bugzilla and know how to learn things on my own.
Comment 2 (Reporter)

6 years ago
Hi Zeyu, I sent you an email to follow up on this!
Comment 3

Hi Yvan, I am also interested in this project and I've sent you the application :)

Comment 4

IIRC, there are javascript libraries for GPG, so it's possible that the (almost) in "(almost) never" could be removed, and some form of clientside storage used for the GPG keys, leaving the serverside application with no means at all to decrypt.

Comment 5

I don't mean to offend, but there are quite a few reasons why (as with the current state of browsers) crypto in the DOM is a really, really bad idea. This blog post lists a few of the concerns: http://www.matasano.com/articles/javascript-cryptography/

Although it is indeed a nice idea to do something on the client and only work with ciphertexts on the webserver, the web is not quite there yet. This setup would be great if it were used in something other than browsers ;)

Comment 6

I think the article :freddyb posted makes a lot of sense.
And most of the concerns pointed out are valid.
To make the crypto system secure, one would probably have to build the entire system as part of the core browser code itself so that it is not susceptible to the pitfalls pointed out in the article.
Comment 7 (Reporter)

6 years ago
The initial pass for the app would likely leverage existing JS crypto libraries, but with input from our security engineering team on how to structure things to leverage the upcoming html5 crypto apis.

Bottom line, js crypto has weaknesses, but that becomes a discussion of risk acceptance and risk management before we make a go/no-go decision.

Comment 8

6 years ago
Hi,
I have no prior experience working, but I am good at Java. I am interested in working on this; however, I don't know python, but I am willing to learn.
Or can you suggest something for a newbie to work on? I tried looking at the bugs for beginners but couldn't find anything to work on.

Comment 9

This project screams FirefoxOS to me, or rather a Password Management Web App that runs on all WebRT platforms. Just a thought. Actually mobile in general really, where the security of data at rest is at increased risk.

Comment 10

Interesting and very relevant paper (what not to do!): http://moscova.inria.fr/~karthik/pubs/host_proof_woot12.pdf

Comment 11

Saw this on hacker news -- https://yithlibrary.herokuapp.com/
"""Yith Library is an online password manager. It will help you to keep your secrets under control in a secure and easy way. Your online data is too valuable to avoid protecting it seriously."""

Might be useful to check out?

Comment 12

Hi Yvan,
The Mentee assigned to this project is Chen Zeyu. Could you assign it to him?
Azzeddine

Comment 13

6 years ago
Is this a [good first bug]? I am willing to take it up if someone can mentor. Disclaimer: Newbie, self-taught Python enthusiast from India. No experience developing web apps so this is going to be a first (if not already assigned).

Comment 14

(In reply to Rahul Nair from comment #13)
> is this a [good first bug]. I am willing to take it up if someone can
> mentor. Disclaimer: Newbie, self taught Python enthusiast from India. No
> experience developing web apps so this is going to be a first (if not
> already assigned).

This is not a first bug; this is part of our mentorship program (https://wiki.mozilla.org/Security/Mentorship). We appreciate your interest, but a mentee has been assigned for this bug already (comment 12). If you have an interest in our mentorship program, please check out the wiki and submit an application.
Mentor: jstevensen
Whiteboard: [mentorship][mentor=jstevensen@mozilla.com][lang=python] → [mentorship][lang=python]

Comment 15

Can I make this in angular js and node js?
Just curious

Comment 16

21 days ago
Hi, I would like to work on this
Comment 17

(In reply to Hariom Verma from comment #16)
> Hi, I would like to work on this

This bug is really old, and no longer relevant - it probably should have been closed a long time ago. If you want to find out more about Mozilla's current infosec activities (and potentially find ways to contribute) I'd suggest starting with https://infosec.mozilla.org/. Another good place to find places to contribute is https://github.com/mozilla - lots of projects there, where you might ask where to contribute.

If you specifically want to work on password related features, I'd suggest taking a look at Lockbox (https://lockbox.firefox.com/). There are contribution guides available for the iOS app and Android app (which are the two actively developed features as of the time of writing):
 - https://mozilla-lockbox.github.io/lockbox-ios/contributing/
 - https://mozilla-lockbox.github.io/lockbox-android/contributing/
Status: NEW → RESOLVED
Last Resolved: 21 days ago
Resolution: --- → INVALID

Comment 18

20 days ago
(In reply to Paul Theriault [:pauljt] from comment #17)

Thank you.