Closed Bug 831833 Opened 9 years ago Closed 9 years ago

Security Review for Simple Push Notification

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Assigned: curtisk)

Details

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][FxOS])

Initial Questions:

Project/Feature Name: Push Notification
Tracking  ID:
Description:
We are building an internet-scale, easy-to-use notification service based on Thialfi.  The Push Requirements include:

1) Easy-to-use content API
2) Guaranteed delivery of notifications
3) Data privacy / No disclosure of personally identifiable info to application
4) Push system internet scalability
 
Additional Information:
Thialfi:  http://research.google.com/pubs/pub37474.html
Mozilla's Spec:  https://wiki.mozilla.org/WebAPI/SimplePush
Urgency: 2-4 weeks
Key Initiative: Firefox OS
Release Date: 2013-06-30
Project Status: development
Mozilla Data: No
New or Change: New
Mozilla Project: none
Mozilla Related: FxOS, WebRTC
Separate Party: No

Security Review Questions:

Affects Products:
Review Due Date: 
Review Invitees: 
Extra Information:
need this info 
(In reply to Curtis Koenig [:curtisk] from comment #0)
> Security Review Questions:
> 
> Affects Products:
> Review Due Date: 
(date you all would like to do the review, if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html)
> Review Invitees: 
who from you all needs to be there
> Extra Information: 
anything else?
Flags: needinfo?(jrconlin)
> who from you all needs to be there

we should also invite jlebar
So jlebar, dougt and jrconlin, now what date works for you all?
I'm free anytime except Mondays 2p Pacific and every other Tuesday at 2p Pacific (1/22 is an on day).

I'm on Eastern time, but I don't mind a late-ish meeting if that's what works for everyone else.
We have Mon/Wed at 1pm PST/4PM EST or Thu/Fri 10am PST/1PM PST... I think a Mon or Wed would be best to get all the "mobile" guys from our team
How does Wed 6th 1PM PST work for everyone?

It would also be really helpful for me to talk to someone prior to the security review, as I am struggling to gain a complete picture of data flows from the existing documentation.

What I have currently, with questions, is here: https://etherpad.mozilla.org/n1f1znLCQh . Please correct/answer questions if you can. Or ping me (pauljt) if it's easier to explain in person.
dougt and I will be in London that week; 1 PST is late in the evening over there.  I don't necessarily have a problem with the lateness, but I've had really bad experiences in the past trying to connect to meetings over hotel networks.
(In reply to Paul Theriault [:pauljt] from comment #6)
> 
> What I have currently, with questions is here:
> https://etherpad.mozilla.org/n1f1znLCQh . Please correct/answer questions if
> you can. Or ping me (pauljt) if it's easier to explain in person.

I've tried to answer the questions and provide as much insight as I can. 

Thanks!
Flags: needinfo?(jrconlin)
(In reply to Justin Lebar [:jlebar] from comment #7)
> dougt and I will be in London that week; 1 PST is late in the evening over
> there.  I don't necessarily have a problem with the lateness, but I've had
> really bad experiences in the past trying to connect to meetings over hotel
> networks.

This feature seems less urgent to review than basecamp stuff, so maybe we can leave it till the week afterwards. (Getting Europe, Australia & US at the same time is really only possible in the evening Europe time, unless I get up at 3am.) (Or I can get someone from the sec team in the US if it is urgent.)

So how about 13th at 1pm PST? 

PS JR, thanks for the info, I'll review and come back to you if I need more.
> So how about 13th at 1pm PST? 

WFM.
WFM.
Meeting Details: 
* Wed 13-Feb 2013, 13:00 PST 
* Where: 
- MTV: 3V - Very Good Very Mighty 
- SFO: Golden Gate Bridge 
- Vidyo(9710) secreview [https://v.mozilla.com/flex.html?roomdirect.html&key=EEtiuXn8C5EP] 

* IRC Channel: #security 

* Etherpad: http://etherpad.mozilla.com/secreview 

* Dial-in Info (phone): 
- In office or soft phone: extension 92 
- US/INTL: 650-903-0800 or 650-215-1282 then extension 92 
- Toronto: 416-848-3114 then extension 92 
- Toll-free: 800-707-2533 then password 369 
- Conference num 99710 

Items to be reviewed: 
https://bugzilla.mozilla.org/show_bug.cgi?id=831833 

Agenda: 
* Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time] 
- Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) 
- What solutions/approaches were considered other than the proposed solution? 
- Why was this solution chosen? 
- Any security threats already considered in the design and why? 
* Threat Brainstorming (30-40 minutes) 
* Conclusions / Action Items (10-20 minutes)
Assignee: nobody → curtisk
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Summary: Security Review for Push Notification → Security Review for Simple Push Notification
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][FxOS]