Closed Bug 862828 Opened 11 years ago Closed 10 years ago

Security Review: Mozilla Location Service

Categories

(mozilla.org :: Security Assurance: Review Request, task)

RESOLVED FIXED

People

(Reporter: dougt, Assigned: st3fan)

Details

(Whiteboard: [pending secreview][start 2014-03-23][target 2014-04-30][Web])

Initial Questions:

Project/Feature Name: CellID Service
Tracking  ID:
Description:

Client bits:
https://bugzilla.mozilla.org/show_bug.cgi?id=837987 (no collection included, but we will be adding that soon).

Service bits:
https://github.com/andreasgal/celldb-server

The background is that we want to provide a set of B2G phones with the ability to find themselves and improve GPS acquisition time by using a mozilla hosted service based on opencellid.  We will collect data from the devices to improve the service.  Legal is involved (denelle dixon-thayer).
Additional Information:

Urgency: 2 days
Key Initiative: Firefox OS
Release Date: 2013-04-19
Project Status: ready
Mozilla Data: Yes
New or Change: New
Mozilla Project: General
Mozilla Related: 
Separate Party: No

Security Review Questions:

Affects Products: Yes
Review Due Date: 2013-04-19
Review Invitees: doug.turner@gmail.com
Extra Information:
Flags: sec-review?
Blocks: 837987
Group: mozilla-corporation-confidential
Whiteboard: [triage needed]
Assignee: nobody → sarentz
Flags: sec-review?
Whiteboard: [triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web]
Assignee: sarentz → nobody
Flags: sec-review?(yboily)
Assignee: nobody → yboily
Update title, removed irrelevant bug. The project needs to go through the actual process soon.
No longer blocks: 837987
Summary: Security Review: CellID Service → Security Review: Mozilla Location Service
Hanno, what exactly needs to be reviewed here? The service bits that are linked to look like a proof of concept that have not been touched in almost a while. Not sure what to exactly look at.
Flags: needinfo?(hschlichting)
Yeah, sorry. The bug is outdated. The relevant project pages these days are:

https://wiki.mozilla.org/CloudServices/Location
https://location.services.mozilla.com/
http://mozilla-ichnaea.readthedocs.org/en/latest/
https://github.com/mozilla/ichnaea/

There's also a standalone MozStumbler application, code in FxOS and Fennec, but I'd consider those outside the scope for this bug and concentrate on the service side.

This project has silently changed from being an experiment into something real and so side-stepped due process. This bug is a reminder that we need to look at the security side, before we actually use this in real FxOS devices in the summer timeframe.

I'm on vacation next week, and a cloud services team meetup the week after in/near Mountain View. What's the best way forward? Schedule a meeting and talk about scope, what we need to document/provide for you?
Flags: needinfo?(hschlichting)
Yes, let's define the scope first. If you request a code and API review then I want to suggest to split it up in separate reviews for the server-side parts and the client parts.
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web] → [pending secreview][start yyyy-mm-dd][target 2014-04-30][Web]
Assignee: yboily → sarentz
Hanno and I had a discussion.

I will be working on the server side part of this review.

I've asked :pauljt to file a similar bug for the Firefox OS side of things. (But maybe he already has this covered)

I set the target date of the review to end of April.
Whiteboard: [pending secreview][start yyyy-mm-dd][target 2014-04-30][Web] → [pending secreview][start 2014-03-23][target 2014-04-30][Web]
My initial review comments are online at

https://wiki.mozilla.org/Mozilla_Location_Services_Security_Review

This is a pretty standard and well written application and I have no major concerns. Let's have a quick chat about my findings after the services work week.
Thanks for the very timely review on such short notice!

I've opened a new bug to track the SQL injection point at https://github.com/mozilla/ichnaea/issues/164.

API key support is intentionally weak, the next follow-up bug is https://github.com/mozilla/ichnaea/issues/140. Once 140 is done, we should only log and send known keys to heka. That should address the concern of sending arbitrary user-supplied data to the backend.

As for rate limiting per IP/user: We don't have a real plan yet. The next step on this is to define what we consider acceptable use and come up with terms of service. We don't yet know how much traffic we'll get. And how much of it will come from very few IP addresses in the form of mobile provider / internet gateways.

Practically speaking we are also waiting for the abuse detection work to make progress for Firefox Accounts. Hopefully we can share some of the same approaches for the location project.
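An added illustration of the "only log and send known keys" approach from the comment above. It is not ichnaea's code and not part of the original thread. The key allowlist, the `key` query parameter, the `search.api_key.` metric prefix and the in-memory `Counter` standing in for the metrics backend are all assumptions.

```python
from collections import Counter

# Constructed sample allowlist; a real service would load this from its key store.
KNOWN_API_KEYS = frozenset({"test-key-fxos", "test-key-stumbler"})

# Fixed labels for every request that does not present a known key.
NO_KEY = "none"
UNKNOWN_KEY = "invalid"


def metric_label(supplied_key, known_keys=KNOWN_API_KEYS):
    """Map a user-supplied API key to a label that is safe to log.

    Only values on the allowlist are passed through; everything else
    collapses to one of two constants, so no request-controlled string
    can reach the metrics backend.
    """
    if supplied_key is None or supplied_key == "":
        return NO_KEY
    if isinstance(supplied_key, str) and supplied_key in known_keys:
        return supplied_key
    return UNKNOWN_KEY


def record_request(sink, query_params):
    """Count one request under a bounded metric name (hypothetical prefix)."""
    label = metric_label(query_params.get("key"))
    sink["search.api_key." + label] += 1
    return label


def demo():
    """Run constructed requests through the filter and return the counters."""
    sink = Counter()  # stand-in for the real metrics backend
    requests = [
        {"key": "test-key-fxos"},
        {"key": "test-key-fxos"},
        {},                                # no key supplied
        {"key": "x" * 4096},               # oversized value
        {"key": "bogus\nfake-log-line"},   # embedded newline
        {"key": ["test-key-fxos"]},        # repeated parameter parsed as a list
    ]
    for params in requests:
        record_request(sink, params)
    return sink
```

The number of distinct metric names is bounded by the allowlist size plus two, regardless of what clients send.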
Hanno are you ok with closing this review bug?
Flags: needinfo?(hschlichting)
The review is done. We have issues to track the remaining review comments, so I think this can be closed.

Much thanks!
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hschlichting)
Resolution: --- → FIXED