Closed
Bug 862828
Opened 11 years ago
Closed 10 years ago
Security Review: Mozilla Location Service
Categories
(mozilla.org :: Security Assurance: Review Request, task)
mozilla.org
Security Assurance: Review Request
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dougt, Assigned: st3fan)
References
Details
(Whiteboard: [pending secreview][start 2014-03-23][target 2014-04-30][Web])
Initial Questions: Project/Feature Name: CellID Service Tracking ID: Description: Client bits: https://bugzilla.mozilla.org/show_bug.cgi?id=837987 (no collection included, but we will be adding that soon. Service bits: https://github.com/andreasgal/celldb-server The background is that we want to provide a set of B2G phones with the ability to find themselves and improve GPS aquisition time by using a mozilla hosted service based on opencellid. We will collect data from the devices to improve the service. Legal is involved (denelle dixon-thayer). Additional Information: Urgency: 2 days Key Initiative: Firefox OS Release Date: 2013-04-19 Project Status: ready Mozilla Data: Yes New or Change: New Mozilla Project: General Mozilla Related: Separate Party: No Security Review Questions: Affects Products: Yes Review Due Date: 2013-04-19 Review Invitees: doug.turner@gmail.com Extra Information:
Reporter | ||
Updated•11 years ago
|
Flags: sec-review?
Updated•11 years ago
|
Updated•11 years ago
|
Assignee: nobody → sarentz
Flags: sec-review?
Whiteboard: [triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Updated•11 years ago
|
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web]
Assignee | ||
Updated•11 years ago
|
Assignee: sarentz → nobody
Updated•10 years ago
|
Flags: sec-review?(yboily)
Updated•10 years ago
|
Assignee: nobody → yboily
Comment 1•10 years ago
|
||
Update title, removed irrelevant bug. The project needs to go through the actual process soon.
No longer blocks: 837987
Summary: Security Review: CellID Service → Security Review: Mozilla Location Service
Assignee | ||
Comment 2•10 years ago
|
||
Hanno, what exactly needs to be reviewed here? The service bits that are linked to look like a proof of concept that have not been touched in almost a while. Not sure what to exactly look at.
Flags: needinfo?(hschlichting)
Comment 3•10 years ago
|
||
Yeah, sorry. The bug is outdated. The relevant project pages these days are: https://wiki.mozilla.org/CloudServices/Location https://location.services.mozilla.com/ http://mozilla-ichnaea.readthedocs.org/en/latest/ https://github.com/mozilla/ichnaea/ There's also a standalone MozStumbler application, code in FxOS and Fennec, but I'd consider those outside the scope for this bug and concentrate on the service side. This project has silently changed from being an experiment into something real and so side-stepped due process. This bug is a reminder that we need to look at the security side, before we actually use this in real FxOS devices in the summer timeframe. I'm on vacation next week, and a cloud services team meetup the week after in/near Mountain View. What's the best way forward? Schedule a meeting and talk about scope, what we need to document/provide for you?
Flags: needinfo?(hschlichting)
Assignee | ||
Comment 4•10 years ago
|
||
Yes, lets define the scope first. If you request a code and API review then I want to suggest to split it up in separate reviews for the server-side parts and the client parts.
Assignee | ||
Updated•10 years ago
|
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Web] → [pending secreview][start yyyy-mm-dd][target 2014-04-30][Web]
Assignee | ||
Updated•10 years ago
|
Assignee: yboily → sarentz
Assignee | ||
Comment 5•10 years ago
|
||
Hanno and I had a discussion. I will be working on the server side part of this review. I've asked :pauljt to file a similar bug for the Firefox OS side of things. (But maybe he already has this covered) I set the target date of the review to end of April.
Assignee | ||
Updated•10 years ago
|
Whiteboard: [pending secreview][start yyyy-mm-dd][target 2014-04-30][Web] → [pending secreview][start 2014-03-23][target 2014-04-30][Web]
Assignee | ||
Comment 6•10 years ago
|
||
My initial review comments are online at https://wiki.mozilla.org/Mozilla_Location_Services_Security_Review This is a pretty standard and well written application and I have no major concerns. Let's have a quick chat about my findings after the services work week.
Comment 7•10 years ago
|
||
Thanks for the very timely review on such short notice! I've opened a new bug to track the SQL injection point at https://github.com/mozilla/ichnaea/issues/164. API key support is intentionally weak, the next follow-up bug is https://github.com/mozilla/ichnaea/issues/140. Once 140 is done, we should only log and send known keys to heka. That should address the concern of sending arbitrary user-supplied data to the backend. As for rate limiting per IP/user: We don't have a real plan yet. The next step on this is to define what we consider acceptable use and come up with terms of service. We don't yet know how much traffic we'll get. And how much of it will come from very few IP addresses in the form of mobile provider / internet gateways. Practically speaking we are also waiting for the abuse detection work to make progress for Firefox Accounts. Hopefully we can share some of the same approaches for the location project.
Assignee | ||
Comment 8•10 years ago
|
||
Hanno are you ok with closing this review bug?
Flags: needinfo?(hschlichting)
Comment 9•10 years ago
|
||
The review is done. We have issues to track the remaining review comments, so I think this can be closed. Much thanks!
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hschlichting)
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•