Security/Reviews/SimplePushSrv
Item Reviewed

Simple Push Server

Target

ID | Summary | Priority | Status |
---|---|---|---|
897454 | SecReview: Simple Push Server | -- | RESOLVED |

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

Principal document: https://wiki.mozilla.org/WebAPI/SimplePush
Protocol spec: https://wiki.mozilla.org/WebAPI/SimplePush/Protocol

Review of system and wire protocol changes:
- System now uses "short" pongs consisting of a "{}" response to a "{}" ping.
- System uses the AWS-provided memcache lookup system.
- Due to Go SSL performance constraints, PUT updates moved to an ELB-fronted cluster.
  - Longer-lived socket connections remain on the principal servers.
- Message routing system created between servers.
- Simple reversible crypto used to discourage token associations.
  - Per the original security review/privacy discussions.
  - https://github.com/mozilla-services/pushgo/blob/master/src/mozilla.org/simplepush/crypt.go
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- SimplePush is a near data free method to remotely wake an application. This server is a means by which the client application can connect using secure websockets, and receive updates from the trusted third party server.
What solutions/approaches were considered other than the proposed solution?
- XMPP - (too heavyweight for current requirements)
- Thialfi - requires too much pre-existing backend storage
Why was this solution chosen?
- This solution provides the absolute minimum of useful information exchange in a method that is blind to the server.
Any security threats already considered in the design and why?
- PUT URLs require no authorization to send triggering events.
  - Not considered a threat, both because of the very large id space (an endpoint consists of 2 UUIDs lightly encrypted with AES and converted to a base64 string) and because endpoints are effectively disposable from the client's point of view (compromised endpoints can be easily discarded and a new endpoint created with minimal impact to the system).
Threat Brainstorming
- Use up the data usage limit on a phone by sending bogus push notifications for an app the user does not have.
  - Yes, if you can break the AES and guess the UUID for that device.
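As an added illustration of why unauthorized PUT URLs were accepted in the review above (this is not pushgo's crypt.go, whose exact layout the page does not give), the following Go sketch builds an endpoint token from two random UUIDs, AES-128-CBC-encrypts them under a server key with a fresh IV, and base64url-encodes the result; the PUT handler decodes the token and routes the update only if the channel is still registered to that device, so discarding an endpoint is just dropping its channel. The token layout, the `Registry` map standing in for the memcache lookup, and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Assumed token layout (example only, not pushgo's crypt.go):
//   token = base64url( iv[16] || AES-128-CBC(key, iv, uaid[16] || chid[16]) )
// Two UUIDs are exactly two AES blocks, so no padding is involved. The encryption
// hides which UAID an endpoint belongs to; it is not an authenticator. The right
// to trigger a channel rests on the channel id being unguessable and still registered.

const uuidLen = 16

var ErrBadToken = errors.New("push endpoint token is malformed")
var ErrUnknownChannel = errors.New("channel is not registered")

// Registry stands in for the memcache lookup: channel id -> owning UAID.
type Registry map[[uuidLen]byte][uuidLen]byte

// newRandomUUID returns a random (version 4) UUID as raw bytes.
func newRandomUUID() ([uuidLen]byte, error) {
	var u [uuidLen]byte
	if _, err := io.ReadFull(rand.Reader, u[:]); err != nil {
		return u, err
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version nibble = 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return u, nil
}

// looksLikeV4 checks version and variant bits; random ciphertext passes this for
// both halves with probability 2^-12, and then the registry lookup still has to succeed.
func looksLikeV4(u []byte) bool {
	return len(u) == uuidLen && u[6]&0xf0 == 0x40 && u[8]&0xc0 == 0x80
}

// EncodeEndpoint builds the opaque token that goes into the PUT URL.
func EncodeEndpoint(key []byte, uaid, chid [uuidLen]byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize+2*uuidLen)
	iv := buf[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil { // fresh IV: same ids never give the same token
		return "", err
	}
	plain := make([]byte, 2*uuidLen)
	copy(plain, uaid[:])
	copy(plain[uuidLen:], chid[:])
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf[aes.BlockSize:], plain)
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// DecodeEndpoint reverses EncodeEndpoint, rejecting anything of the wrong length
// or that does not decrypt to two well-formed UUIDs.
func DecodeEndpoint(key []byte, token string) (uaid, chid [uuidLen]byte, err error) {
	raw, derr := base64.RawURLEncoding.DecodeString(token)
	if derr != nil || len(raw) != aes.BlockSize+2*uuidLen {
		return uaid, chid, ErrBadToken
	}
	block, berr := aes.NewCipher(key)
	if berr != nil {
		return uaid, chid, berr
	}
	plain := make([]byte, 2*uuidLen)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(plain, raw[aes.BlockSize:])
	if !looksLikeV4(plain[:uuidLen]) || !looksLikeV4(plain[uuidLen:]) {
		return uaid, chid, ErrBadToken
	}
	copy(uaid[:], plain[:uuidLen])
	copy(chid[:], plain[uuidLen:])
	return uaid, chid, nil
}

// RouteUpdate is what a PUT handler would do: decode the token and wake the owning
// UAID only while the channel is registered to it. Discarding a compromised endpoint
// is just deleting its channel from the registry.
func RouteUpdate(key []byte, reg Registry, token string) ([uuidLen]byte, error) {
	uaid, chid, err := DecodeEndpoint(key, token)
	if err != nil {
		return uaid, err
	}
	if owner, ok := reg[chid]; !ok || owner != uaid {
		return [uuidLen]byte{}, ErrUnknownChannel
	}
	return uaid, nil
}

func main() {
	key := make([]byte, 16) // constructed demo key; a real server keeps this secret
	uaid, _ := newRandomUUID()
	chid, _ := newRandomUUID()
	reg := Registry{chid: uaid}
	tok, _ := EncodeEndpoint(key, uaid, chid)
	_, err := RouteUpdate(key, reg, tok)
	fmt.Println("token:", tok, "routes:", err == nil)
	delete(reg, chid) // client discards the endpoint
	_, err = RouteUpdate(key, reg, tok)
	fmt.Println("after discard:", err)
}
```

The encryption only stops two endpoints from being linked to the same device by inspection; a token that happens to decrypt to two well-formed UUIDs is still refused until the registry knows that channel under that UAID, which is where the "very large id space" argument from the review actually bites.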
Action Items

Action Item Status | Complete |
Release Target | |
Action Items | |