Security/Reviews/SimplePushSrv
From MozillaWiki
Please use "Edit with form" above to edit this page.
Item Reviewed
| Simple Push Server | |||||||||
| Target |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
protocol spec: https://wiki.mozilla.org/WebAPI/SimplePush/Protocol Review of system and wire protocol changes.
|
||||||||
The given value "
| ID | Summary | Priority | Status |
|---|---|---|---|
| 897454 | SecReview: Simple Push Server | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
principal document:
https://wiki.mozilla.org/WebAPI/SimplePush
protocol spec: https://wiki.mozilla.org/WebAPI/SimplePush/Protocol
Review of system and wire protocol changes.
- System now uses "short" pongs consisting of "{}" response to a "{}" ping.
- System uses AWS provided memcache lookup system
- Due to Go SSL performance constraints, PUT updates moved to ELB fronted cluster
- longer lived socket connections remain on principle servers.
- message routing system created between servers.
- Simple reversable crypto used to discourage token associations
- Per original sec review/privacy discussions
- https://github.com/mozilla-services/pushgo/blob/master/src/mozilla.org/simplepush/crypt.go" contains strip markers and therefore it cannot be parsed sufficiently.
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- SimplePush is a near data free method to remotely wake an application. This server is a means by which the client application can connect using secure websockets, and receive updates from the trusted third party server.
What solutions/approaches were considered other than the proposed solution?
- XMPP - (too heavyweight for current requirements)
- Thialfi - requires too much pre-existing backend storage
Why was this solution chosen?
- This solution provides the absolute minimum of useful information exchange in a method that is blind to the server.
Any security threats already considered in the design and why?
- PUT URLs require no authorization to send triggering events.
- not considered a threat both because of the very large id space (an endpoint consists of 2 UUIDs lightly encypted with AES and convered to a base64 string) and the fact that endpoints are effectively disposable from the client point of view. (compromised endpoints can be easily discarded and a new endpoint can be created with minimal impact to the system.)
Threat Brainstorming
- use up data usage limit on a phone by sending bogus push notification for an app the user does not have
- yes if you can break the AES and guess the UUID for that device
- Property "SecReview feature goal" (as page type) with input value "* https://wiki.mozilla.org/WebAPI/SimplePush
- SimplePush is a near data free method to remotely wake an application. This server is a means by which the client application can connect using secure websockets, and receive updates from the trusted third party server." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
- Property "SecReview alt solutions" (as page type) with input value "* XMPP - (too heavyweight for current requirements)
- Thialfi - requires too much pre-existing backend storage" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
- Property "SecReview threats considered" (as page type) with input value "* PUT URLs require no authorization to send triggering events.
- not considered a threat both because of the very large id space (an endpoint consists of 2 UUIDs lightly encypted with AES and convered to a base64 string) and the fact that endpoints are effectively disposable from the client point of view. (compromised endpoints can be easily discarded and a new endpoint can be created with minimal impact to the system.)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
- Property "SecReview threat brainstorming" (as page type) with input value "* use up data usage limit on a phone by sending bogus push notification for an app the user does not have
- yes if you can break the AES and guess the UUID for that device" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
Action Items
| Action Item Status | Complete |
| Release Target | ` |
| Action Items | |
| ' | |
