Labs/Weave/Sync Client Security Review: Difference between revisions

Overview

Synchronize your bookmarks, history, tabs and passwords wherever you go. Whether you use Firefox on your phone, laptop, or desktop, securely access all your data.

Background links

• https://mozillalabs.com/weave/
• https://hg.mozilla.org/labs/weave/
• https://addons.mozilla.org/en-US/firefox/addon/10868

Security and Privacy

• Is this feature a security feature? If it is, what security issues is it intended to resolve?
  • Securely sync data across browser profiles by encrypting and storing data on Weave servers
• What potential security issues in your feature have you already considered and addressed?
  • Encrypting data that requires a passphrase that only the user knows to unlock
• Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
• Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
  • Data/actions are generated on the client but stored on the server, so how the server responds with what can change the behavior (e.g., missing data)
• How are transitions in/out of Private Browsing mode handled?
  • Sync is disabled during private browsing and reschedules on exit

Exported APIs

• Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
  • JSMs: there's a number of modules that get imported into the service/UI
    • Service: main entry point to connect and control sync behavior
    • Engines: tracks active engines registered with Weave and provides an abstract base class to implement engines
    • Storage: wrapper around Firefox's implementation of various data storage
    • Tracker: hooks into various notifications for detecting data change
    • Resource/Auth/Identity: handles network communications
  • Firefox status bar: allows triggering sync and connect
  • Firefox pref pane: configure what data to sync to which account
  • Firefox tabs view: view and open tabs from other profiles in a menu
  • Fennec pref pane: connect and sync
  • Fennec tabs view: view and open tabs from content space
• Does it interoperate with a web service? How will it do so?
  • https://wiki.mozilla.org/Labs/Weave/API storage/user APIs
• Explain the significant file formats, names, syntax, and semantics.
  • JSON: local temporary storage (changes, to fetch)
• Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
  • https://wiki.mozilla.org/Labs/Weave/Developer
• Does it change any existing interfaces?
  • Extra data is stored using existing annotation interfaces

Module interactions

• What other modules are used (REQUIRES in the makefile, interfaces)?
  • NSS: WeaveCrypto
  • Places: Bookmarks/History
  • LoginManager: Passwords
  • FormHistory: autofill data
  • Browser/Sessionstore: Open tabs
  • Prefs: some preferences synced

Data

• What data is read or parsed by this feature?
  • Records from the server are stored as WBO (weave basic object) with encrypted JSON payloads that are specific to the particular data synced
• What is the output of this feature?
  • Profile data recreated on another profile, e.g., bookmarks and history
• What storage formats are used?
  • JSON for talking to the server as well as local caching
  • Prefs with simple values (int/bool/string) for basic local storage

Reliability

• What failure modes or decision points are presented to the user?
  • Account creation: username check, password/passphrase strength, captcha
  • Login: username/password/passphrase failures
  • Sync direction: choose to merge/wipe data locally/wipe all other machines
  • Sync: notifications are shown based on the type of failure to do nothing (auto-retry) or present actions (e.g., upgrade add-on)
• Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
  • Potentially some data might get lost if it was in the process of being downloaded, but it'll refetch at a later time when the data updates
  • Data to be uploaded are cached by GUID on disk to persist across crash/restarts

Configuration

• Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Pref pane controls what data gets synced and which account is logged in
  • about:config contains other prefs that the service uses for data storage like logging levels, when to sync, server urls, prefs to sync
  • Password/passphrase are stored with the password manager
• Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • Packaging for dev/amo channels (sets update url)
  • Rebuilding crypto library
• What ranges for the tunable are appropriate? How are they determined?
  • Sync intervals depend on the makeup of clients connected (desktop? mobile? how many?)
• What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
  • Update urls/updated landing page

Relationships to other projects

Are there related projects in the community?

• If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
• Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
  • various data providers, e.g., Places, have updated their interfaces to better support Weave with better notifications and annotations/guids

Review comments