Line 110: | Line 110: | ||
* '''Action:''' We should have the user fill out or pick a client name. User doesn't realize that they are sharing this information to us. Also affects the Privacy Policy. If this information is actually not useful to us, then we should encrypt it. | * '''Action:''' We should have the user fill out or pick a client name. User doesn't realize that they are sharing this information to us. Also affects the Privacy Policy. If this information is actually not useful to us, then we should encrypt it. | ||
* '''Action:''' IV should be stored along side the record and should be changed every time the record is changed. | * '''Action:''' IV should be stored along side the record and should be changed every time the record is changed. | ||
* '''Action:''' Document the Weave crypto stuff really well and have a hacker challenge to see if people can break it. | |||
* '''Action:''' We need to have exponential backoff for authentication failures. | |||
* '''Action:''' When downloading keys from the server, the client should generate the public key from the private instead of using what it just got. | |||
* '''Action:''' NIST is encouraging people get away from 2k keys by the end of 2010. |
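Review bot: The last item, on NIST and 2k keys, is tagged as an Action but states no action: it does not say which Weave keys are affected or what key size to move to. Suggest rewording it as a concrete task with an owner and a target size. The item on downloading keys ("the client should generate the public key from the private instead of using what it just got") would also benefit from saying what the client does when the derived public key differs from the one the server returned, and the exponential backoff item should state whether the backoff is enforced by the server, the client, or both.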