Services/Sync/Features/MigrateToDigestAuth: Difference between revisions
No edit summary |
No edit summary |
||
| Line 7: | Line 7: | ||
{{FeatureTeam}} | {{FeatureTeam}} | ||
{{FeaturePageBody | {{FeaturePageBody | ||
|Feature open issues and risks=Cleartext username/pass sent through BasicAuth will put sync-keys (and therefore sync data) at risk when we start storing sync-keys on a sync-key server. | |||
|Feature overview=Sync web servers receive username/pass in cleartext (BasicAuth) before using them in LDAP/mySQL. Will be a problem when we store sync-keys protected by username/pass, because access to Sync web servers will be point of vulnerability. | |||
|Feature users and use cases=When sync-keys are stored on a sync-key server, if attackers gain control of Sync web servers they will have access to username/pass in cleartext, use credentials to access sync-key, and then unencrypt user data stored on Sync web servers. | |||
|Feature implementation notes=* https://bugzilla.mozilla.org/show_bug.cgi?id=445757 | |Feature implementation notes=* https://bugzilla.mozilla.org/show_bug.cgi?id=445757 | ||
}} | }} | ||
Revision as of 21:54, 30 August 2011
Status
| Migrate from Basic Auth | |
| Stage | Draft |
| Status | In progress |
| Release target | ` |
| Health | OK |
| Status note | ` |
{{#set:Feature name=Migrate from Basic Auth
|Feature stage=Draft |Feature status=In progress |Feature version=` |Feature health=OK |Feature status note=` }}
Team
| Product manager | ` |
| Directly Responsible Individual | ` |
| Lead engineer | ` |
| Security lead | ` |
| Privacy lead | ` |
| Localization lead | ` |
| Accessibility lead | ` |
| QA lead | ` |
| UX lead | ` |
| Product marketing lead | ` |
| Operations lead | ` |
| Additional members | ` |
{{#set:Feature product manager=`
|Feature feature manager=` |Feature lead engineer=` |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}
Open issues/risks
Cleartext username/pass sent through BasicAuth will put sync-keys (and therefore sync data) at risk when we start storing sync-keys on a sync-key server.
Stage 1: Definition
1. Feature overview
Sync web servers receive username/pass in cleartext (BasicAuth) before using them in LDAP/mySQL. Will be a problem when we store sync-keys protected by username/pass, because access to Sync web servers will be point of vulnerability.
2. Users & use cases
When sync-keys are stored on a sync-key server, if attackers gain control of Sync web servers they will have access to username/pass in cleartext, use credentials to access sync-key, and then unencrypt user data stored on Sync web servers.
3. Dependencies
`
4. Requirements
`
Non-goals
`
Stage 2: Design
5. Functional specification
`
6. User experience design
`
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
Stage 5: Release
10. Landing criteria
` {{#set:Feature open issues and risks=Cleartext username/pass sent through BasicAuth will put sync-keys (and therefore sync data) at risk when we start storing sync-keys on a sync-key server. |Feature overview=Sync web servers receive username/pass in cleartext (BasicAuth) before using them in LDAP/mySQL. Will be a problem when we store sync-keys protected by username/pass, because access to Sync web servers will be point of vulnerability. |Feature users and use cases=When sync-keys are stored on a sync-key server, if attackers gain control of Sync web servers they will have access to username/pass in cleartext, use credentials to access sync-key, and then unencrypt user data stored on Sync web servers. |Feature dependencies=` |Feature requirements=` |Feature non-goals=` |Feature functional spec=` |Feature ux design=` |Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=` |Feature implementation notes=* https://bugzilla.mozilla.org/show_bug.cgi?id=445757 |Feature landing criteria=` }}
Feature details
| Priority | P2 |
| Rank | 999 |
| Theme / Goal | ` |
| Roadmap | Sync |
| Secondary roadmap | ` |
| Feature list | Services |
| Project | ` |
| Engineering team | Sync |
{{#set:Feature priority=P2
|Feature rank=999 |Feature theme=` |Feature roadmap=Sync |Feature secondary roadmap=` |Feature list=Services |Feature project=` |Feature engineering team=Sync }}
Team status notes
| status | notes | |
| Products | ` | ` |
| Engineering | ` | ` |
| Security | ` | ` |
| Privacy | ` | ` |
| Localization | ` | ` |
| Accessibility | ` | ` |
| Quality assurance | ` | ` |
| User experience | ` | ` |
| Product marketing | ` | ` |
| Operations | ` | ` |
{{#set:Feature products status=`
|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=` |Feature security health=` |Feature security notes=` |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}