Security/Reviews/Firefox/AddOnSync
From MozillaWiki
- Items to be reviewed
Introduce Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- sync add-ons between sync enabled devices
- xpi extensions and themes from AMO in profile directory for initial version
- in JS in sync, running as chrome priv
- different devices may run different versions of Firefox
- it still tries to install the add-on
- no explicit UX for any part of this - the user is not prompted
- later to support all add-ons, out of scope for this review
- this will apply to all add-ons, fully reviewed and partially reviewed
- this feature does not sync across device types (e.g. desktop -> mobile)
- later addition
- sync of add-on state (local resources, prefs, etc) is not in initial feature
- the add-on's "enabled" state is synced.
- only the add-on ID and metadata (client ID, platform ID, etc.) are synced -> passed to the add-ons manager API -> which fetches the XPI from AMO
- add-on version isn't synced
- there's a sync preference / check box to opt out of this
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
Any security threats already considered in the design and why?
(from feature page https://wiki.mozilla.org/Services/Sync/Addon_Sync )
- The feature follows the same security model as other sync engines: add-on records are encrypted using the Sync Key and the IDs for each add-on are randomly generated.
- For the initial feature drop, synchronized add-ons will be limited to:
- XPI extensions or themes
- from the same application ID as other Sync profiles
- installed in the profile directory
- installed explicitly by the user (those put in the profile directory by nefarious applications will be ignored - !addon.foreignInstall)
- installed from addons.mozilla.org
- In the implementation, the hostname is defined by a preference. The default value is *addons.mozilla.org*
- This is the first component of Sync which will indirectly communicate with a non-Sync server (addons.mozilla.org). Sync will be talking with it via the AddonRepository JS APIs (over HTTPS). Sync assumes those APIs are doing the proper things to secure against MITM attacks, etc.
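The eligibility rules above (XPI extension or theme, profile directory, not a foreign install, sourced from the preference-defined host, and same application ID on the receiving side) modelled as plain filter functions over constructed records. This is an added example, not code from Firefox Sync or the Add-ons Manager; the field names `type`, `scope`, `foreignInstall`, `sourceURI` and `applicationID` are assumptions standing in for the real record fields.

```javascript
// Trusted host is a preference in the review; the default value is modelled here.
const DEFAULT_TRUSTED_HOST = "addons.mozilla.org";
const SYNCABLE_TYPES = new Set(["extension", "theme"]);
const SCOPE_PROFILE = "profile"; // stands in for the profile-directory install scope

// True only when sourceURI parses, uses https, and its host equals the trusted
// host exactly. Parsing instead of substring-matching means a lookalike host
// such as "addons.mozilla.org.evil.example" does not pass.
function isFromTrustedHost(sourceURI, trustedHost = DEFAULT_TRUSTED_HOST) {
  let url;
  try {
    url = new URL(sourceURI);
  } catch (e) {
    return false; // unparsable or missing source: never syncable
  }
  return url.protocol === "https:" && url.hostname === trustedHost.toLowerCase();
}

// Outbound filter: is this locally installed add-on eligible to be uploaded?
function isSyncableAddon(addon, trustedHost = DEFAULT_TRUSTED_HOST) {
  return SYNCABLE_TYPES.has(addon.type) &&
    addon.scope === SCOPE_PROFILE &&
    addon.foreignInstall === false && // placed in the profile by another program
    isFromTrustedHost(addon.sourceURI, trustedHost);
}

// Inbound filter: a record from another device only triggers an install here
// when it names an add-on ID and targets this client's application ID.
function shouldApplyRecord(record, localApplicationID) {
  return typeof record.addonID === "string" && record.addonID.length > 0 &&
    record.applicationID === localApplicationID;
}

// Constructed sample add-ons (IDs and URLs are made up for the example).
const sampleAddons = [
  { id: "ok@example.test", type: "extension", scope: SCOPE_PROFILE, foreignInstall: false,
    sourceURI: "https://addons.mozilla.org/firefox/downloads/file/1/ok.xpi" },
  { id: "foreign@example.test", type: "extension", scope: SCOPE_PROFILE, foreignInstall: true,
    sourceURI: "https://addons.mozilla.org/firefox/downloads/file/2/f.xpi" },
  { id: "lookalike@example.test", type: "theme", scope: SCOPE_PROFILE, foreignInstall: false,
    sourceURI: "https://addons.mozilla.org.evil.example/t.xpi" },
  { id: "plugin@example.test", type: "plugin", scope: SCOPE_PROFILE, foreignInstall: false,
    sourceURI: "https://addons.mozilla.org/p.xpi" },
];

function syncableIDs(addons) {
  return addons.filter(a => isSyncableAddon(a)).map(a => a.id);
}
console.log(syncableIDs(sampleAddons)); // ["ok@example.test"]
```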
Threat Brainstorming
- Attacker with access to your sync account could silently push malicious add-ons to your sync clients
- is this a sync problem or a problem for this feature?
- a problem introduced by the feature. Before this feature, an attacker could only push bookmarks/history to your sync devices.
- Privacy: AMO (or in future, other download sites) can track you across installs
- OK for AMO if you are logged in; also not a new issue, since we already know this via the sync service
- Communication via HTTPS too (super double bonus)
- no extra "cert property" checks (true of addon updates as well)
- the new sync engine will not require a storage version bump.
Conclusions / Action Items
- [mossop] check whether experimental add-ons would also be synced. We don't want them to be; only reviewed add-ons should be allowed.
- continue looking at ways to protect the sync account and give users more information about their sync account
- out of scope for this feature