
WebAPI Security Discussion: Socket API


Lucas Adamski

May 8, 2012, 2:50:15 PM
to dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
Please reply-to dev-w...@lists.mozilla.org

Name of API: Socket API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=733573

Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients, etc.
General Use Cases: None

Inherent threats: Malicious apps attacking internal systems (firewall bypass), local device access

Threat severity: High

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: None
Authorization model for normal content:
Authorization model for installed content:
Potential mitigations:

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Talk to non-HTTP services. SSH, FTP, mail clients, supporting custom protocols
Use cases for trusted code: Implicit
Potential mitigations: Firewall should prohibit access to privileged low number OS ports (<1024). Listening on a port < 1024 should be prohibited.

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Open a connection to any domain/port
Authorization model: Implicit
Potential mitigations: None

pther...@mozilla.com

May 31, 2012, 6:55:45 AM
to mozilla-d...@lists.mozilla.org

"Final" proposal. Please reply-to dev-w...@lists.mozilla.org with any major issues.