Lucas Adamski
May 8, 2012, 2:50:15 PM
to dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
Please reply-to dev-w...@lists.mozilla.org
Name of API: Socket API
Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=733573
Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients, etc.
General Use Cases: None
Inherent threats: Malicious apps attacking internal systems (firewall bypass), local device access
Threat severity: High
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: None
Authorization model for normal content:
Authorization model for installed content:
Potential mitigations:
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Talk to non-HTTP services. SSH, FTP, mail clients, supporting custom protocols
Use cases for trusted code: Implicit
Potential mitigations: Firewall should prohibit access to privileged low number OS ports (<1024). Listening on a port < 1024 should be prohibited.
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Open a connection to any domain/port
Authorization model: Implicit
Potential mitigations: None
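
The three tiers and the port mitigation from the message above, written out as a fail-closed permission check. This is an added example, not part of the original post and not Mozilla's implementation. The function name, tier strings, result shape and sample requests are hypothetical, and it assumes the "<1024" rule covers outbound connects as well as listening and that certified apps may also listen.

```javascript
// Added example: hypothetical permission gate for the tiers in the message.
const PRIVILEGED_PORT_LIMIT = 1024; // "<1024" from the Trusted mitigations

// Decide whether `tier` may perform `op` ("connect" or "listen") on `port`.
// Assumption: the Trusted rule applies to both connect and listen.
function checkSocketRequest(tier, op, port) {
  // Reject strings, floats and out-of-range values before any policy logic.
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    return { allow: false, reason: "invalid port" };
  }
  if (op !== "connect" && op !== "listen") {
    return { allow: false, reason: "unknown operation" };
  }
  switch (tier) {
    case "regular": // no use cases listed for unauthenticated content
      return { allow: false, reason: "no raw sockets for regular web content" };
    case "trusted":
      if (port < PRIVILEGED_PORT_LIMIT) {
        return { allow: false, reason: `${op} on privileged port ${port}` };
      }
      return { allow: true, reason: "trusted app, unprivileged port" };
    case "certified": // "any domain/port", mitigations: none
      return { allow: true, reason: "certified app" };
    default: // fail closed on an unrecognised tier
      return { allow: false, reason: "unknown trust tier" };
  }
}

// Constructed sample requests using the well-known ports of protocols the
// message names as use cases (SSH 22, FTP 21, SMTP 25) plus a high port.
const SAMPLE_REQUESTS = [
  ["trusted", "connect", 22],
  ["trusted", "connect", 21],
  ["trusted", "connect", 25],
  ["trusted", "connect", 8080],
  ["trusted", "listen", 80],
  ["certified", "connect", 25],
  ["regular", "connect", 8080],
];

// Evaluate every sample and return the decisions for inspection.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map(([tier, op, port]) =>
    ({ tier, op, port, ...checkSocketRequest(tier, op, port) }));
}
```

Under the assumed reading, `evaluateSamples()` denies the trusted-tier connects to ports 22, 21 and 25, so whether the rule is meant to cover outbound connections or only local listening is worth settling when the policy is implemented.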