static vs dynamic ISP database (was: Re: Governance and Release Model updates)

Andrew Sutherland asutherland at asutherland.org
Mon Nov 5 17:11:07 UTC 2012


On 11/05/2012 03:08 AM, Mark Banner wrote:
>> ISPDB:
>> "ispdb expected to be brought up to replace the static files for 
>> autoconfig."
>> I disagree here, I think the static approach using SVN we have right 
>> now is more secure for the high-value sites that we currently have.
> The issue I have with the static approach is that it is a manual process 
> that takes up more time than really necessary and is difficult for 
> people to hook into (e.g. bugzilla account required, filing a bug, 
> working out the format, reviews, checking in etc). With Gaia starting 
> to use autoconfig as well as other apps, I am expecting that we may 
> get more submissions which will be much easier to handle with an 
> online service. Of course, as Blake mentioned, we'll also get the 
> necessary security reviews before rolling it out.

I had a talk with the privacy people before we (partially) implemented 
autoconfig for Gaia.  (We don't do domain guessing yet and we can't 
support certificate exceptions.)

The privacy team seemed happiest if we could do our MX lookups from the 
device (platform still can't do it) and just stored the ISP database 
locally on the device, since that takes the security of the ISP database 
server out of the loop.  Right now we do ask the server because we have 
to ask it for the MX lookups anyway, so there's no real benefit to 
storing the entire ISP database locally.  We are still interested in 
moving to storing the database locally once the platform allows, and 
assuming we can make it small enough that it doesn't fill up the device.

I am generally in agreement with Ben about the dynamic implementation 
being a bit scary.  A compromised ISP database server has great 
potential to mount a man-in-the-middle attack on new account creation, and the 
dynamic implementation arguably has at least an order of magnitude more 
surface area to attack.  This is partially mitigated by the fact that we 
are locally installing ISP database entries in gaia for the most popular 
services and ActiveSync's auto-discovery process will run prior to 
consulting the ISP database, just as we look for autoconfig.DOMAIN 
entries prior to consulting the ISP database.

My main concern is that security will do a quick pass on it (they have 
limited time), see no problems in the code proper, but the backing 
libraries like Django or whatever it uses will have a security issue and 
the ISP database won't be actively maintained by anyone and then we are 
boned.  If we are able to get webdev to adopt it, that would be good.  
B2G/gaia may be able to provide the impetus to give it to webdev, or we 
may be able to eventually provide review bandwidth (possibly augmented 
by offline verification of the proposed ISP database entries).  B2G has 
a work week this week and I will try to raise the issue with product 
management.

Andrew
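The lookup precedence Andrew describes (entries installed on the device first, then autoconfig.DOMAIN, then the remote ISP database) written out as an added example. This is not Gaia or Thunderbird code; the network fetches are replaced by constructed in-memory fixtures so it runs offline, the XML follows the Thunderbird autoconfig clientConfig format, and the refusal of a plaintext socket coming from any network source is an assumption added here as a practitioner check. That check catches a downgrade pushed by a compromised server; it does not catch a redirect to an attacker host that presents a valid certificate, which is the residual risk the message is worried about.

```python
"""Added example (not Gaia or Thunderbird code): autoconfig lookup order
with constructed fixtures in place of network fetches.

Order: entries shipped on the device -> autoconfig.<domain> -> remote ISP
database. The plaintext-socket refusal for network sources is an assumption
added here, not something the message specifies.
"""
import xml.etree.ElementTree as ET


def _client_config(domain, host, port, socket_type):
    """Build a minimal Thunderbird-style clientConfig document (fixture helper)."""
    return f"""<clientConfig version="1.1">
  <emailProvider id="{domain}">
    <domain>{domain}</domain>
    <incomingServer type="imap">
      <hostname>{host}</hostname>
      <port>{port}</port>
      <socketType>{socket_type}</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
  </emailProvider>
</clientConfig>"""


# Constructed fixtures. LOCAL_DB stands for entries installed on the device;
# the other two stand for what the named network source would return.
LOCAL_DB = {
    "popular.example": _client_config("popular.example", "imap.popular.example", 993, "SSL"),
}
AUTOCONFIG_DOMAIN = {
    "corp.example": _client_config("corp.example", "mail.corp.example", 143, "STARTTLS"),
}
ISPDB = {
    # Also present remotely (pointing somewhere else); the local copy must win.
    "popular.example": _client_config("popular.example", "imap.attacker.example", 993, "SSL"),
    "small.example": _client_config("small.example", "imap.small.example", 993, "SSL"),
    # Models a tampered remote entry that downgrades the client to plaintext.
    "tampered.example": _client_config("tampered.example", "imap.tampered.example", 143, "plain"),
}

# (name, table, fetched over the network?) in consultation order.
SOURCES = (
    ("local", LOCAL_DB, False),
    ("autoconfig.DOMAIN", AUTOCONFIG_DOMAIN, True),
    ("ispdb", ISPDB, True),
)


class ConfigError(Exception):
    pass


def parse_client_config(xml_text, domain):
    """Parse a clientConfig document; reject one that does not claim `domain`."""
    root = ET.fromstring(xml_text)
    if root.tag != "clientConfig":
        raise ConfigError("not a clientConfig document")
    provider = root.find("emailProvider")
    if provider is None:
        raise ConfigError("no emailProvider")
    claimed = {d.text.strip() for d in provider.findall("domain") if d.text}
    if domain not in claimed:
        raise ConfigError(f"config does not cover {domain}")
    incoming = provider.find("incomingServer")
    if incoming is None:
        raise ConfigError("no incomingServer")
    return {
        "type": incoming.get("type"),
        "hostname": incoming.findtext("hostname", "").strip(),
        "port": int(incoming.findtext("port", "0")),
        "socketType": incoming.findtext("socketType", "").strip(),
    }


def lookup(domain):
    """Return (source_name, config) from the first source that knows `domain`,
    or None if no source does. Raises ConfigError on a rejected entry."""
    for name, table, from_network in SOURCES:
        xml_text = table.get(domain)
        if xml_text is None:
            continue
        cfg = parse_client_config(xml_text, domain)
        # Assumption added here: an entry fetched over the network may not
        # hand us a plaintext socket. Refuse it rather than trust it.
        if from_network and cfg["socketType"] not in ("SSL", "STARTTLS"):
            raise ConfigError(f"{name} offered socketType {cfg['socketType']!r} for {domain}")
        return name, cfg
    return None


def rejects(domain):
    """True if lookup() refuses every entry it finds for `domain`."""
    try:
        lookup(domain)
    except ConfigError:
        return True
    return False
```

Run with a domain that exists both locally and in ISPDB to see the local copy win, which is the property that takes the ISP database server out of the loop for those providers.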
