On Aug 12, 2013, at 6:55 AM, Lloyd Hilaiel <[email protected]> wrote:
> Now that some of the other challenging threads have died down, let's have
> another one.
>
> As I think deeply (at least as deeply as I am capable of) about how users
> will log into different firefox products, and how we can really achieve a
> high level of integration, I am reminded just how challenging this problem
> is. I'm at the point in my meditation where I have distilled things down to
> a single most important question.
>
> What are the cons of reducing the security of recoverable class A data such
> that it could be accessed with a persona assertion asserting ownership of the
> email address stored in your account?
>
> Note:
> I realize that we've taken some shortcuts in email verification, and that a
> verified email address in firefox accounts isn't as rigorously verified as
> one in persona. Ignore that for now. Think just about the security delta
> from competing products and our current design.

Is the idea that the data would sit on the servers unencrypted? How far reduced are you thinking?

I'll set aside the PR questions - that's for another debate - and focus on some of the potential repercussions.

We become a discoverable witness. Email sites shutting down are in the news right now, as well as everything we're reading about companies having to comply with the US government. This is partly a PR issue, but it does go beyond that. I don't have answers here, but the legal team probably does and should be consulted. Heck, if nothing else, it's a danger to their workload!

Right now, there's effectively no value in the data our servers contain. This has made us an unappealing target for malicious attention - why bother breaking into servers for a bunch of random strings? This has let us skip some of the more expensive security oversight. Is class A data juicy enough that we're suddenly the easiest vector to acquire it? Is it worth breaking in to add an additional bookmark to each user's profile? To screw with history weights so that generic viagra is the first autocomplete for 'g'?

Obviously, I don't want to imply that we're going to slack on security - we'll do everything we reasonably can to protect user data. But we don't have the resources of many of our competitors in this space (live 24/7 intrusion monitoring and response, for example) and/or are relying on third-party services (AWS), and that makes us a target.

To close on a more upbeat note: we'd need to do a lot of rewriting, but unencrypted data + collection-specific storage would let us do a lot more on the server side, especially in record compression. Cost per user would go down a decent bit, I suspect.

Toby

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev

