Page MenuHomePhabricator

Ensure that push-notifications requires TLS
Closed, ResolvedPublic


Finding from security review:


  • I assume the push-notifications service will require TLS per the trend in T235411. Risk: low.

We should ensure that assumption.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2020, 9:35 AM
MSantos added a subscriber: MSantos.
Mholloway triaged this task as High priority.Sep 15 2020, 3:40 PM
LGoto assigned this task to MSantos.Sep 15 2020, 3:40 PM
LGoto moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog (Kanban) board.
MSantos closed this task as Resolved.Sep 17 2020, 1:54 PM
MSantos added a subscriber: Joe.

To confirm the hypothesis:

  1. There isn't any non-TLS endpoint from LVS registered for push-notifications, see
  2. TLS is enabled for push-notifications in the current deployment-charts, see

I'm going to mark this as resolved, but also leave it to @jijiki or @Joe to re-open if I'm making the wrong assumption.