
Ensure that push-notifications requires TLS
Closed, Resolved · Public

Description

Finding from security review:

TLS

  • I assume the push-notifications service will require TLS per the trend in T235411. Risk: low.

We should ensure that assumption.

Event Timeline

Restricted Application added a subscriber: Aklapper. Sep 11 2020, 9:35 AM
MSantos added a subscriber: MSantos.
Mholloway triaged this task as High priority. Sep 15 2020, 3:40 PM
LGoto assigned this task to MSantos. Sep 15 2020, 3:40 PM
LGoto moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog (Kanban) board.
MSantos closed this task as Resolved. Sep 17 2020, 1:54 PM
MSantos added a subscriber: Joe.

To confirm the hypothesis:

  1. There isn't any non-TLS endpoint from LVS registered for push-notifications, see https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/hieradata/common/service.yaml
  2. TLS is enabled for push-notifications in the current deployment-charts, see https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/622330

I'm going to mark this as resolved, but also leave it to @jijiki or @Joe to re-open if I'm making the wrong assumption.
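
The two checks in the comment above are configuration reviews. The following is an added example, not part of the original task or of Wikimedia's tooling, that confirms the same property from the network side by probing a listener with both a TLS handshake and a cleartext HTTP request. The host and port are supplied by the caller, and the function names and verdict strings are assumptions made for this example.

```python
import socket
import ssl

def tls_handshake(host, port, timeout=3.0):
    """Return the negotiated TLS version, 'untrusted-cert', or None if no TLS."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"  # listener speaks TLS, certificate did not validate
    except OSError:              # ssl.SSLError, refused connection, timeout
        return None

def plaintext_reply(host, port, timeout=3.0):
    """Send a cleartext HTTP request and return the first bytes of any reply."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            return s.recv(256)
    except OSError:
        return b""

def classify(tls, reply):
    """Combine both probe results into one verdict string."""
    status = None
    if reply.startswith(b"HTTP/"):
        parts = reply.split(None, 2)
        if len(parts) >= 2 and parts[1].isdigit():
            status = int(parts[1])
    # Heuristic: some TLS listeners answer a cleartext request with a 400
    # error page; that is a rejection, not the service being served in clear.
    serves_cleartext = status is not None and status != 400
    if tls and serves_cleartext:
        return "tls-and-cleartext"
    if tls:
        return "tls-required"
    if serves_cleartext:
        return "cleartext-only"
    return "inconclusive"

def check(host, port):
    """Probe one listener and return its verdict."""
    return classify(tls_handshake(host, port), plaintext_reply(host, port))
```

A verdict of `tls-required` matches the assumption in the security review; `tls-and-cleartext` or `cleartext-only` means a non-TLS path is reachable and the configuration should be re-checked.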