Security/Features/SSL Error Reporting

Please use "Edit with form" above to edit this page.

Status

SSL Error Reporting
Stage	Design
Status	In progress
Release target	`
Health	OK
Status note	Certificate pinning will use this.

Team

Product manager	Kathleen Wilson
Directly Responsible Individual	David Keeler
Lead engineer	David Keeler
Security lead	`
Privacy lead	`
Localization lead	`
Accessibility lead	`
QA lead	`
UX lead	`
Product marketing lead	`
Operations lead	`
Additional members	`

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Add a "Report to Mozilla" option to the "Untrusted Connection" error page. bug 846501

2. Users & use cases

A user browses to a secure website, but gets the warning: "This Connection is Untrusted". If the user has already opted-in to sending telemetry data to Mozilla, then Mozilla telemetry will collect the appropriate information.

Another use case will be when Certificate Pinning is available. When the set of keys in the certificate chain do not intersect with the set of keys 'pinned' in the browser, then an alert will be displayed to the user, and provide a "report to Mozilla" option. The user should be warned that their interaction with the website might be watched, so they should avoid entering personal data, but they should be able to accept the risk and go forward to the site. Note that the reporting mechanism could possibly get blocked by a malicious actor (or for some other reason), and if that happens the user should be notified that the reporting mechanism may be being blocked, and the information should be made available (in a file?) so the user can email or submit the information to us some other way.

3. Dependencies

Not necessarily a dependency, but need to keep in mind:

There's an IETF key-pinning draft in the works that can report pinning errors. See bug 846501#c5. If we use a format for the general SSL error reporting that is compatible with the IETF standard for reporting key pinning errors, we may be able to avoid writing that code twice.
Certificate Pinning will need this capability.

4. Requirements

Use telemetry permission settings for non-pinning errors. For Pinning errors, the user should opt-in to send the information to Mozilla. Enough information needs to be sent to Mozilla to reproduce or sufficiently analyze the problem.

Non-goals

`

Stage 2: Design

5. Functional specification

Two parts:

Add telemetry collection to the "Untrusted Connection" error, using the regular telemetry permission settings.
Certificate Pinning will need a way for the user (regardless of if their telemetry permissions are set) to report certificate pinning violations to Mozilla.

6. User experience design

Two parts:

Collecting telemetry data from the "Untrusted Connection" error page probably does not require any user interface change.
New user interface for reporting Certificate Pinning violations.

Stage 3: Planning

7. Implementation plan

Implement the capability to return the necessary information (Look into using Bagheera.)
- Entire certificate chain as sent by server
- Domain of bad connection
- NSS Error Code
- User Agent, IP address, Timestamp
UX changes for Certificate Pinning error reporting
Add back-end utilities to analyze the data.

8. Reviews

Security review

bug 846502

Privacy review

bug 846506

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

bug 865918

Stage 4: Development

9. Implementation

Use Bagheera client. There is Bagheera client support for both desktop (as of Fx21) and Android (Fx23/24), so we should be able to generate a JSON payload and submit it for later analysis.

Stage 5: Release

10. Landing criteria

`

Feature details

Priority	P1
Rank	999
Theme / Goal	TLS Hardening
Roadmap	Security
Secondary roadmap	`
Feature list	`
Project	`
Engineering team	Security

Team status notes

	status	notes
Products	`	`
Engineering	`	`
Security	`	`
Privacy	`	`
Localization	`	`
Accessibility	`	`
Quality assurance	`	`
User experience	`	`
Product marketing	`	`
Operations	`	`