Security/Reviews/Telemetry Experiments r1

Please use "Edit with form" above to edit this page.

Item Reviewed

SecReview: Firefox Telemetry Experiments (rev 1)

Target

   
     Full Query

ID	Summary	Priority	Status
974029	Security Review: Firefox Telemetry Experiments (rev 1)	--	RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

The given value "

   
     Full Query

ID	Summary	Priority	Status
974029	Security Review: Firefox Telemetry Experiments (rev 1)	--	RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

" contains strip markers and therefore it cannot be parsed sufficiently.

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

High Level Goal: Grow Firefox

Get a better understanding of how people use the produt to make data driven decisions
Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1

Deadlines: dev/staging mid-march. production end of march.

What solutions/approaches were considered other than the proposed solution?

Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.

Why was this solution chosen?

sign XPI with a known key like Test Pilot did?
- Have not considered?
- This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant

   there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps

Any security threats already considered in the design and why?

`

Threat Brainstorming

Privacy Stuff

How will users opt-in for these?
- can be viewed via about:telemetry
all data would be usage data covered under the telemetry privacy policy (no pii)
- e.g., no URIs

Property "SecReview feature goal" (as page type) with input value "High Level Goal: Grow Firefox
- Get a better understanding of how people use the produt to make data driven decisions
- Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
- PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
- Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
- Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1
Deadlines: dev/staging mid-march. production end of march." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
Property "SecReview alt solutions" (as page type) with input value "* Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
- The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
- Property "SecReview solution chosen" (as page type) with input value "* sign XPI with a known key like Test Pilot did?
  - Have not considered?
  - This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant
there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
Property "SecReview threat brainstorming" (as page type) with input value "=== Privacy Stuff ===
- How will users opt-in for these?
  - can be viewed via about:telemetry
- all data would be usage data covered under the telemetry privacy policy (no pii)
  - e.g., no URIs" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status	None
Release Target	`
Action Items
Who :: What :: By When benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping benjamin :: file bug to annotate crash reporter if experiment is enabled

Security/Reviews/Telemetry Experiments r1

Item Reviewed

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

Any security threats already considered in the design and why?

Threat Brainstorming

Privacy Stuff

Action Items

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools