Security/Reviews/Telemetry Experiments r1
Item Reviewed
SecReview: Firefox Telemetry Experiments (rev 1)

ID | Summary | Priority | Status
---|---|---|---
974029 | Security Review: Firefox Telemetry Experiments (rev 1) | -- | RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%)

Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
High Level Goal: Grow Firefox
- Get a better understanding of how people use the product to make data-driven decisions
- Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
- PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
- Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
- Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1
Deadlines: dev/staging mid-March; production end of March.
What solutions/approaches were considered other than the proposed solution?
- Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
- The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.
Why was this solution chosen?
- sign XPI with a known key like Test Pilot did?
- Have not considered?
- This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in Gecko is close to nonexistent
  - there is some basic support using the underlying XPI/JAR signing format; currently used for Marketplace apps
Any security threats already considered in the design and why?
Threat Brainstorming
Privacy Stuff
- How will users opt-in for these?
  - can be viewed via about:telemetry
  - all data would be usage data covered under the telemetry privacy policy (no PII)
    - e.g., no URIs
Action Items
Action Item Status | None
Release Target |
Action Items | Who :: What :: By When