Security/Reviews/Telemetry Experiments r1

From MozillaWiki

Item Reviewed

SecReview: Firefox Telemetry Experiments (rev 1)
Target

ID      Summary                                                   Priority  Status
974029  Security Review: Firefox Telemetry Experiments (rev 1)    --        RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

High Level Goal: Grow Firefox

Deadlines: dev/staging by mid-March; production by end of March.

What solutions/approaches were considered other than the proposed solution?

  • Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
  • The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.

Why was this solution chosen?

  • sign XPI with a known key like Test Pilot did?
    • Have not considered?
    • This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistent
    • there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps
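The pinned-key idea discussed above, as an added example that is not code from the review or from Mozilla's xpi/jar signing support: the product ships with a hard-coded public key, and an experiment package (an XPI, which is a zip archive) is only parsed after a detached signature over its bytes verifies against that key. Ed25519 and the detached-signature layout are assumptions made for this illustration; the key pair, package contents and function names are constructed here and are not the project's.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// pinnedExperimentKey stands in for the public key that would be hard-coded
// into the product. Constructed for this example: the key pair is generated
// at startup instead of being baked into the build, and the private half
// would normally exist only on the signing server.
var pinnedExperimentKey ed25519.PublicKey
var signingKey ed25519.PrivateKey

func init() {
	var err error
	pinnedExperimentKey, signingKey, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
}

// BuildExperimentXPI assembles a minimal XPI-like zip in memory holding one
// manifest file (constructed sample input, not a real experiment).
func BuildExperimentXPI(manifest string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create("manifest.json")
	if err != nil {
		return nil, err
	}
	if _, err := f.Write([]byte(manifest)); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// SignExperimentXPI produces a detached signature over the whole package,
// so any byte change anywhere in the archive invalidates it.
func SignExperimentXPI(xpi []byte, key ed25519.PrivateKey) []byte {
	return ed25519.Sign(key, xpi)
}

var ErrBadSignature = errors.New("experiment package signature does not verify against pinned key")
var ErrNotZip = errors.New("experiment package is not a readable zip archive")

// VerifyExperimentXPI checks the signature against the pinned key before the
// archive is opened: nothing inside an unverified package is trusted, and a
// package signed with any other key is rejected even if its contents parse.
func VerifyExperimentXPI(xpi, sig []byte, pinned ed25519.PublicKey) error {
	if !ed25519.Verify(pinned, xpi, sig) {
		return ErrBadSignature
	}
	if _, err := zip.NewReader(bytes.NewReader(xpi), int64(len(xpi))); err != nil {
		return ErrNotZip
	}
	return nil
}

func main() {
	xpi, err := BuildExperimentXPI(`{"id":"example-experiment@example.org"}`)
	if err != nil {
		panic(err)
	}
	sig := SignExperimentXPI(xpi, signingKey)
	fmt.Println("genuine package:", VerifyExperimentXPI(xpi, sig, pinnedExperimentKey))

	// Flip one byte of the archive: the signature no longer matches.
	tampered := append([]byte{}, xpi...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered package:", VerifyExperimentXPI(tampered, sig, pinnedExperimentKey))

	// A package signed with a key that is not the pinned one is also refused.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("signed with non-pinned key:", VerifyExperimentXPI(xpi, sig, otherPub))
}
```

The point of checking the signature before touching the zip reader is that the archive parser never runs on attacker-controlled input; the ordering matters as much as the key being pinned.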

Any security threats already considered in the design and why?


Threat Brainstorming

Privacy Stuff

  • How will users opt-in for these?
    • can be viewed via about:telemetry
  • all data would be usage data covered under the telemetry privacy policy (no PII)
    • e.g., no URIs

Action Items

Action Item Status: None
Release Target:

Who :: What :: By When
  • benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping
  • benjamin :: file bug to annotate crash reporter if experiment is enabled