(25 intermediate revisions by 3 users not shown) |
| = Firefox Services & Operations Security = | | = Firefox Operations Security = |
| The FoxSec team is tasked with securing core Firefox services operated by the Firefox Services Engineering and Operations organization at Mozilla.
| | Firefox Operations Security is responsible for application & operations security for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service. |
|
| |
|
| [[File:Foxsec1024.png|400px|right]] | | [[File:Secops1024.png|400px|right]] |
|
| |
|
| == Contact == | | == Contact == |
| Email us at foxsec@mozilla.com. | | Email us at secops@mozilla.com. |
|
| |
|
| To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here]. | | To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here]. |
| | |
| | To tell us about a new service create a [https://github.com/mozilla-services/foxsec/issues/new?template=NewService.md&labels=New%20Service&assignee=psiinon&title=New%20Service:%20 New Service issue]. |
|
| |
|
| __TOC__ | | __TOC__ |
|
| |
|
| == Backlog == | | == Product Lines == |
| | |
| The table below summarizes the open issues assigned to the FoxSec team, sorted by area of focus.
| |
| | |
| === Operational Security ===
| |
| === Operational Security ===
| |
| {| class="wikitable"
| |
| |- style="vertical-align:bottom;"
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Continuous Testing (TDS)
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Fraud Detection
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| User management
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Infra Hardening
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Threat monitoring
| |
| |-
| |
| | style="background-color: #ffd351;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" <span style="color:black;">'''3 MEDIUM'''<br />'''5 LOW'''<br /></span>]
| |
| | style="background-color: #d04437;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" <span style="color:white;">'''2 HIGH'''<br />'''2 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| |
| | style="background-color: #ffd351;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br /></span>]
| |
| | style="background-color: #d04437;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" <span style="color:white;">'''4 MEDIUM'''<br />'''5 LOW'''<br /></span>]
| |
| | style="background-color: #cccccc;"|no pending task
| |
| |}
| |
| | |
| === Application Security ===
| |
| {| class="wikitable"
| |
| |- style="vertical-align:bottom;"
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Risk & Security reviews
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Test & Implement Baseline Security
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Data & Code Signing
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Training & Communication
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| Bug Bounty
| |
| ! style="height:100px; width:200px; text-align:center;" |
| |
| External audits
| |
| |-
| |
| | style="background-color: #d04437;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" <span style="color:white;">'''2 HIGH'''<br />'''4 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| |
| | style="background-color: #d04437;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" <span style="color:white;">'''2 HIGH'''<br />'''10 MEDIUM'''<br />'''7 LOW'''<br /></span>]
| |
| | style="background-color: #ffd351;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
| |
| | style="background-color: #ffd351;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" <span style="color:black;">'''1 MEDIUM'''<br />'''6 LOW'''<br /></span>]
| |
| | style="background-color: #4a6785;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" <span style="color:white;">'''2 LOW'''<br /></span>]
| |
| | style="background-color: #ffd351;"|
| |
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br /></span>]
| |
| |}
| |
| | |
| == Strategy ==
| |
| === 1. Improve operational security of the core infrastructure ===
| |
| | |
| ==== 1.1 Implement Test Driven Security (TDS) in CI/CD ====
| |
| Security tests should be part of the continuous integration (CI) and continuous delivery (CD) pipelines.
| |
| * CI integration should be part of the code commit/review process, either in an existing CI (travis-ci, circleci, taskcluster) or in a security-dedicated one. CI tests should include static code analysis and recommendations, Docker container testing and dependency checks (vulnerability management).
| |
| * CD integration should be done at Jenkins' level, when stage environments are built and promoted. All services are regularly rebuilt by Jenkins. CD tests should include application vulnerability scanning (ZAProxy) and infrastructure access control tests (security groups, IAM permissions, ...).
| |
| TDS should output directly in the build pipeline at first, and allow dev & ops to control levels that block integration & delivery. In a second phase, TDS outputs should be aggregated into a central security tracking platform.
| |
| | |
| ==== 1.2 Make use of the logging pipeline to detect fraud and anomalies ====
| |
| Heka, ElasticSearch and Kafka are powerful tools on top of which we can plug various pattern detection mechanisms to identify known bad actors, or unusual behavior. Fraud detection is a highly requested feature that devs don’t want to rebuild every time. Fraud detection should operate autonomously for each service, taking into account business rules set by the developers and the security team.
| |
| | |
| ==== 1.3 Improve user management and authentication ====
| |
| We should make better use of LDAP to add and remove employees from various third party services and admin panels.
| |
| * Admin panels should rely on Mozilla's Identity Management platform provided by IT
| |
| * Third-party services (datadog, pagerduty, aws) should have automated user management (userplex).
| |
| foxsec needs to facilitate integration with Mozilla's IAM with standard libraries and tools.
| |
| | |
| ==== 1.4 Harden the infrastructure ====
| |
| All services and tools that are part of the standard infrastructure should undergo security hardening. Hardening rules should be testable in the CD pipeline (see TDS above) to prevent security regressions. Some examples:
| |
| * SSH should enforce MFA authentication
| |
| * Disabled users should be removed from all systems, particularly bastion hosts
| |
| * AWS permissions must prevent services from compromising each other
| |
| * Secrets must be provisioned encrypted
| |
| * ...
| |
| | |
| === 2. Increase security maturity ===
| |
| | |
| ==== 2.1 Help new projects identify threats and controls (RRA, threat models,...) ====
| |
| Risk assessment and threat modeling help people think through failure scenarios they wouldn’t evaluate otherwise. RRAs often lead to architectural changes that are best identified early. Each new project must undergo a 30/60min RRA with one of the members of foxsec to assess the security posture of the project.
| |
|
| |
|
| ==== 2.2 Implement baseline services security standards ====
| | * Firefox Accounts |
| Content Security Policy (CSP), HSTS, HPKP, data signature and encryption, input validation, XSS and SQLi protection are among the techniques developers should care about when building new services. foxsec defines services security standards that devs can implement and foxsec tests in TDS.
| | * Addons.mozilla.org |
| | * Browser services (sync, push, normandy, remote settings, balrog, product delivery, etc.) |
| | * Data services (telemetry, pioneer, taar, prio, etc.) |
| | * Web presence of Premium services (FxSend, FxMonitor, FPN website, etc.) |
| | * Release Engineering (taskcluster, shipit, *.build.m.o, build infra, etc.) |
| | * Developer Services (phabricator, lando, bugzilla, sentry, crash reports, etc.) |
|
| |
|
| ==== 2.3 Communicate security effectively throughout the organization ==== | | == Scope == |
| Teams need a channel to ask security questions, discuss concerns and share techniques. FoxSec must organize information flow and broadcast to developers, ops and managers. This includes general security best practices, analysis and actions to take on CVE vulnerabilities, response and communication on incidents.
| |
|
| |
|
| ==== 2.4 Use Mozilla’s bug bounty program ==== | | === Application security === |
| The bug bounty program is a fantastic tool: for a small amount of money, we reward people worldwide for helping us improve our security posture. Most security issues identified in our services come from the bug bounty program. We must ensure that all services are part of the bug bounty program and that triaging is performed regularly. As much as possible, we must assist developers in fixing security issues that are reported through bug bounties.
| | Responsibility for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service. |
| | * Risk assessments |
| | * Security Reviews |
| | * Manual and automated testing |
| | * Review risks w/ product owners |
| | * Security incident management |
|
| |
|
| === 3. Build core security services ===
| | The application security group also owns cryptographic services (autograph, tls canary, tls observatory, etc) and appsec tooling (zap, dependency observatory, etc.). |
|
| |
|
| ==== 3.1 Sign data that changes the configuration of user agents ==== | | === Operations security === |
| We iterate fast, and eventually someone, either us or a partner, is bound to make a mistake and open a door that could put our users at risk. Signing the data we send to our users helps cover that risk. Digital signature for Firefox is a complex topic - not every project can implement it independently - so foxsec must provide the tooling and services to facilitate signing ([https://github.com/mozilla-services/autograph autograph]).
| | Responsibility for infrastructure and hosting of Firefox services. |
| | * Covers the security of AWS and GCP infrastructure, and datacenters for the build infra |
| | * Security operations consulting for the Firefox organization at large |
|
| |
|
| ==== 3.2 Monitor our ecosystem for external threats ====
| | The operations security group also owns the fraud pipeline (foxsec-pipeline) and secops tooling (frost, sops, etc.). |
| There are many scenarios in which our users can be at risk because of the fraudulent or careless behavior of a third party. A bad certificate authority could issue a certificate that impersonates us. A careless partner could leak addon signing keys. A web startup could get hacked and leak web push endpoints. We should implement the tools needed to identify fraudulent behavior outside of our organization that impacts us, so we can react in a timely manner and protect Firefox users.
| |
|
| |
|
| ==== 3.3 Partner with external firms to monitor our security ==== | | === Risk Management === |
| We can’t do everything ourselves. External security firms can help us keep an eye on and audit our services. Some of their work may be redundant with current efforts, such as automated security testing, but would help cover the interim. We should evaluate various vendors and partner with the ones that have the best support of our technologies.
| | Responsibility for maintaining visibility into the security posture of the Firefox infrastructure. |
| | * Rapid Risk Assessments framework & associated tooling |
| | * Security posture reports & leadership reporting |
|
| |
|
| == Security Checklist == | | == Security Checklist == |
|
| |
|
| The checklist below is in Markdown format, to be copy/pasted into GitHub issues.
| | This has moved to https://github.com/mozilla-services/websec-check |
| | |
| <source lang="markdown">
| |
| | |
| Risk Management
| |
| ---------------
| |
| * [ ] The service must have performed a Rapid Risk Assessment and have a Risk Record bug (**SVC-RRA**).
| |
| | |
| Infrastructure rules
| |
| --------------------
| |
| | |
| * [ ] Access and application logs must be archived for a minimum of 90 days
| |
| * [ ] Use [Modern](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) or [Intermediate](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility) TLS (**INFRA-TLS**)
| |
| * [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**)
| |
| * `strict-transport-security: max-age=31536000`
| |
| * [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**)
| |
| * `Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";`
| |
| * Start with max-age set to 5 minutes (`max-age=300`) and increase progressively
| |
| * The first two pins are for Digicert EV and DV roots, the last two are for Let's Encrypt X3 and X4 intermediates (LE is only used for backup)
| |
| * [ ] If the service is not hosted under `services.mozilla.com`, it must be manually added to [Firefox's preloaded pins](https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#184).
| |
| * If the service has an admin panel, it must:
| |
| * [ ] only be available behind Mozilla VPN (which provides MFA) (**INFRA-ADMINVPN**)
| |
| * [ ] require LDAP authentication (**INFRA-ADMINLDAP**)
| |
| * [ ] enforce a two-man rule on sensitive changes (**INFRA-2MANRULE**)
| |
| | |
| Coding rules
| |
| ------------
| |
| | |
| The following rules apply to all web applications: APIs and websites.
| |
| | |
| * [ ] Sign all release tags, and maybe commits as well (**APP-COMMITSIG**)
| |
| * Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
| |
| * The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd-party GitHub integration compromising our source code.
| |
| * [ ] Publish detailed logs in [mozlog](https://github.com/mozilla-services/Dockerflow/blob/master/docs/mozlog.md) format (**APP-MOZLOG**)
| |
| * Business logic must be logged with app specific codes (errno)
| |
| * Access control failures must be logged at WARN level
| |
| * [ ] Must have a CSP with (**APP-CSP**)
| |
| * [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint
| |
| * [ ] web APIs should set `default-src` to `none`, disallowing all content rendering
| |
| * [ ] if default-src is not `self`, frame-src should be `none` or only allow specific origins
| |
| * [ ] no use of unsafe-inline or unsafe-eval
| |
| * [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)
| |
| * [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s (**APP-NOHTML**)
| |
| * [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**)
| |
| * [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**)
| |
| * [ ] When managing permissions, make sure access controls are enforced server-side (**APP-ACL**)
| |
| * [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration (**APP-SECCOOKIE**)
| |
| * Keep 3rd-party libraries up to date (**APP-DEPS**)
| |
| * [ ] Use [NSP](https://nodesecurity.io/) or [Greenkeeper](https://greenkeeper.io/) for NodeJS applications
| |
| * [ ] Use `pip list --outdated` or [requires.io](https://requires.io/) for Python applications
| |
| * [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (**APP-KEYROT**)
| |
| * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
| |
| * [ ] Applications must use accounts with limited GRANTS when connecting to databases (**APP-DBPRIV**)
| |
| * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a SQL injection vulnerability.
| |
| | |
| ### Additional websites requirements
| |
| | |
| The following coding rules only apply to websites, not web apis.
| |
| | |
| * [ ] Never store passwords, use Firefox Accounts (**APP-IDP**)
| |
| * [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**)
| |
| * [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**)
| |
| * [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**).
| |
| * Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
| |
| * Set the following security headers (**APP-HEADERS**)
| |
| * [ ] X-Content-Type-Options
| |
| * [ ] X-Frame-Options
| |
| * [ ] X-XSS-Protection
| |
| * [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org)
| |
| * [ ] Forbid the use of third party resources (GA, optimizely, ...) on sites that have privileged permissions in Firefox (AMO, testpilot)
| |
| | |
| Data rules
| |
| ----------
| |
| | |
| * When storing sensitive user data (like browsing history) on Mozilla servers:
| |
| * [ ] Anonymize it (similar to Tiles) (**DATA-ANON**)
| |
| * [ ] Encrypt it client-side (similar to Sync) (**DATA-CRYPT**)
| |
| * [ ] If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
| |
| * If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (**DATA-SIGN**)
| |
| * [ ] Addons must use standard AMO signing (**APP-SIGNING**)
| |
| * [ ] Code & Conf must use Content-Signature via [Autograph](https://github.com/mozilla-services/autograph) (**DATA-SIGNING**)
| |
| | |
| </source>
| |
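The header and cookie rules in the checklist above (INFRA-HSTS, APP-CSP, APP-SECCOOKIE, APP-NOHTML, APP-HEADERS) are the kind of check that section 1.1 wants run as Test Driven Security. The following is an added example, not FoxSec's own tooling: the `audit` function, its parameters and the sample responses are assumptions constructed for illustration, and only the rules named here are checked.

```python
import re

HSTS_MIN_AGE = 31536000  # INFRA-HSTS value from the checklist (1 year)
SITE_HEADERS = ("x-content-type-options", "x-frame-options", "x-xss-protection")


def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit(headers, set_cookies=(), is_api=False):
    """Return the sorted checklist IDs that one HTTP response fails.

    headers: dict of response headers; set_cookies: raw Set-Cookie values;
    is_api: True for web APIs, False for websites (hypothetical parameters).
    """
    h = {k.lower(): v for k, v in headers.items()}
    failed = set()

    # INFRA-HSTS: max-age of at least one year.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        failed.add("INFRA-HSTS")

    # APP-CSP: report-uri to /__cspreport__, no unsafe-inline/unsafe-eval,
    # and default-src 'none' for web APIs.
    csp = parse_csp(h.get("content-security-policy", ""))
    sources = [s.lower() for srcs in csp.values() for s in srcs]
    reports = csp.get("report-uri", [])
    if (
        not any(u.split("?")[0].endswith("/__cspreport__") for u in reports)
        or "'unsafe-inline'" in sources
        or "'unsafe-eval'" in sources
        or (is_api and [s.lower() for s in csp.get("default-src", [])] != ["'none'"])
    ):
        failed.add("APP-CSP")

    # APP-SECCOOKIE: every cookie carries both Secure and HttpOnly.
    for cookie in set_cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            failed.add("APP-SECCOOKIE")

    # APP-NOHTML: web APIs must declare a non-HTML content type.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if is_api and ctype in ("", "text/html", "application/xhtml+xml"):
        failed.add("APP-NOHTML")

    # APP-HEADERS: websites must send the three listed headers.
    if not is_api and any(name not in h for name in SITE_HEADERS):
        failed.add("APP-HEADERS")

    return sorted(failed)


# Constructed sample responses (not captured from any real service).
GOOD_API = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'none'; report-uri /__cspreport__",
    "Content-Type": "application/json",
}
WEAK_SITE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
}
WEAK_COOKIES = ["session=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    print(audit(GOOD_API, is_api=True))
    print(audit(WEAK_SITE, WEAK_COOKIES))
```

A pipeline step can fail the build when `audit` returns a non-empty list, which gives dev and ops the blocking level described in section 1.1.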
| | |
| == Sites and Services ==
| |
| | |
| FoxSec is responsible for the security of the following websites and backend services.
| |
| | |
| (note: foxsec is not responsible for the security of implementations in firefox, only of the backend services).
| |
| | |
| === ABSearch ===
| |
| Code: [https://github.com/mozilla-services/absearch absearch]
| |
| | |
| Public Endpoints:
| |
| * search.services.mozilla.com
| |
| | |
| === Addons.mozilla.org ===
| |
| Code:
| |
| * [https://github.com/mozilla/addons-frontend addons-frontend]
| |
| * [https://github.com/mozilla/addons-server/ addons-server]
| |
| * [https://github.com/mozilla/addons-linter addons-linter]
| |
| | |
| Public Endpoints:
| |
| * addon.mozilla.org
| |
| * addons.mozilla.org
| |
| * blocklist.addons.mozilla.org
| |
| * builder.addons.mozilla.org
| |
| * controller-review.apk.firefox.com
| |
| * controller.apk.firefox.com
| |
| * services.addons.mozilla.org
| |
| * static.addons.mozilla.net
| |
| * versioncheck-bg.addons.mozilla.org
| |
| * versioncheck.addons.mozilla.org
| |
| | |
| === Product Delivery ===
| |
| Code: [https://github.com/mozilla-services/go-bouncer go-bouncer]
| |
| | |
| Public Endpoints:
| |
| * download-installer.cdn.mozilla.net
| |
| * download.mozilla.org
| |
| | |
| === AUS/Balrog ===
| |
| Code: [https://github.com/mozilla/balrog/ balrog]
| |
| | |
| Public Endpoints:
| |
| * aus3.mozilla.org
| |
| * aus4.mozilla.org
| |
| * aus5.mozilla.org
| |
| * aus.mozilla.org
| |
| | |
| === Crash reports (Socorro) ===
| |
| Code: https://github.com/mozilla/socorro/
| |
| | |
| Public Endpoints:
| |
| * crash-reports-xpsp2.mozilla.com
| |
| * crash-reports.mozilla.com
| |
| * crash-stats.mozilla.com
| |
| | |
| === Firefox Accounts ===
| |
| Code:
| |
| * [https://github.com/mozilla/fxa fxa]
| |
| * [https://github.com/mozilla/fxa-auth-server fxa-auth-server]
| |
| * [https://github.com/mozilla/fxa-content-server fxa-content-server]
| |
| * [https://github.com/mozilla/fxa-js-client fxa-js-client]
| |
| * [https://github.com/mozilla/fxa-oauth-server fxa-oauth-server]
| |
| * [https://github.com/mozilla/fxa-customs-server/ fxa-customs-server]
| |
| | |
| Public Endpoints:
| |
| * accounts.firefox.com
| |
| * api.accounts.firefox.com
| |
| * oauth.accounts.firefox.com
| |
| * profile.accounts.firefox.com
| |
| * verifier.accounts.firefox.com
| |
| | |
| === Firefox Sync ===
| |
| Code:
| |
| * [https://github.com/mozilla-services/syncserver syncserver]
| |
| * [https://github.com/mozilla-services/tokenserver tokenserver]
| |
| | |
| Public Endpoints:
| |
| * *.$region.sync.services.mozilla.com
| |
| * token.services.mozilla.com
| |
| | |
| === Location (MLS) ===
| |
| Code:
| |
| * [https://github.com/mozilla/ichnaea ichnaea]
| |
| * [https://github.com/mozilla-services/location-leaderboard location-leaderboard]
| |
| | |
| Public Endpoints:
| |
| * location.services.mozilla.com
| |
| * location-leaderboard.services.mozilla.com
| |
| | |
| === Marketplace.firefox.com ===
| |
| Code: [https://github.com/mozilla/zamboni zamboni]
| |
| | |
| Public Endpoints:
| |
| * marketplace.firefox.com
| |
| * receiptcheck.marketplace.firefox.com
| |
| * static.marketplace.firefox.com
| |
| | |
| === Push ===
| |
| Code:
| |
| * [https://github.com/mozilla-services/autopush autopush]
| |
| * [https://github.com/mozilla-services/push-dev-dashboard push-dev-dashboard]
| |
| | |
| Public Endpoints:
| |
| * push.services.mozilla.com
| |
| * updates.push.services.mozilla.com
| |
| | |
| === Firefox Settings (Kinto) ===
| |
| Code: https://github.com/Kinto/kinto
| |
| | |
| Public Endpoints:
| |
| * firefox.settings.services.mozilla.com
| |
| | |
| === Pageshot ===
| |
| Code: https://github.com/mozilla-services/pageshot/
| |
| | |
| Public Endpoints: pageshot.net
| |
| | |
| === Shield / Normandy ===
| |
| Code:
| |
| * [https://github.com/mozilla/normandy normandy]
| |
| | |
| Public Endpoints: self-repair.mozilla.org
| |
| | |
| === Telemetry ===
| |
| Code:
| |
| * [https://github.com/mozilla/telemetry-server telemetry-server] (deprecated, moving to [https://github.com/mozilla/telemetry-analysis-service telemetry-analysis-service])
| |
| * [https://github.com/mozilla/telemetry-dashboard/ telemetry-dashboard]
| |
| | |
| Public Endpoints:
| |
| * incoming.telemetry.mozilla.org
| |
| * telemetry-experiment.cdn.mozilla.net
| |
| * analysis.telemetry.mozilla.org
| |
| * sql.telemetry.mozilla.org
| |
| * metrics.services.mozilla.com
| |
| | |
| === Test Pilot ===
| |
| Code: [https://github.com/mozilla/testpilot testpilot]
| |
| | |
| Public Endpoints:
| |
| * http://testpilot.firefox.com/
| |
| | |
| === Tiles/Pingcenter ===
| |
| Code: [https://github.com/mozilla/splice splice]
| |
| | |
| Public Endpoints:
| |
| * tiles.cdn.mozilla.net
| |
| * tiles.services.mozilla.com
| |
| | |
| === TLS Observatory ===
| |
| Code: [https://github.com/mozilla/tls-observatory tls-observatory]
| |
| | |
| Public Endpoints:
| |
| * tls-observatory.services.mozilla.com
| |
|
| |
|
| === Tracking Protection === | | == About the logo == |
| Code: [https://github.com/mozilla-services/shavar shavar]
| |
|
| |
|
| Public Endpoints:
| | The Firefox Operations Security logo is derived [https://github.com/synthagency/icons-flat-osx/blob/master/SVG/Apps-Firefox.svg from this work by Synth Agency], and published under Creative Commons Attribution-NonCommercial 4.0 International Public License. |
| * shavar.services.mozilla.com
| |
| * tracking.services.mozilla.com
| |