Security/Features/SSL Error Reporting: Difference between revisions
Revision as of 18:07, 21 May 2013
Status
Feature | SSL Error Reporting |
Stage | Design |
Status | In progress |
Release target | (none) |
Health | OK |
Status note | Certificate pinning will use this. |
Team
Product manager | Kathleen Wilson |
Directly Responsible Individual | David Keeler |
Lead engineer | David Keeler |
Security lead | (none) |
Privacy lead | (none) |
Localization lead | (none) |
Accessibility lead | (none) |
QA lead | (none) |
UX lead | (none) |
Product marketing lead | (none) |
Operations lead | (none) |
Additional members | (none) |
Open issues/risks
(none)
Stage 1: Definition
1. Feature overview
Add a "Report to Mozilla" option to the "Untrusted Connection" error page (bug 846501).
2. Users & use cases
A user browses to a secure website, but gets the warning: "This Connection is Untrusted". The user views the technical details and sees that the error is due to an invalid security certificate, so they click on the option to send the error information to Mozilla for analysis.
Another use case will be when Certificate Pinning is available. When the set of keys in the certificate chain does not intersect with the set of keys 'pinned' in the browser, an alert will be generated and sent to Mozilla to be stored and analyzed. There may be some false alarms, but if a real issue (such as a MITM) is identified, the security group should be alerted for further action.
3. Dependencies
Not necessarily a dependency, but need to keep in mind:
- There's an IETF key-pinning draft (http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04#section-3) in the works that can report pinning errors. See bug 846501#c5. If we use a format for the general SSL error reporting that is compatible with the IETF standard for reporting key pinning errors, we may be able to avoid writing that code twice.
- Certificate Pinning (https://wiki.mozilla.org/Security/Features/CA_pinning_functionality) will need this capability.
4. Requirements
The user should opt-in to send the information to Mozilla. Enough information needs to be sent to Mozilla to reproduce or sufficiently analyze the problem.
Non-goals
(none)
Stage 2: Design
5. Functional specification
Two phases:
- Add interface to "Untrusted Connection" for user to send error report to Mozilla.
- Certificate Pinning to use this ability to send the information back to Mozilla about certificate pinning violations.
6. User experience design
Potentially two phases:
- Update the "Untrusted Connection" error page to add the option to report the error to Mozilla.
- Possible separate user interface for when a Certificate Pinning violation is caught?
Stage 3: Planning
7. Implementation plan
- Implement the capability to return the necessary information (look into using Bagheera):
  - Entire certificate chain as sent by the server
  - Domain of the bad connection
  - NSS error code
  - User agent, IP address, timestamp
- Add user interface for opt-in to send error info to Mozilla.
- Add back-end utilities to analyze the data.
- If needed, additional UX changes for Certificate Pinning.
8. Reviews
Security review | bug 846502 |
Privacy review | bug 846506 |
Localization review | (none) |
Accessibility review | (none) |
Quality Assurance review | (none) |
Operations review | bug 865918 |
Stage 4: Development
9. Implementation
Use the Bagheera client. There is Bagheera client support for both desktop (as of Fx21) and Android (Fx23/24), so we should be able to generate a JSON payload and submit it for later analysis.
Stage 5: Release
10. Landing criteria
(none)
Feature details
Priority | P1 |
Rank | 999 |
Theme / Goal | Security Leadership |
Roadmap | Security |
Secondary roadmap | (none) |
Feature list | (none) |
Project | (none) |
Engineering team | Security |
Team status notes
No status or notes have been recorded for any team (Products, Engineering, Security, Privacy, Localization, Accessibility, Quality assurance, User experience, Product marketing, Operations).