Security/Features/SSL Error Reporting: Difference between revisions

Status

{{#set:Feature name=SSL Error Reporting

|Feature stage=Design |Feature status=In progress |Feature version=` |Feature health=OK |Feature status note=Certificate pinning will use this. }}

Team

{{#set:Feature product manager=Kathleen Wilson

|Feature feature manager=David Keeler |Feature lead engineer=David Keeler |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Add a "Report to Mozilla" option to the "Untrusted Connection" error page. bug 846501

2. Users & use cases

A user browses to a secure website, but gets the warning: "This Connection is Untrusted". If the user has already opted-in to sending telemetry data to Mozilla, then Mozilla telemetry will collect the appropriate information.

Another use case will be when Certificate Pinning is available. When the set of keys in the certificate chain do not intersect with the set of keys 'pinned' in the browser, then an alert will be displayed to the user, and provide a "report to Mozilla" option. The user should be warned that their interaction with the website might be watched, so they should avoid entering personal data, but they should be able to accept the risk and go forward to the site. Note that the reporting mechanism could possibly get blocked by a malicious actor (or for some other reason), and if that happens the user should be notified that the reporting mechanism may be being blocked, and the information should be made available (in a file?) so the user can email or submit the information to us some other way.

3. Dependencies

Not necessarily a dependency, but need to keep in mind:

• There's an IETF key-pinning draft in the works that can report pinning errors. See bug 846501#c5. If we use a format for the general SSL error reporting that is compatible with the IETF standard for reporting key pinning errors, we may be able to avoid writing that code twice.
• Certificate Pinning will need this capability.

4. Requirements

Use telemetry permission settings for non-pinning errors. For Pinning errors, the user should opt-in to send the information to Mozilla. Enough information needs to be sent to Mozilla to reproduce or sufficiently analyze the problem.

Non-goals

`

Stage 2: Design

5. Functional specification

Two parts:

1. Add telemetry collection to the "Untrusted Connection" error, using the regular telemetry permission settings.
2. Certificate Pinning will need a way for the user (regardless of if their telemetry permissions are set) to report certificate pinning violations to Mozilla.

6. User experience design

Two parts:

1. Collecting telemetry data from the "Untrusted Connection" error page probably does not require any user interface change.
2. New user interface for reporting Certificate Pinning violations.

Stage 3: Planning

7. Implementation plan

1. Implement the capability to return the necessary information (Look into using Bagheera.)
   • Entire certificate chain as sent by server
   • Domain of bad connection
   • NSS Error Code
   • User Agent, IP address, Timestamp
2. UX changes for Certificate Pinning error reporting
3. Add back-end utilities to analyze the data.

8. Reviews

Security review

bug 846502

Privacy review

bug 846506

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

bug 865918

Stage 4: Development

9. Implementation

Use Bagheera client. There is Bagheera client support for both desktop (as of Fx21) and Android (Fx23/24), so we should be able to generate a JSON payload and submit it for later analysis.

Stage 5: Release

10. Landing criteria

` {{#set:Feature open issues and risks=` |Feature overview=Add a "Report to Mozilla" option to the "Untrusted Connection" error page. bug 846501 |Feature users and use cases=A user browses to a secure website, but gets the warning: "This Connection is Untrusted". If the user has already opted-in to sending telemetry data to Mozilla, then Mozilla telemetry will collect the appropriate information.

Another use case will be when Certificate Pinning is available. When the set of keys in the certificate chain do not intersect with the set of keys 'pinned' in the browser, then an alert will be displayed to the user, and provide a "report to Mozilla" option. The user should be warned that their interaction with the website might be watched, so they should avoid entering personal data, but they should be able to accept the risk and go forward to the site. Note that the reporting mechanism could possibly get blocked by a malicious actor (or for some other reason), and if that happens the user should be notified that the reporting mechanism may be being blocked, and the information should be made available (in a file?) so the user can email or submit the information to us some other way. |Feature dependencies=Not necessarily a dependency, but need to keep in mind:

• There's an IETF key-pinning draft in the works that can report pinning errors. See bug 846501#c5. If we use a format for the general SSL error reporting that is compatible with the IETF standard for reporting key pinning errors, we may be able to avoid writing that code twice.
• Certificate Pinning will need this capability.

|Feature requirements=Use telemetry permission settings for non-pinning errors. For Pinning errors, the user should opt-in to send the information to Mozilla. Enough information needs to be sent to Mozilla to reproduce or sufficiently analyze the problem. |Feature non-goals=` |Feature functional spec=Two parts:

1. Add telemetry collection to the "Untrusted Connection" error, using the regular telemetry permission settings.
2. Certificate Pinning will need a way for the user (regardless of if their telemetry permissions are set) to report certificate pinning violations to Mozilla.

|Feature ux design=Two parts:

1. Collecting telemetry data from the "Untrusted Connection" error page probably does not require any user interface change.
2. New user interface for reporting Certificate Pinning violations.

|Feature implementation plan=# Implement the capability to return the necessary information (Look into using Bagheera.)

1. • Entire certificate chain as sent by server
   • Domain of bad connection
   • NSS Error Code
   • User Agent, IP address, Timestamp
2. UX changes for Certificate Pinning error reporting
3. Add back-end utilities to analyze the data.

|Feature security review=bug 846502 |Feature privacy review=bug 846506 |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=bug 865918 |Feature implementation notes=Use Bagheera client. There is Bagheera client support for both desktop (as of Fx21) and Android (Fx23/24), so we should be able to generate a JSON payload and submit it for later analysis. |Feature landing criteria=` }}

Feature details

{{#set:Feature priority=P1

|Feature rank=999 |Feature theme=TLS Hardening |Feature roadmap=Security |Feature secondary roadmap=` |Feature list=` |Feature project=` |Feature engineering team=Security }}

Team status notes

{{#set:Feature products status=`

|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=` |Feature security health=` |Feature security notes=` |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}