Security/Reviews/Telemetry Experiments r1: Difference between revisions
Jump to navigation
Jump to search
(Created page with "{{SecReviewInfo |SecReview name=SecReview: Firefox Telemetry Experiments (rev 1) }} {{SecReview}} {{SecReviewActionStatus |SecReview action item status=None }}") |
No edit summary |
||
| Line 1: | Line 1: | ||
{{SecReviewInfo | {{SecReviewInfo | ||
|SecReview name=SecReview: Firefox Telemetry Experiments (rev 1) | |SecReview name=SecReview: Firefox Telemetry Experiments (rev 1) | ||
|SecReview target=<bugzilla> | |||
{ | |||
"ID":"974029,974029" | |||
} | |||
</bugzilla> | |||
}} | |||
{{SecReview | |||
|SecReview feature goal=High Level Goal: Grow Firefox | |||
* Get a better understanding of how people use the produt to make data driven decisions | |||
* Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results. | |||
* PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing | |||
* Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing | |||
* Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1 | |||
Deadlines: dev/staging mid-march. production end of march. | |||
|SecReview alt solutions=* Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly. | |||
* The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection. | |||
|SecReview solution chosen=* sign XPI with a known key like Test Pilot did? | |||
** Have not considered? | |||
** This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant | |||
there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps | |||
|SecReview threat brainstorming==== Privacy Stuff === | |||
* How will users opt-in for these? | |||
** can be viewed via about:telemetry | |||
* all data would be usage data covered under the telemetry privacy policy (no pii) | |||
** e.g., no URIs | |||
}} | }} | ||
{{SecReviewActionStatus | {{SecReviewActionStatus | ||
|SecReview action item status=None | |SecReview action item status=None | ||
|SecReview action items=Who :: What :: By When | |||
* benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping | |||
* benjamin :: file bug to annotate crash reporter if experiment is enabled | |||
}} | }} | ||
Revision as of 20:44, 4 March 2014
Please use "Edit with form" above to edit this page.
Item Reviewed
| SecReview: Firefox Telemetry Experiments (rev 1) | |
| Target |
Bugzilla query errorArray ( [type] => error [message] => http-bad-status [params] => Array ( [0] => 400 [1] => Bad Request ) ) 1 |
{{#set:SecReview name=SecReview: Firefox Telemetry Experiments (rev 1) |SecReview target=
Bugzilla query error
Array ( [type] => error [message] => http-bad-status [params] => Array ( [0] => 400 [1] => Bad Request ) ) 1
}}
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
High Level Goal: Grow Firefox
- Get a better understanding of how people use the produt to make data driven decisions
- Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
- PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
- Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
- Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1
Deadlines: dev/staging mid-march. production end of march.
What solutions/approaches were considered other than the proposed solution?
- Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
- The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.
Why was this solution chosen?
- sign XPI with a known key like Test Pilot did?
- Have not considered?
- This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant
there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps
Any security threats already considered in the design and why?
`
Threat Brainstorming
Privacy Stuff
- How will users opt-in for these?
- can be viewed via about:telemetry
- all data would be usage data covered under the telemetry privacy policy (no pii)
- e.g., no URIs
{{#set: SecReview feature goal=High Level Goal: Grow Firefox
- Get a better understanding of how people use the produt to make data driven decisions
- Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
- PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
- Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
- Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1
Deadlines: dev/staging mid-march. production end of march. |SecReview alt solutions=* Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
- The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.
|SecReview solution chosen=* sign XPI with a known key like Test Pilot did?
- Have not considered?
- This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant
there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps
|SecReview threats considered=' |SecReview threat brainstorming==== Privacy Stuff ===
- How will users opt-in for these?
- can be viewed via about:telemetry
- all data would be usage data covered under the telemetry privacy policy (no pii)
- e.g., no URIs
}}
Action Items
| Action Item Status | None |
| Release Target | ` |
| Action Items | |
Who :: What :: By When
|
|
{{#set:|SecReview action item status=None
|Feature version=` |SecReview action items=Who :: What :: By When
- benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping
- benjamin :: file bug to annotate crash reporter if experiment is enabled
}}