Please use "Edit with form" above to edit this page.
Item Reviewed
| SecReview: Firefox Telemetry Experiments (rev 1) | |||||||||
| Target |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%); |
||||||||
{{#set:SecReview name=SecReview: Firefox Telemetry Experiments (rev 1)
|SecReview target=
| ID | Summary | Priority | Status |
|---|---|---|---|
| 974029 | Security Review: Firefox Telemetry Experiments (rev 1) | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
}}
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
High Level Goal: Grow Firefox
- Get a better understanding of how people use the produt to make data driven decisions
- Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
- PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
- Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
- Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1
Deadlines: dev/staging mid-march. production end of march.
What solutions/approaches were considered other than the proposed solution?
- Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
- The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.
Why was this solution chosen?
- sign XPI with a known key like Test Pilot did?
- Have not considered?
- This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant
there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps
Any security threats already considered in the design and why?
`
Threat Brainstorming
Privacy Stuff
- How will users opt-in for these?
- can be viewed via about:telemetry
- all data would be usage data covered under the telemetry privacy policy (no pii)
- e.g., no URIs
{{#set: SecReview feature goal=High Level Goal: Grow Firefox
- Get a better understanding of how people use the produt to make data driven decisions
- Allow Mozilla to deploy experiments to a statistically-relevant population of users and measure results.
- PRD/plan: https://docs.google.com/document/d/1GPpkIcWFNkZmXONjqBCc05U3uocOD-1jpZHdAsR0v1k/edit?usp=sharing
- Related FHR/telemetry data plan: https://docs.google.com/document/d/1JKnqejahVWMev4xUYGbRiICw0HpwopcXBqPYxco0YzU/edit?usp=sharing
- Tracking bug: https://bugzilla.mozilla.org/showdependencytree.cgi?id=973990&hide_resolved=1
Deadlines: dev/staging mid-march. production end of march. |SecReview alt solutions=* Considered building all experiments into the browser code and deploying via the trains. Need more flexibility to develop and revise experiments quickly.
- The original proposal was for experiment data collection to go to a separate server end point, similar to the way testpilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.
|SecReview solution chosen=* sign XPI with a known key like Test Pilot did?
- Have not considered?
- This is basically like cert pinning (key for signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in gecko is close to nonexistant
there is some basic support using the underlying xpi/jar signing format. currently used for marketplace apps
|SecReview threats considered=' |SecReview threat brainstorming==== Privacy Stuff ===
- How will users opt-in for these?
- can be viewed via about:telemetry
- all data would be usage data covered under the telemetry privacy policy (no pii)
- e.g., no URIs
}}
Action Items
| Action Item Status | None |
| Release Target | ` |
| Action Items | |
Who :: What :: By When
|
|
{{#set:|SecReview action item status=None
|Feature version=` |SecReview action items=Who :: What :: By When
- benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping
- benjamin :: file bug to annotate crash reporter if experiment is enabled
}}