Security/Features/SSL Error Reporting
Status
SSL Error Reporting | |
Stage | Design |
Status | In progress |
Release target | ` |
Health | OK |
Status note | Certificate pinning will use this. |
Team
Product manager | Kathleen Wilson |
Directly Responsible Individual | David Keeler |
Lead engineer | David Keeler |
Security lead | ` |
Privacy lead | ` |
Localization lead | ` |
Accessibility lead | ` |
QA lead | ` |
UX lead | ` |
Product marketing lead | ` |
Operations lead | ` |
Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
Add a "Report to Mozilla" option to the "Untrusted Connection" error page.
2. Users & use cases
A user browses to a secure website, but gets the warning: "This Connection is Untrusted". The user views the technical details and sees that the error is due to an invalid security certificate, so they click on the option to send the error information to Mozilla for analysis.
3. Dependencies
This feature is not dependent on anything else, but Cert Pinning will need this capability.
4. Requirements
The user should opt in to sending the information to Mozilla. Enough information needs to be sent to Mozilla for us to be able to reproduce or sufficiently analyze the problem.
Non-goals
`
Stage 2: Design
5. Functional specification
Two phases:
- Add an interface to the "Untrusted Connection" page for the user to send an error report to Mozilla.
- Cert Pinning uses this ability to send information about certificate pinning violations back to Mozilla.
6. User experience design
Update the "Untrusted Connection" error page.
Stage 3: Planning
7. Implementation plan
Information needed:
- Entire certificate chain
- Domain of bad connection
- Error Code
- User Agent, IP, Timestamp
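The information listed above, assembled into the kind of JSON payload this page plans to submit, with the opt-in requirement enforced before anything is built. This is an added example, not Mozilla's code or schema. The field names, the `buildSslErrorReport` and `acceptReport` helpers, the sample values, and the choice to record the IP at the collector rather than in the client payload are assumptions; the Bagheera submission itself is not shown.

```javascript
// Added example: field names are assumptions, not a Mozilla schema.
const REQUIRED = ["hostname", "port", "errorCode", "certChain", "userAgent", "timestamp"];

// Client side: build the report. Returns null unless the user opted in.
function buildSslErrorReport({ optedIn, url, errorCode, chainDer, userAgent, now = Date.now() }) {
  if (optedIn !== true) return null; // explicit opt-in only
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error("not a TLS connection");
  if (!Array.isArray(chainDer) || chainDer.length === 0) throw new Error("empty chain");
  return {
    // Domain only: path, query and fragment may hold user data and are dropped.
    hostname: u.hostname,
    port: u.port ? Number(u.port) : 443,
    errorCode,
    // Entire chain as presented by the server, leaf first, base64-encoded DER.
    certChain: chainDer.map((der) => Buffer.from(der).toString("base64")),
    userAgent,
    timestamp: Math.floor(now / 1000), // seconds since the epoch
  };
}

// Collector side: reject malformed reports, then attach the source IP,
// which the collector observes itself instead of trusting the client (assumption).
function acceptReport(json, remoteIp) {
  const r = JSON.parse(json);
  for (const k of REQUIRED) if (!(k in r)) throw new Error("missing field: " + k);
  if (!Array.isArray(r.certChain) || r.certChain.length === 0) throw new Error("bad certChain");
  const chain = r.certChain.map((b64) => Buffer.from(b64, "base64"));
  // 0x30 is the DER SEQUENCE tag that every X.509 certificate starts with.
  if (chain.some((c) => c.length < 2 || c[0] !== 0x30)) throw new Error("not DER");
  return { ...r, certChain: chain, remoteIp };
}

// Constructed sample input: placeholder bytes, not real certificates.
const sampleChain = [Uint8Array.from([0x30, 0x03, 0x02, 0x01, 0x01]),
                     Uint8Array.from([0x30, 0x03, 0x02, 0x01, 0x02])];
const sample = {
  optedIn: true,
  url: "https://example.test:8443/account?session=abc",
  errorCode: "SEC_ERROR_UNKNOWN_ISSUER",
  chainDer: sampleChain,
  userAgent: "Mozilla/5.0 (constructed sample)",
  now: 1700000000000,
};
```

Sending the whole chain, not just the leaf, is what lets the failure be reproduced offline, since the intermediates a server presents often determine the error.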
8. Reviews
Security review
bug 846502
Privacy review
bug 846506
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
Use Bagheera client. There is Bagheera client support for both desktop (as of Fx21) and Android (Fx23/24), so we should be able to generate a JSON payload and submit it for later analysis.
Stage 5: Release
10. Landing criteria
`
Feature details
Priority | Unprioritized |
Rank | 999 |
Theme / Goal | Security Leadership |
Roadmap | Security |
Secondary roadmap | ` |
Feature list | ` |
Project | ` |
Engineering team | Security |
Team status notes
status | notes | |
Products | ` | ` |
Engineering | ` | ` |
Security | ` | ` |
Privacy | ` | ` |
Localization | ` | ` |
Accessibility | ` | ` |
Quality assurance | ` | ` |
User experience | ` | ` |
Product marketing | ` | ` |
Operations | ` | ` |