Security/Reviews/Telemetry Experiments r1

From MozillaWiki
Revision as of 20:49, 4 March 2014 by Curtisk (talk | contribs)

Item Reviewed

SecReview: Firefox Telemetry Experiments (rev 1)
Target
   
     Full Query    
   
ID Summary Priority Status
974029 Security Review: Firefox Telemetry Experiments (rev 1) -- RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

High Level Goal: Grow Firefox

Deadlines: dev/staging mid-March; production end of March.

What solutions/approaches were considered other than the proposed solution?

  • Considered building all experiments into the browser code and deploying via the trains. Rejected because we need more flexibility to develop and revise experiments quickly.
  • The original proposal was for experiment data collection to go to a separate server endpoint, similar to the way Test Pilot works. We changed to collect data using the existing FHR/telemetry systems to give users better visibility and control over data collection.

Why was this solution chosen?

  • Sign the XPI with a known key like Test Pilot did?
    • Have not considered?
    • This is basically like cert pinning (the key used to check the signature is pinned by hardcoding it in the product) < sounds simpler and a bit like code signing < yep, but our code signing support in Gecko is close to nonexistent; there is some basic support using the underlying XPI/JAR signing format, currently used for Marketplace apps.

Any security threats already considered in the design and why?


Threat Brainstorming

Privacy Stuff

  • How will users opt in to these?
    • Can be viewed via about:telemetry.
  • All data would be usage data covered under the telemetry privacy policy (no PII).
    • e.g., no URIs


Action Items

Action Item Status: None
Release Target: (not set)

Who :: What :: By When
  • benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping
  • benjamin :: file bug to annotate crash reporter if experiment is enabled
