Closed
Bug 846505
Opened 11 years ago
Closed 11 years ago
Privacy-Technical Review: Create an SSL Error Reporting Mechanism
Categories
(mozilla.org :: Security Assurance: Review Request, task)
mozilla.org
Security Assurance: Review Request
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: kathleen.a.wilson, Unassigned)
References
Details
Initial Questions: Project/Feature Name: Create an SSL Error Reporting Mechanism Tracking ID:846489 Description: The goal of this project is to create a certificate error reporting mechanism that will transmit and store the following information on a Mozilla server, allowing the data to be analyzed both automatically and manually. - Domain of bad connection - Error type (e.g. Pinning, domain mismatch, etc) - Cert chain (at minimum, same data to distrust each cert in the chain) - Request data (e.g. User Agent, IP, Timestamp) Initially this reporting mechanism will be used to report, store, and analyze certificate pinning violations. In the future it could also be used for user-reported certificate errors, and other related concerns. Certificate pinning is a mechanism by which site owners can specify a set of keys (actually fingerprints of the keys) such that in the next connection to the site, the set of keys in the certificate chain MUST intersect with the set of keys 'pinned' in the browser. - https://bugzilla.mozilla.org/show_bug.cgi?id=744204 - https://wiki.mozilla.org/Security/Features/CA_pinning_functionality When the set of keys in the certificate chain do not intersect with the set of keys 'pinned' in the browsers, then an alert will be generated and sent to Mozilla to be stored and analyzed. There may be some false alarms, but if a real issue (such as MITM) is identified, the security-group should be alerted for further action. This reporting mechanism should be available before Key Pinning is live, which is targeted for May 2013. Additional Information: https://etherpad.mozilla.org/CA-KeyPinningReporting Urgency: 2-4 weeks Key Initiative: Firefox Platform Release Date: 2013-05-10 Project Status: active Mozilla Data: Yes New or Change: New Mozilla Project: none Mozilla Related: SSL, security Separate Party: Yes Type of Relationship: Other Data Access: No Privacy Policy: None -- it may be the case that the user should have to click to allow the data to be sent to Mozilla. Vendor Cost: N/A
privacy technical reviews are now gated on privacy policy reviews (kickoff workflow to be updated). If the policy review sees need for this we can reopen. I also see no reason to keep this hidden.
Group: mozilla-corporation-confidential
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: privacy-review-needed
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•