Open
Bug 1122305
Opened 9 years ago
Updated 1 month ago
Make use of mozAnon / loadFlags LOAD_ANONYMOUS when checking for updates and when downloading an update
Categories
(Toolkit :: Application Update, defect, P3)
Tracking
()
NEW
People
(Reporter: robert.strong.bugs, Unassigned)
References
Details
Attachments
(1 file)
1.14 KB,
patch
|
molly
:
review+
|
Details | Diff | Splinter Review |
This will prevent the use of cookies and lessen privacy concerns.
Comment 1•9 years ago
|
||
At some point AUS (or blocklist) used cookies to avoid double counting for metrics purposes. It's worth making sure we don't break this stuff.
Reporter | ||
Comment 2•9 years ago
|
||
Chris, fyi that I'd like to prevent cookies from being used by the update check and the update download to lessen privacy concerns. If you aren't the right person to notify please let me know. Thanks!
Reporter | ||
Updated•9 years ago
|
Mentor: robert.strong.bugs
Whiteboard: [good first bug]
Comment 4•9 years ago
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #2) > Chris, fyi that I'd like to prevent cookies from being used by the update > check and the update download to lessen privacy concerns. If you aren't the > right person to notify please let me know. Thanks! Hi Rob. Does anyone do anything with the cookies now? What domain sets/reads the cookie now?
Flags: needinfo?(chrismore.bugzilla) → needinfo?(robert.strong.bugs)
Reporter | ||
Comment 5•9 years ago
|
||
Hi Chris, here is info posted to governance. Many years ago we used cookies for tracking update pings and I was told they would be removed. I have no idea if they are still used or who would be using them but they were used by metrics. Typical url: https://aus4.mozilla.org/update/3/Firefox/38.0a1/20150113030205/WINNT_x86-msvc/en-US/nightly/Windows_NT%206.3.0.0%20(x64)/default/default/update.xml?force=1 "Please remember that you still send cookies; here's what I got out of Firefox debugging itself as I went to Help -> About: optimizelySegments=%7B%22245875585%22%3A%22direct%22%2C%22245617832%22%3A%22none%22%2C%22246048108%22%3A%22false%22%2C%22245677587%22%3A%22ff%22%2C%22869421433%22%3A%22true%22%7D; optimizelyEndUserId=oeu1421293036707r0.8592334519134582; optimizelyBuckets=%7B%7D; __utma=150903082.1914521133.1421293040.1421293040.1421293040.1; __utmb=150903082.2.10.1421293040; __utmc=150903082; __utmz=150903082.1421293040.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1 So it's got Google Analytics and Optimizely; both are for tracking. Steps: 1) New download of latest release, 35.0 2) Start with firefox -profile (empty directory) -offline 3) Turn on browser + remote debugging; open the browser toolbox in Network tab. 4) Click on Try Again in the first run page to go online and trigger things 5) Help -> About Firefox. I have not checked the addon update ping; that presumably has similar behaviour. Being privacy-oriented there would likely involve fetching updates for each addon separately over a period of time to avoid the ability to track people by the combination of addons they have installed. Quick scan of things with timestamps in prefs: app update; addon update; telemetry; FHR; sync; openh264 / gmp; safebrowsing; phishing. Not sure if things like social that I've disabled involve pings. When trading between user privacy and designing a better web site, user privacy lost. (It should be obvious, but: I believe the right choice here would be a request with no identifying information beyond the build of Firefox in use, the OS it's running on, and the source IP address so it can send the response.)"
Flags: needinfo?(robert.strong.bugs) → needinfo?(chrismore.bugzilla)
Hi! Sorry, there seems to be some confusion. (I was the person to provide the info in comment 5.) The update service itself does not set any cookies; however, the firstrun page pulls in Google analytics (and, judging from the cookies above, optimizely) which sets them for mozilla.org across the whole TLD. They're not likely to be something you're actively looking for (since you didn't set them in the first place, www.m.o did), but it's still there and needlessly raises privacy concerns.
Reporter | ||
Comment 7•9 years ago
|
||
Thanks for the additional info Mook.
Comment 8•9 years ago
|
||
(In reply to :Mook from comment #6) > Hi! Sorry, there seems to be some confusion. (I was the person to provide > the info in comment 5.) > > The update service itself does not set any cookies; however, the firstrun > page pulls in Google analytics (and, judging from the cookies above, > optimizely) which sets them for mozilla.org across the whole TLD. They're > not likely to be something you're actively looking for (since you didn't set > them in the first place, www.m.o did), but it's still there and needlessly > raises privacy concerns. Ok, this makes more sense as I was confused about this bug and the summary. Yes, www.mozilla.org (among 70 other websites at Mozilla) use Google Analytics premium to understand how our websites are working, to find problems, and to improve the user experience. Our Google Analytics premium account is set to opt-out on all of 3rd party uses of the data and the only people who have access to the anonymous aggregated data is Mozilla Employees. This is not the normal Google Analytics setup that most people use on other websites. Also, to increase privacy we flipped the anonymize flag in the Google Analytics request via bug 946705 since that is not something enabled by default. We also create a single Google Analytics web property per sub-domain (www.mozilla.org, developer.mozilla.org, support.mozilla.org, etc.) and don't do any cross-domain cookies within Google Analytics. Google Analytics on www.mozilla.org is set to the www sub-domain and not the entire TLD of mozilla.org. As for Optimizely, we use that for A/B testing on key www.mozilla.org pages (as do other Mozilla teams on their websites) to test out theories on improvements to interfaces and content that resonates better with our visitors. Let me know if you have any other questions.
Flags: needinfo?(chrismore.bugzilla)
Comment 9•9 years ago
|
||
The question that needed answering, specifically, is "does aus4.mozilla.org (or any other AUS back-end) read any cookies from incoming requests ever?". Sounds like the answer is "not as far as Chris knows", but probably someone from the release engineering team (who administer the update servers) can say conclusively.
Flags: needinfo?(catlee)
Flags: needinfo?(bhearsum)
Reporter | ||
Comment 10•9 years ago
|
||
The cookies in the past were used by metrics and the cookies at this time are set by Google Analytics and Optimizely across mozilla.org. Is releng reading these cookies from Google Analytics and Optimizely?
Comment 11•9 years ago
|
||
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #9) > The question that needed answering, specifically, is "does aus4.mozilla.org > (or any other AUS back-end) read any cookies from incoming requests ever?". > Sounds like the answer is "not as far as Chris knows", but probably someone > from the release engineering team (who administer the update servers) can > say conclusively. AUS4 (Balrog) definitely does not. We look at the URL, query args, and User-Agent header: https://github.com/mozilla/balrog/blob/master/auslib/web/views/client.py. Requests hit a load balance before the app, but I highly doubt it's looking at cookies. We can ask WebOps to confirm if you like. AUS3 (which is basically unused at this point) seems to set a cookie for a reason that I don't understand: http://mxr.mozilla.org/mozilla/source/webtools/aus/xml/index.php#64. https://bugzilla.mozilla.org/show_bug.cgi?id=481313 has a small amount of background, I'm still not sure what it was for though.
Reporter | ||
Comment 12•9 years ago
|
||
I would be surprised if this wasn't the metrics app update cookie but the people that I talked with about the app update cookie (Ken Kovacs and Daniel Einspanjer) are no longer at Mozilla.
Comment 13•9 years ago
|
||
We've never used it AFAIK. Nick may have more information.
Flags: needinfo?(catlee) → needinfo?(nthomas)
Updated•9 years ago
|
Flags: needinfo?(bhearsum)
Comment 14•9 years ago
|
||
The update server has never used the cookie to change the response, and I think it must have been for metrics. Also, I think it's been broken for a long time, as the cookie is set for aus2.mozilla.org and we moved to aus3.m.o years ago. See bug 1122814 comment #1 for the value of COOKIE_DOMAIN, to go with http://mxr.mozilla.org/mozilla/source/webtools/aus/xml/index.php#64.
Flags: needinfo?(nthomas)
Comment 15•9 years ago
|
||
Hi everyone. A quick related update. * I re-opened bug 1000504 because I didn't like how the Optimizely opt-out was mentioned in the websites privacy policy. It could be made easier for users and thus I suggested changes to make it one-click for www.mozilla.org. * I opened bug 1125995 to make Optimizely's cookies to be specific to the sub-domain instead of associated with the mozilla.org root domain. The root domain setup is the default behavior in Optimizely and the code mentioned in that bug will improve that setup. * I flipped the bit on each optimizely project to have this turned on by default "Anonymize IP addresses for this project and remove the last octet of IP addresses prior to logging"
Comment 16•9 years ago
|
||
(In reply to Nick Thomas [:nthomas] from comment #14) > The update server has never used the cookie to change the response, and I > think it must have been for metrics. Also, I think it's been broken for a > long time, as the cookie is set for aus2.mozilla.org and we moved to > aus3.m.o years ago. See bug 1122814 comment #1 for the value of > COOKIE_DOMAIN, to go with > http://mxr.mozilla.org/mozilla/source/webtools/aus/xml/index.php#64. Interesting. I never knew the legacy aus server did anything with cookies. Since aus2 is gone, is this bug invalid?
Comment 17•9 years ago
|
||
No, this bug is about stopping the client from sending cookies. First we needed to confirm no one was depending on them being there. I think we've done that, so now we should go ahead and change Firefox to not send the cookies. (Good to hear that you adjusted the Optimizely cookie setting for mozilla.org, that seems like a good idea anyways.)
Comment 18•9 years ago
|
||
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #17) > No, this bug is about stopping the client from sending cookies. First we > needed to confirm no one was depending on them being there. I think we've > done that, so now we should go ahead and change Firefox to not send the > cookies. > > (Good to hear that you adjusted the Optimizely cookie setting for > mozilla.org, that seems like a good idea anyways.) +1
Reporter | ||
Updated•9 years ago
|
Summary: Make use of mozAnon when checking for updates and when downloading an update → Make use of mozAnon / loadFlags LOAD_ANONYMOUS when checking for updates and when downloading an update
Reporter | ||
Comment 19•6 years ago
|
||
Might as well just take care of this.
Assignee: nobody → robert.strong.bugs
Status: NEW → ASSIGNED
Attachment #9029532 -
Flags: review?(mhowell)
Updated•6 years ago
|
Attachment #9029532 -
Flags: review?(mhowell) → review+
Reporter | ||
Comment 20•5 years ago
|
||
I'm not going to be able to look into this more anytime soon so unassigning
Assignee: robert.strong.bugs → nobody
Status: ASSIGNED → NEW
Updated•5 years ago
|
Priority: -- → P3
Comment 21•5 years ago
|
||
Hi,
I am looking to contribute to mozilla.
Possible to pick up this issue?
Reporter | ||
Comment 22•5 years ago
|
||
I don't think this is a good first bug due to there being issues with LOAD_ANONYMOUS that will need to be researched before this bug can be fixed.
https://groups.google.com/forum/#!topic/mozilla.dev.platform/pxBCKzxBMDA
Whiteboard: [good first bug]
Reporter | ||
Updated•4 years ago
|
Mentor: robert.strong.bugs
Updated•2 years ago
|
Severity: normal → S3
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
Comment hidden (spam) |
You need to log in
before you can comment on or make changes to this bug.
Description
•