Closed Bug 1208847 Opened 4 years ago Closed 4 years ago

Add telemetry to measure how often secure cookies are set from non-secure origins

Categories

(Core :: Networking: Cookies, defect)

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox42 --- fixed
firefox43 --- fixed
firefox44 --- fixed

People

(Reporter: rbarnes, Assigned: rbarnes)

Attachments

(1 file)

Some recent research highlights risks that arise from non-secure origins being able to set secure cookies.

https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-zheng-updated.pdf

As a prelude to making any changes to cookie handling rules, we should add a telemetry probe to see how often this happens in practice.  (For completeness, though, let's measure the whole matrix of cookie/origin secure/nonsecure.)
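
The measurement proposed above, sketched as an added example (not the patch's code or Mozilla's): classify each observed `Set-Cookie` header by origin scheme and `Secure` attribute, then tally the four-way matrix. The bucket labels, function names and sample observations are constructed for illustration; the probe's real bucket numbering is not shown on this page.

```python
from collections import Counter
from urllib.parse import urlsplit

# Bucket labels are this example's own (assumption); keys are
# (origin_is_secure, cookie_has_secure_attribute).
BUCKETS = {
    (False, False): "nonsecure-origin/nonsecure-cookie",
    (False, True): "nonsecure-origin/secure-cookie",  # the case the bug asks about
    (True, False): "secure-origin/nonsecure-cookie",
    (True, True): "secure-origin/secure-cookie",
}

def has_secure_attribute(set_cookie: str) -> bool:
    """True if a Set-Cookie header value carries the Secure attribute.

    Only the parts after the first ';' are attributes, so a cookie whose
    name or value merely contains "secure" is not counted. Per RFC 6265
    section 5.2 the attribute name is matched case-insensitively and any
    "=value" after it is ignored.
    """
    for attribute in set_cookie.split(";")[1:]:
        name = attribute.split("=", 1)[0].strip().lower()
        if name == "secure":
            return True
    return False

def classify(origin_url: str, set_cookie: str) -> str:
    """Map one (response URL, Set-Cookie value) observation to a bucket."""
    origin_is_secure = urlsplit(origin_url).scheme == "https"
    return BUCKETS[(origin_is_secure, has_secure_attribute(set_cookie))]

def tally(observations) -> Counter:
    """Count observations per bucket, like an enumerated histogram."""
    return Counter(classify(url, header) for url, header in observations)

# Constructed sample observations (not real traffic).
SAMPLE = [
    ("http://shop.example/login", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https://shop.example/login", "sid=def456; Path=/; secure"),
    ("http://shop.example/", "theme=secure; Path=/"),
    ("https://shop.example/cart", "cart=42; Path=/"),
    ("http://shop.example/promo", "promo=1; Max-Age=60;Secure"),
]

if __name__ == "__main__":
    for bucket, count in sorted(tally(SAMPLE).items()):
        print(f"{count:3d}  {bucket}")
```
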
Assignee: nobody → rlb
Status: NEW → ASSIGNED
Attachment #8666474 - Flags: review?(mcmanus)
Attachment #8666474 - Flags: feedback?(vladan.bugzilla)
Attachment #8666474 - Flags: review?(mcmanus) → review+
Comment on attachment 8666474 [details] [diff] [review]
bug-1208847.0.patch

Review of attachment 8666474 [details] [diff] [review]:
-----------------------------------------------------------------

::: toolkit/components/telemetry/Histograms.json
@@ +7563,5 @@
>      "description": "How often would blocked mixed content be allowed if HSTS upgrades were allowed? 0=display/no-HSTS, 1=display/HSTS, 2=active/no-HSTS, 3=active/HSTS"
>    },
> +  "COOKIE_SCHEME_SECURITY": {
> +    "alert_emails": ["seceng@mozilla.org"],
> +    "expires_in_version": "50",

Can we make this expire sooner since it's opt-out?

@@ +7566,5 @@
> +    "alert_emails": ["seceng@mozilla.org"],
> +    "expires_in_version": "50",
> +    "kind": "enumerated",
> +    "n_values": 10,
> +    "releaseChannelCollection": "opt-out",
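
Review bot: "n_values": 10 on this enumerated histogram is larger than the four origin/cookie combinations the bug sets out to measure (secure or non-secure origin × secure or non-secure cookie), and none of the lines shown here say which bucket means what. Suggest having the entry's description spell out the value mapping the way the neighbouring entry does ("0=display/no-HSTS, 1=display/HSTS, ..."), and state whether the remaining buckets are reserved headroom, so that whoever reads the data can pick out the secure-cookie-from-non-secure-origin bucket without consulting the cookie code.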

Since this is opt-out, I have to ask what is the expected user-benefit from this probe? Making users more secure by potentially blocking secure cookies from non-secure origins?

Who will be monitoring the data collected by this probe?
Attachment #8666474 - Flags: feedback?(vladan.bugzilla)
(In reply to Vladan Djeric (:vladan) -- please needinfo! from comment #2)
> Comment on attachment 8666474 [details] [diff] [review]
> bug-1208847.0.patch
> 
> Review of attachment 8666474 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: toolkit/components/telemetry/Histograms.json
> @@ +7563,5 @@
> >      "description": "How often would blocked mixed content be allowed if HSTS upgrades were allowed? 0=display/no-HSTS, 1=display/HSTS, 2=active/no-HSTS, 3=active/HSTS"
> >    },
> > +  "COOKIE_SCHEME_SECURITY": {
> > +    "alert_emails": ["seceng@mozilla.org"],
> > +    "expires_in_version": "50",
> 
> Can we make this expire sooner since it's opt-out?

It's hard to say how soon we'll be able to make the judgement on whether we can take action here.  I'd prefer to give ourselves some runway.


> @@ +7566,5 @@
> > +    "alert_emails": ["seceng@mozilla.org"],
> > +    "expires_in_version": "50",
> > +    "kind": "enumerated",
> > +    "n_values": 10,
> > +    "releaseChannelCollection": "opt-out",
> 
> Since this is opt-out, I have to ask what is the expected user-benefit from
> this probe? Making users more secure by potentially blocking secure cookies
> from non-secure origins?

Precisely.  Since security changes often break things (the change being considered here is known to break some stuff), we need really solid telemetry before we make changes.  


> Who will be monitoring the data collected by this probe?

Security engineering team, e.g., me, :ckerschb.
Comment on attachment 8666474 [details] [diff] [review]
bug-1208847.0.patch

Approval Request Comment
[Feature/regressing bug #]: Gather information about secure cookie usage (see link in bug for security research)
[User impact if declined]: Slower reaction to risks noted in the bug
[Describe test coverage new/current, TreeHerder]: manual verification of correct data collection, https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=b9496d4f7bfd
[Risks and why]: Low risk; small change to cookie setting code
[String/UUID change made/needed]: None
Attachment #8666474 - Flags: approval-mozilla-beta?
Attachment #8666474 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/b9496d4f7bfd
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Comment on attachment 8666474 [details] [diff] [review]
bug-1208847.0.patch

Approved for aurora and beta, this should show up in beta 3.
Attachment #8666474 - Flags: approval-mozilla-beta?
Attachment #8666474 - Flags: approval-mozilla-beta+
Attachment #8666474 - Flags: approval-mozilla-aurora?
Attachment #8666474 - Flags: approval-mozilla-aurora+
Blocks: 1346364