Closed
Bug 1435713
Opened 6 years ago
Closed 6 years ago
Add CN/hash of EE to Content Signature telemetry probe
Categories
(Core :: Security: PSM, enhancement)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla60
Tracking | Status | |
---|---|---|
firefox60 | --- | fixed |
People
(Reporter: jvehent, Assigned: franziskus)
Details
Attachments
(2 files, 1 obsolete file)
The telemetry data sent by the content signature verification logic should include the common name or hash of the end-entity cert to help detect which application caused the error.
Comment 1•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Component: Security → Security: PSM
Assignee | ||
Comment 2•6 years ago
|
||
Because this question came up; we collect certificate fingerprints here but they are not from websites but from our internal PKI and identify the application the signed content is intended for. In particular, this is unrelated to user browsing behaviour.
Attachment #8952803 -
Flags: review?(francois)
Comment 3•6 years ago
|
||
Comment on attachment 8952803 [details] data review request There are two answers to expand on before I can r+ this. > 1) What questions will you answer with this data? > > It should help diagnosing errors we see with rejected content signatures on the server side. What server-side are you talking about? Is that kinto clients talking to the kinto servers and then rejecting the signature on the kinto payload because it doesn't match the signature? > 5) List all proposed measurements and indicate the category of data collection for each measurement, using the > Firefox [data c](https://wiki.mozilla.org/Firefox/Data_Collection)[ollection ](https://wiki.mozilla.org/Firefox > /Data_Collection)[categories](https://wiki.mozilla.org/Firefox/Data_Collection) on the found on the Mozilla wiki. > > All data collected in this bug is category 1 “Technical data”. Here you can refer to the description in the telemetry config ("See CONTENT_SIGNATURE_VERIFICATION_ERRORS in Histograms.json") but you do need to mention the data that's being collected, not just the category. In particular, the comment about these fingerprints coming from our internal PKI should be in there to support the assertion that it's Category 1 and not 3. In Question 4, you seem to suggest that each application (product feature?) uses a different cert. Does this mean that all you can tell from a cert fingerprint is which Mozilla service was involved when a signature failed? We expect all/most users to use all of these features/products so we can't really tell users apart?
Attachment #8952803 -
Flags: review?(francois) → review-
Assignee | ||
Comment 4•6 years ago
|
||
Attachment #8952803 -
Attachment is obsolete: true
Attachment #8953363 -
Flags: review?(francois)
Comment 5•6 years ago
|
||
Comment on attachment 8952654 [details] Bug 1435713 - collect cert fingerprints for failed CS verifications, r?keeler,francois François Marier [:francois] has approved the revision. https://phabricator.services.mozilla.com/D623
Attachment #8952654 -
Flags: review+
Comment 6•6 years ago
|
||
Comment on attachment 8953363 [details] data review request Thanks for the clarifications Franziskus. 1) Is there or will there be **documentation** that describes the schema for the ultimate data set available publicly, complete and accurate? Yes, in Histograms.json and in the attached data review request. 2) Is there a control mechanism that allows the user to turn the data collection on and off? Yes, telemetry setting. 3) If the request is for permanent data collection, is there someone who will monitor the data over time?** Yes, Franziskus. 4) Using the **[category system of data types](https://wiki.mozilla.org/Firefox/Data_Collection)** on the Mozilla wiki, what collection type of data do the requested measurements fall under? ** Category 1. 5) Is the data collection request for default-on or default-off? Default on, all channels. 6) Does the instrumentation include the addition of **any *new* identifiers** (whether anonymous or otherwise; e.g., username, random IDs, etc. See the appendix for more details)? No. 7) Is the data collection covered by the existing Firefox privacy notice? Yes. 8) Does there need to be a check-in in the future to determine whether to renew the data? (Yes/No) (If yes, set a todo reminder or file a bug if appropriate)** No, permanent.
Attachment #8953363 -
Flags: review?(francois) → review+
Comment 7•6 years ago
|
||
Comment on attachment 8952654 [details] Bug 1435713 - collect cert fingerprints for failed CS verifications, r?keeler,francois David Keeler [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D623
Attachment #8952654 -
Flags: review+
Pushed by franziskuskiefer@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0b7257b46e0f collect cert fingerprints for failed CS verifications, r=keeler,francois
Pushed by franziskuskiefer@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1b964f109297 fix linter errors, a=bustage
Comment 10•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/0b7257b46e0f https://hg.mozilla.org/mozilla-central/rev/1b964f109297
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox60:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in
before you can comment on or make changes to this bug.
Description
•