Closed Bug 1521857 Opened 11 months ago Closed 7 months ago

Let users enable security.enterprise_roots.enabled from the cert error page in case of MOZILLA_PKIX_ERROR_MITM_DETECTED

Categories

(Firefox :: Security, defect, P3)

66 Branch
defect

Tracking

()

RESOLVED DUPLICATE of bug 1529643
Tracking Status
firefox66 --- wontfix
firefox67 --- affected

People

(Reporter: RT, Unassigned)

References

(Blocks 1 open bug)

Details

Bug 1450784 helps improve the cert error page in case of MOZILLA_PKIX_ERROR_MITM_DETECTED by providing additional information to the user about the certificate issuer name for the certificate that caused the error.

Bug 1450784 is a step forward in helping users fix the issue although we know there are still limitations:

  • The cert issuer name can be different from the commercial name of the software causing the issue. This can cause further confusion with the user.
  • From research we know that users value and trust their AV probably more than Firefox. This likely means that getting users to disable SSL scanning features of AVs will be hard, especially if Chrome and Edge run fine on the same machine

User story: As a Firefox user, I want a very simple way to keep browsing the web securely in case a 3rd party software I run poorly integrates with the Firefox cert store, causing HTTPs connections to fail.

Acceptance criteria:

  • The certificate error page exposes a button that allows setting security.enterprise_roots.enabled to true and reloading the page
  • Telemetry gets sent on usage of the button to allow correlating usage with presence of specific AVs (AVs are already reported through the work done on bug 1418131)

Personally I'd be happy to add such a button, but this sounds like a pretty big step that should probably be at least checked with the folks maintaining our ecosystem :)

Telemetry gets sent on usage of the button to allow correlating usage with presence of specific AVs (AVs are already reported through the work done on bug 1418131)

The name of the AV/MitM could potentially be sensitive or even personalized user data that we shouldn't report by default.

I think a better and more privacy preserving method may be waiting for a successful page load coming up and then prompting the user whether they want to help Mozilla by reporting the name of the man in the middle.

Priority: -- → P3

(In reply to Johann Hofmann [:johannh] from comment #1)

Telemetry gets sent on usage of the button to allow correlating usage with presence of specific AVs (AVs are already reported through the work done on bug 1418131)

The name of the AV/MitM could potentially be sensitive or even personalized user data that we shouldn't report by default.

I think a better and more privacy preserving method may be waiting for a successful page load coming up and then prompting the user whether they want to help Mozilla by reporting the name of the man in the middle.

Oh, now I understand, you'd like to report just the click, without the MitM name, and then correlate that to the technical info submitted since bug 1418131. Then that might be fine?

I'm generally in favor of a "Fix it" button when we find a MitM. Dana and I have discussed it before with various folks, many of whom are also cc'd here.

As always, I just want to be careful in how we present it. Most people will regard it as the "click here to fix the internet" button.

(In reply to Johann Hofmann [:johannh] from comment #2)

(In reply to Johann Hofmann [:johannh] from comment #1)

Telemetry gets sent on usage of the button to allow correlating usage with presence of specific AVs (AVs are already reported through the work done on bug 1418131)

The name of the AV/MitM could potentially be sensitive or even personalized user data that we shouldn't report by default.

I think a better and more privacy preserving method may be waiting for a successful page load coming up and then prompting the user whether they want to help Mozilla by reporting the name of the man in the middle.

Oh, now I understand, you'd like to report just the click, without the MitM name, and then correlate that to the technical info submitted since bug 1418131. Then that might be fine?

True, just the click event to attempt drawing correlations between specific AV names that we already collect.

I'll look into UX options with Meridel which we could then gather feedback from this group on.

(In reply to J.C. Jones [:jcj] (he/him) from comment #3)

I'm generally in favor of a "Fix it" button when we find a MitM. Dana and I have discussed it before with various folks, many of whom are also cc'd here.

As always, I just want to be careful in how we present it. Most people will regard it as the "click here to fix the internet" button.

Something we should do either way is make sure that if we present this button, it really does fix the internet. E.g. it would be great to be able to do a canary request with security.enterprise_roots.enabled set only for that single instance (or if that will not work set security.enterprise_roots.enabled temporarily) and check whether it successfully connects to a trusted server of our choice.

I agree that a "fix it" button makes sense in this scenario, assuming that the worst thing that will happen is that the enterprise roots pref is enabled.

Depends on: 1529643

The changes in bug 1529643 where we automatically flip this switch make this bug unnecessary.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1529643
You need to log in before you can comment on or make changes to this bug.