Closed Bug 1654520 Opened 5 years ago Closed 5 years ago

[DoH] Debounce heuristics and include network ID in heuristics telemetry

Categories

(Firefox :: Security, enhancement, P1)

Product:
Firefox
Component:
Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 80
Tracking Flags:
Tracking Status
firefox80 --- fixed

People

(Reporter: nhnt11, Assigned: nhnt11)

References

Details

Attachments

(3 files, 1 obsolete file)

Bug 1654520 - [DoH] Debounce heuristics; Include networkID and captiveState in heuristics telemetry event. r=dragana!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1654520 - Concat the networkID to the clientID and SHA256 the result before including in telemetry. r=Mossop!
47 bytes, text/x-phabricator-request
Details | Review
Data Review doc v2
2.44 KB, text/plain
tdsmith
: data-review+
Details

We want to look into caching heuristics results using network ID as the key. In order to be able to experiment on this effectively we should debounce heuristics runs as well as include the network ID (or some anonymized form of it if necessary) in the heuristics telemetry event.

Summary: [DoH] Debounce network-up events and include network ID in heuristics telemetry → [DoH] Debounce heuristics and include network ID in heuristics telemetry
Depends on: 1654714
Attachment #9165601 - Attachment description: Bug 1654520 - [DoH] Debounce heuristics runs and include network ID in heuristics telemetry event. r=dragana! → Bug 1654520 - [DoH] Debounce heuristics; Include networkID and captiveState in heuristics telemetry event. r=dragana!
Attached file Data Review doc (obsolete) —
Attachment #9165834 - Flags: data-review?(tdsmith)

What is networkId a hash of? Unless it's profile-specific it sounds like a hardware identifier, which we don't want to collect (and would require escalated review).

I think it would be safer to collect a HMAC of the networkId keyed with the clientId so that the networkId doesn't allow us to link distinct clientId's on the same hardware.

See hmac() and hmacLegacy() at https://searchfox.org/mozilla-central/rev/828f2319c0195d7f561ed35533aef6fe183e68e3/services/crypto/modules/utils.js#169.

(I think knowing hmac(m1, key1), hmac(m2, key2), and both key1 and key2 doesn't allow you to assert that m1 and m2 are the same or not 🤔)

(In reply to Tim Smith 👨‍🔬 [:tdsmith] from comment #3)

What is networkId a hash of? Unless it's profile-specific it sounds like a hardware identifier, which we don't want to collect (and would require escalated review).

I think it would be safer to collect a HMAC of the networkId keyed with the clientId so that the networkId doesn't allow us to link distinct clientId's on the same hardware.

See hmac() and hmacLegacy() at https://searchfox.org/mozilla-central/rev/828f2319c0195d7f561ed35533aef6fe183e68e3/services/crypto/modules/utils.js#169.

Bah! We are salting the hash but with a fixed set of bytes, so the hashes indeed won't vary profile to profile: https://searchfox.org/mozilla-central/rev/828f2319c0195d7f561ed35533aef6fe183e68e3/netwerk/system/mac/nsNetworkLinkService.mm#747

I'll update the patch with a fix.

Pushed by nhnt11@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2bb0f85b7a8e [DoH] Debounce heuristics; Include networkID and captiveState in heuristics telemetry event. r=dragana https://hg.mozilla.org/integration/autoland/rev/a3f770663a9a Concat the networkID to the clientID and SHA256 the result before including in telemetry. r=mossop
Attached file Data Review doc v2

Updated the description of network ID in the doc.

Attachment #9165834 - Attachment is obsolete: true
Attachment #9165834 - Flags: data-review?(tdsmith)
Attachment #9165994 - Flags: data-review?(tdsmith)
Comment on attachment 9165994 [details] Data Review doc v2 Please use the newest form available at https://github.com/mozilla/data-review. 1) Is there or will there be **documentation** that describes the schema for the ultimate data set in a public, complete, and accurate way? Yes, in Events.yaml and the probe dictionary. 2) Is there a control mechanism that allows the user to turn the data collection on and off? Yes, the Firefox telemetry opt-out. 3) If the request is for permanent data collection, is there someone who will monitor the data over time? Yes, Nhi Nguyen. 4) Using the **[category system of data types](https://wiki.mozilla.org/Firefox/Data_Collection)** on the Mozilla wiki, what collection type of data do the requested measurements fall under? Category 1, technical data. 5) Is the data collection request for default-on or default-off? Default-on. 6) Does the instrumentation include the addition of **any *new* identifiers**? No; the network ID reported here is not a new identifier itself because it depends on the client_id. If the client_id changes, the network_id will change. 7) Is the data collection covered by the existing Firefox privacy notice? Yes. 8) Does there need to be a check-in in the future to determine whether to renew the data? No, permanent collection. 9) Does the data collection use a third-party collection tool? No.
Attachment #9165994 - Flags: data-review?(tdsmith) → data-review+

https://hg.mozilla.org/mozilla-central/rev/2bb0f85b7a8e
https://hg.mozilla.org/mozilla-central/rev/a3f770663a9a

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox80: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 80
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: