Closed Bug 846502 Opened 7 years ago Closed 5 years ago

Security Review: Create an SSL Error Reporting Mechanism

(mozilla.org :: Security Assurance: Review Request, task)

RESOLVED FIXED

(Reporter: kwilson, Assigned: mgoodwin)

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Fx])

Initial Questions:

Project/Feature Name: Create an SSL Error Reporting Mechanism
Tracking ID: 846489
Description:
The goal of this project is to create a certificate error reporting mechanism that will transmit and store the following information on a Mozilla server, allowing the data to be analyzed both automatically and manually.
- Domain of bad connection
- Error type (e.g. Pinning, domain mismatch, etc)
- Cert chain (at minimum, same data to distrust each cert in the chain)
- Request data (e.g. User Agent, IP, Timestamp)

Initially this reporting mechanism will be used to report, store, and analyze certificate pinning violations. In the future it could also be used for user-reported certificate errors, and other related concerns.

Certificate pinning is a mechanism by which site owners can specify a set of keys (actually fingerprints of the keys) such that in the next connection to the site, the set of keys in the certificate chain MUST intersect with the set of keys 'pinned' in the browser.
- https://bugzilla.mozilla.org/show_bug.cgi?id=744204
- https://wiki.mozilla.org/Security/Features/CA_pinning_functionality

When the set of keys in the certificate chain does not intersect with the set of keys 'pinned' in the browser, an alert will be generated and sent to Mozilla to be stored and analyzed. There may be some false alarms, but if a real issue (such as MITM) is identified, the security group should be alerted for further action.

This reporting mechanism should be available before Key Pinning is live, which is targeted for May 2013.
Additional Information:
https://etherpad.mozilla.org/CA-KeyPinningReporting
Urgency: 2-4 weeks
Key Initiative: Firefox Platform
Release Date: 2013-05-10
Project Status: active
Mozilla Data: Yes
New or Change: New
Mozilla Project: none
Mozilla Related: SSL, security
Separate Party: Yes
Type of Relationship: Other
Data Access: No
Privacy Policy: None -- it may be the case that the user should have to click to allow the data to be sent to Mozilla.
Vendor Cost: N/A

Security Review Questions:

Affects Products: Yes
Review Due Date: 
Review Invitees: 
Extra Information:
this will likely triage on 2013.03.13
Group: mozilla-corporation-confidential
Whiteboard: [triage needed]
aim to complete this in Q2
Assignee: nobody → mgoodwin
Whiteboard: [triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Kathleen; are you available at any time this week to talk me through this? I'm in the UK but I'm flexible (to a point) on meeting times.

Thanks
Flags: needinfo?(kwilson)
Hi Mark,

We're just getting started on this. I'll schedule a chat with you when we have more info.

Thanks,
Kathleen
Flags: needinfo?(kwilson)
> Privacy Policy: None -- it may be the case that the user should
> have to click to allow the data to be sent to Mozilla.

If new data is flowing to our servers, opt-in or not, we need to run it by the legal/privacy-policy folks to determine whether our current policy covers it or if we need an update. I agree this sounds very much like crash-reporting, but it still may need an explicit mention in the policy.
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Fx]
(In reply to Kathleen Wilson from comment #4)
> We're just getting started on this. I'll schedule a chat with you when we
> have more info.

Do we have more info yet, Kathleen?
Flags: needinfo?(kwilson)
We've discussed with privacy folks (bug #846506#c6) and have requested UX wireframes for the CA Pinning error reporting.

For general SSL error gathering, we're planning to just tie into the already existing telemetry interface and permissions. When a user browses to a secure website but gets the warning "This Connection is Untrusted", and the user has already opted in to sending telemetry data to Mozilla, Mozilla telemetry will collect the appropriate information.

We will need additional user interface for reporting errors about Key Pinning (https://wiki.mozilla.org/Security/Features/CA_pinning_functionality), because we want to collect this information from all users, regardless of what their telemetry permissions are. When Firefox runs into a pin violation error, the displayed error should have the "Report this to Mozilla" button. If the user selects to report the problem to Mozilla and the reporting fails, Firefox should warn the user that the reporting mechanism may be being blocked, and make the information available to the user so they can email or submit the information to us some other way.
Flags: needinfo?(kwilson)
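The pin check from the bug description (the chain's key set must intersect the pinned set), the report fields it lists, and the "reporting failed, hand the data to the user" fallback from the comment above, as an added illustration that is not Firefox code or part of this bug. The chain entries, the base64 SHA-256 SPKI pin format and the JSON field names are constructed assumptions.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone
# Constructed sample chain: subject plus DER-encoded SubjectPublicKeyInfo. Real code
# would extract the SPKI from each X.509 cert; these byte strings are placeholders.
SAMPLE_CHAIN = [
    {"subject": "CN=example.test", "spki_der": b"leaf-spki-constructed"},
    {"subject": "CN=Intermediate CA", "spki_der": b"intermediate-spki-constructed"},
    {"subject": "CN=Root CA", "spki_der": b"root-spki-constructed"},
]

def spki_fingerprint(spki_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 of the DER SubjectPublicKeyInfo (HPKP convention)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def check_pins(chain, pinned) -> bool:
    """The rule from the description: the chain's key set must intersect the pinned set."""
    return bool({spki_fingerprint(c["spki_der"]) for c in chain} & set(pinned))

def build_report(hostname, error_type, chain, user_agent, client_ip, when=None) -> dict:
    """Assemble the fields the bug lists: domain, error type, cert chain, request data."""
    when = when or datetime.now(timezone.utc)
    return {
        "hostname": hostname,
        "errorType": error_type,
        "certChain": [{"subject": c["subject"], "spkiSha256": spki_fingerprint(c["spki_der"])}
                      for c in chain],
        "request": {"userAgent": user_agent, "ip": client_ip, "timestamp": when.isoformat()},
    }

def submit_or_fallback(report, send):
    """Try to send the report; if that fails, hand back the serialised report for manual submission."""
    payload = json.dumps(report, sort_keys=True)
    try:
        send(payload)
        return True, None
    except OSError:  # ConnectionError and friends: endpoint unreachable or blocked
        return False, payload

def blocked_sender(payload):
    """Stand-in for a submission attempt that fails because the endpoint is blocked."""
    raise ConnectionError("report endpoint blocked")

if __name__ == "__main__":
    if not check_pins(SAMPLE_CHAIN, [spki_fingerprint(b"unrelated-key")]):
        report = build_report("example.test", "pin-violation", SAMPLE_CHAIN, "Firefox/30", "203.0.113.5")
        print(submit_or_fallback(report, blocked_sender))
```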
Is there any software to review yet?
Flags: needinfo?(kwilson)
Not yet. Here's the status...

- Ready to work with Metrics Team on using bagheera to collect the error data; e.g. What server/host should the code upload to? How do we get at that information once stored?

- A couple more rounds are needed to finalize the design/implementation of the interaction with the user to choose to send the error report to Mozilla (which will include the URL and the website cert). Should be ready for Nightly soon.

- Changes to Privacy Policy have been ironed out, and will be included in the upcoming update to the privacy policy (February).

- The updated Privacy Policy and the new SSL Error reporting popup will link to a newly created SUMO page (https://support.mozilla.org/kb/secure-website-certificate) that will be undergoing reviews/enhancements over the next month.

- Plan is to roll this out gradually, by starting with one or two SSL errors. Need to identify which errors to start with.

- Would like to get this onto Nightly in February time frame.
Flags: needinfo?(kwilson)
The feature seems to have landed, is there anything left to do here?
Flags: needinfo?(dkeeler)
I don't think so, no.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → FIXED