Closed
Bug 979474
Opened 11 years ago
Closed 11 years ago
Telemetry experiments: Pin the experiment manifest fetch to a particular CA
Categories
(Firefox Health Report Graveyard :: Client: Desktop, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
Firefox 31
People
(Reporter: benjamin, Assigned: benjamin)
References
Details
Attachments
(2 files, 3 obsolete files)
4.75 KB,
patch
|
cturra
:
feedback+
|
Details | Diff | Splinter Review |
2.86 KB,
patch
|
gfritzsche
:
review+
|
Details | Diff | Splinter Review |
By default when fetching the telemetry experiment manifest, we should not only require valid SSL but also pin the manifest fetch to a particular CA the same way we do for AUS and AMO update checks.
Notes:
http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/CertUtils.jsm @see checkCert and http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/nsUpdateService.js#3719
It is not necessary to pin the XPI fetch because we're securing that using a hash (the channel might not even be HTTPS).
Comment 1•11 years ago
|
||
Just as a comment, we probably should allow two or three root certs from different CAs as we do for AUS just so we can fall back if the primary one has some issue.
Assignee | ||
Comment 2•11 years ago
|
||
I'm discussing that with webops. AUS is more important because breaking the pin means people can't update. Breaking this just means that we don't get new experiments until the next update, which is frequent enough for nightly/aurora/beta that I don't think it matters too much.
Comment 3•11 years ago
|
||
Ah, yes, makes sense. Just wanted to ensure we think of this as we had pretty scary moments with AUS when the pinned certs ran thin a while ago - but of course, as long as AUS works we can update to a build with newer pinning (and as long as the add-on hotfix mechanism works, we can even deliver something to installed builds if really required).
Assignee | ||
Updated•11 years ago
|
Assignee: georg.fritzsche → benjamin
Priority: -- → P2
Assignee | ||
Comment 4•11 years ago
|
||
Attachment #8390724 -
Flags: review?(cviecco)
Attachment #8390724 -
Flags: feedback?(cturra)
Assignee | ||
Updated•11 years ago
|
Status: NEW → ASSIGNED
Comment 5•11 years ago
|
||
Comment on attachment 8390724 [details] [diff] [review]
Pin telemetry experiments, rev. 1
Review of attachment 8390724 [details] [diff] [review]:
-----------------------------------------------------------------
The logic is sane. Assuming you don’t care about protecting the outbound information and you are aware for the breakage risk.
::: browser/app/profile/firefox.js
@@ +1413,5 @@
> pref("experiments.enabled", false);
> pref("experiments.manifest.fetchIntervalSeconds", 86400);
> +pref("experiments.manifest.uri", "https://telemetry-experiment.cdn.mozilla.net/manifest/v1/firefox/%VERSION%/%CHANNEL%");
> +pref("experiments.manifest.certs.1.commonName", "*.cdn.mozilla.net");
> +pref("experiments.manifest.certs.1.issuerName", "CN=Cybertrust Public SureServer SV CA,O=Cybertrust Inc");
I am worried about this. Since a pinning failure would only make our experiments data dry up (and not affect any other part of the code) and there is a time requirement I am OK with landing this. If we really need to change this to something else, do you know how hard is to push an update to a pref to our release channel?
::: browser/experiments/Experiments.jsm
@@ +386,5 @@
> deferred.reject(new Error("Experiments - XHR status for " + url + " is " + xhr.status));
> return;
> }
>
> + var certs = null;
let?
@@ +387,5 @@
> return;
> }
>
> + var certs = null;
> + if (gPrefs.get("manifest.cert.checkAttributes", true)) {
use the const you defined above or remove the const
@@ +391,5 @@
> + if (gPrefs.get("manifest.cert.checkAttributes", true)) {
> + certs = CertUtils.readCertPrefs(PREF_BRANCH + "manifest.certs.");
> + }
> + try {
> + var allowNonBuiltin = !gPrefs.get(PREF_BRANCH + "manifest.cert.requireBuiltin", true);
let
@@ +392,5 @@
> + certs = CertUtils.readCertPrefs(PREF_BRANCH + "manifest.certs.");
> + }
> + try {
> + var allowNonBuiltin = !gPrefs.get(PREF_BRANCH + "manifest.cert.requireBuiltin", true);
> + CertUtils.checkCert(xhr.channel, allowNonBuiltin, certs);
Since you are checking for pinning here I think is it important to notice that the url/cookies/outbound headers/ post values/url parameters are not protected by this pinning mechanism.
Attachment #8390724 -
Flags: review?(cviecco) → review+
Comment 6•11 years ago
|
||
How do you plan to test this?
Assignee | ||
Comment 7•11 years ago
|
||
Automated tests for this really rely on bug 466524, so for now I'm doing manual testing and I'll file a followup for better automated testing.
Updated•11 years ago
|
Comment 8•11 years ago
|
||
Rebased, minor fixup from above, rejection reason propagation restored.
bsmedberg, please take a look if you disagree with the propagation.
Attachment #8390724 -
Attachment is obsolete: true
Attachment #8390724 -
Flags: feedback?(cturra)
Comment 9•11 years ago
|
||
(In reply to Georg Fritzsche [:gfritzsche] from comment #8)
> rejection reason propagation restored.
> bsmedberg, please take a look if you disagree with the propagation.
Nevermind that part, wrong bug.
Updated•11 years ago
|
Attachment #8391754 -
Flags: feedback?(cturra)
Comment 10•11 years ago
|
||
Rebased.
Attachment #8391754 -
Attachment is obsolete: true
Attachment #8391754 -
Flags: feedback?(cturra)
Attachment #8392034 -
Flags: feedback?(cturra)
Comment 11•11 years ago
|
||
Attachment #8392035 -
Flags: review?(felipc)
Comment 12•11 years ago
|
||
Comment on attachment 8392035 [details] [diff] [review]
Disable certificate checks for the tests.
Review of attachment 8392035 [details] [diff] [review]:
-----------------------------------------------------------------
r+ with clearing the pref at the end of the tests
Attachment #8392035 -
Flags: review?(felipc) → review+
Comment 13•11 years ago
|
||
Pref cleanup, consolidation in header.js.
Attachment #8392035 -
Attachment is obsolete: true
Attachment #8392186 -
Flags: review+
Comment 14•11 years ago
|
||
Comment 15•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9d5b62a13de0
https://hg.mozilla.org/mozilla-central/rev/887a2b5a7d42
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 31
Comment 16•11 years ago
|
||
Comment on attachment 8392034 [details] [diff] [review]
Pin telemetry experiments, rev. 3
clearing feedback.
Attachment #8392034 -
Flags: feedback?(cturra) → feedback+
Updated•6 years ago
|
Product: Firefox Health Report → Firefox Health Report Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•