Confirmed users
110
edits
Security/Features/TLS Telemetry: Difference between revisions
Jump to navigation
Jump to search
Security/Features/TLS Telemetry (view source)
Revision as of 20:13, 14 December 2011
, 14 December 2011no edit summary
No edit summary |
No edit summary |
||
| Line 19: | Line 19: | ||
We have decided to collect a smaller subset of the data in the initial feature. The study will be updated when more data is exposed through NSS. | We have decided to collect a smaller subset of the data in the initial feature. The study will be updated when more data is exposed through NSS. | ||
|Feature overview=The goal of this telemetry study is to collect SSL/TLS | |Feature overview=The goal of this telemetry study is to collect SSL/TLS errors that Firefox users encounter during browsing. The data can be used to decide whether Firefox should support legacy / less secure protocols such as weak keys or SSLv2 . | ||
|Feature users and use cases=The target users are Firefox users. | |Feature users and use cases=The target users are Firefox users. | ||
'''Use Cases''' | '''Use Cases''' | ||
*Collect cipher suites exchanged during handshake and negotiated cipher | * Collect cipher suites exchanged during handshake and negotiated cipher | ||
*Collect TLS/SSL version | ** Ciphersuites in PSM are ordered in decreasing preference. The SSL/TLS specification says that the client should send their supported ciphersuites in this order. The server then choose the most preferred ciphersuite that it also supports. | ||
*Collect certificate key strength (bits) | ** Collecting this data allows us to make decisions whether to remove certain weaker ciphers from our supported list. | ||
*Collect TLS | * Collect SSL/TLS version | ||
** | ** This is the version of SSL/TLS that ends up being negotiated. This doesn't correspond directly to whether the client has the preference for "Use SSL 3.0" or "Use TLS 1.0" enabled. | ||
** | ** The resulting version may be different due to what the server supports. | ||
* Collect certificate key strength (bits) | |||
** This is the server RSA public key modulus. A larger modulus is preferred | |||
** It would be desirable to disable weak certificates. {{bug|360126}} | |||
* Collect SSL/TLS certificate related errors | |||
* Collect count of TLS intolerant websites | |||
** Some websites do not implement the SSL protocol correctly and there is special handling for those cases. | |||
** In those cases, Firefox tries to reconnect but downgrading from TLS 1.0 to SSL 3.0 | |||
** It may be possible to remove this downgrading if the number of TLS intolerant sites is small enough. | |||
|Feature dependencies=N/A | |Feature dependencies=N/A | ||
|Feature requirements=# Collect type of SSL/TLS error | |Feature requirements=# Collect type of SSL/TLS error | ||
| Line 36: | Line 44: | ||
We will determine the strength of the negotiated channel by collecting: negotiated ciphersuite, SSL/TLS version, server public key bits, whether the server is TLS intolerant. | We will determine the strength of the negotiated channel by collecting: negotiated ciphersuite, SSL/TLS version, server public key bits, whether the server is TLS intolerant. | ||
|Feature ux design=The study uses the default Telemetry UI/UX. The only code changes are to add more probes. Histogram names / descriptions may need to be localized. | |Feature ux design=The study uses the default Telemetry UI/UX. The only code changes are to add more probes. Histogram names / descriptions may need to be localized. | ||
|Feature implementation plan=* Determine best areas of code to insert Telemetry probes | |Feature implementation plan=* Determine best areas of code to insert Telemetry probes | ||