1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Mozilla publishes initial analysis of extensions gaffe

Discussion in 'Article Discussion' started by bit-tech, 10 May 2019.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    2,080
    Likes Received:
    39
    Read more
     
  2. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    13,120
    Likes Received:
    2,149
    If the telemetry system has the facility for two-way traffic, isn't it a potential attack vector?
     
    Fingers66 likes this.
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,153
    Likes Received:
    1,674
    It's not the telemetry system that's two-way - and it's not the telemetry system they used to install the patch.

    Firefox has a thing called "Studies". The Studies system lets Mozilla try out new features or functionality by pushing them out to only a subset of its users - A-B testing. Group A gets the feature, Group B does not. Mozilla can then monitor the telemetry to see if the new functionality is a blessing or a curse.

    Studies doesn't work without telemetry, because Mozilla needs to know how the users are getting on with the feature being studied. That's fine for its intended use, but the problem comes when you try to send out an emergency patch using the Studies system (making 100% of users in Group A, 0% in Group B): anybody who turned telemetry off also turned off Studies at the same time, and the only way they can get the patch is to turn Studies on which also turns on telemetry - even though, in this case, Mozilla doesn't care about the telemetry (and, indeed, is deleting the telemetry it received.)

    Studies is no more an attack vector than anything else in the browser: all studies are published by Mozilla itself and signed with a security certificate (as are add-ons, which can also be updated outside of installing a new version of the browser - and it's that security layer that caused all this trouble to start with.)

    The fix, as Mozilla has explained, is to make sure that there's a means to roll out an emergency hotfix that doesn't rely on abusing the Studies system and thus won't need the privacy-conscious to turn telemetry back on again.
     
    MLyons and David like this.
  4. David

    David RIP Tel

    Joined:
    7 Apr 2009
    Posts:
    13,120
    Likes Received:
    2,149
    Cheers, Gareth, informative as always.
     
  5. Xlog

    Xlog Active Member

    Joined:
    16 Dec 2006
    Posts:
    545
    Likes Received:
    37
    heres a stupid question - why only addons that are newer than ~2018-08 were affected? Did Mozilla switched certs around that time?
     
  6. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    2,874
    Likes Received:
    205
    Pleasingly open, as one would hope.
     
Tags: Add Tags

Share This Page