Closed Bug 1471672 Opened 6 years ago Closed 6 years ago

Rollout a Normandy recipe that turns off (pref'able) TLS 1.3 until Avast rolls out a fix for Bug 1468892

Categories

(NSS :: Libraries, enhancement)


Tracking

VERIFIED FIXED
Tracking Status: firefox61 blocking verified

People

(Reporter: ritu, Assigned: mythmon)

Can we use Normandy to push a TLS 1.3 pref off recipe on Firefox clients that have Avast installed? This is a potential mitigation while we wait for Avast to roll out a fix for Bug 1468892.
Hi Mike, Rob, Ryan, I just filed this bug to explore using Normandy for this critical issue since 61 rollout. Please note if Avast is able to update their clients super fast we may not need to use Normandy. See https://bugzilla.mozilla.org/show_bug.cgi?id=1468892#c40
Flags: needinfo?(ryanvm)
Flags: needinfo?(rhelmer)
Flags: needinfo?(mcooper)
Assignee: nobody → nobody
Component: Normandy Server → Libraries
Product: Firefox → NSS
Version: 61 Branch → trunk
In Windows 8 and above, I believe there should be a telemetry item along the lines of `environment.system.sec.antivirus`. If we can verify that the value of that item correlates well with a user having Avast installed, then we can target it and use Normandy to change the TLS 1.3 pref temporarily.

I don't have a Windows machine with Avast handy to verify the above. I can work on that today, but perhaps someone already has a setup we can test.
Flags: needinfo?(mcooper)
I checked with the SV team in Vegas, but they don't have any machines handy with Avast/AVG. Andrei, can your team provide the info?
Flags: needinfo?(ryanvm) → needinfo?(andrei.vaida)
Flags: needinfo?(rhelmer)
See Also: → 1468892
Hi Philipp, can we get release/SUMO users who are running into this problem (bug 1468892) to share the "security software" section of their about:support? We need to reliably know what strings to look for as an indication of an Avast-enabled Firefox client. Thanks!
Flags: needinfo?(madperson)
it's too late for me today to start reaching out to users. i myself see the following strings in about:support when test running the security software:

Avast:

Security Software
Type 	Name
Antivirus 	Avast Antivirus
Antispyware 	Avast Antivirus
Firewall 	Windows Firewall

===

AVG:

Security Software
Type 	Name
Antivirus 	AVG Antivirus
Antispyware 	AVG Antivirus
Firewall 	Windows Firewall

this doesn't work under windows 7 though, where the whole section isn't present - see the implementation details in bug 1418131
Flags: needinfo?(madperson)
I was able to get a Windows 10 VM running Avast, and confirmed that

a) Changing security.tls.version.max via Normandy fixes the problem.
b) Avast can be targeted by Normandy via Telemetry.

I used the filter expression

    'Avast Antivirus' in normandy.telemetry.main.environment.system.sec.antivirus

Which could be easily modified to work for both Avast and AVG Antivirus, if that's desirable.
Flags: needinfo?(andrei.vaida)
Indeed, Windows 7 doesn't provide the needed information:

	Application Basics
	------------------

	Name: Firefox
	Version: 61.0
	Build ID: 20180621125625
	Update Channel: release
	User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
	OS: Windows_NT 6.1


	Security Software
	-----------------

	Type:

"Raw" version of "Security Software" section:

	"securitySoftware": {
	    "registeredAntiVirus": "",
	    "registeredAntiSpyware": "",
	    "registeredFirewall": ""
	  },
Hi Mike, based on comment 5, we should also look for "AVG Antivirus" in addition to "Avast Antivirus". Ryan can correct me if I am wrong, but we have issues with both of those security software and TLS 1.3. Thanks!
Flags: needinfo?(ryanvm)
Flags: needinfo?(mcooper)
From an email thread with mythmon:
> I've updated my stage recipe to target both users with Avast and users
> with Windows versions <8 (that is, Win7 users). I don't have a Windows 7
> box to test this on, so I'm not 100% sure this approach works. Hopefully
> QA or someone else with Windows 7 can test it.
> 
> The recipe, for QA and others with access to Normandy, is
> https://normandy-admin.stage.mozaws.net/recipe/508/approval_history/
> 
> The data in the API for those without VPN access is
> https://normandy.cdn.mozilla.net/api/v1/recipe/508/

I'm submitting a PI request to cover testing of this recipe. As Ritu noted, we need to make sure it covers both Avast *and* AVG. So basically if Fx61 && (Win7 || Avast || AVG), set security.tls.version.max to 3. Otherwise, do nothing.

We will continue to monitor Avast's rollout of an updated version so that we can turn this recipe off as soon as is feasible.
Flags: needinfo?(ryanvm)
Make that https://normandy.stage.mozaws.net/api/v1/recipe/508/ for the recipe on stage.  It does not include AVG right now as far as I can tell.
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> I checked with the SV team in Vegas, but they don't have any machines handy
> with Avast/AVG. Andrei, can your team provide the info?

We have test machines ready for this.

(In reply to Ryan VanderMeulen [:RyanVM] from comment #9)
> I'm submitting a PI request to cover testing of this recipe. As Ritu noted,
> we need to make sure it covers both Avast *and* AVG. So basically if Fx61 &&
> (Win7 || Avast || AVG), set security.tls.version.max to 3. Otherwise, do
> nothing.
> 
> We will continue to monitor Avast's rollout of an updated version so that we
> can turn this recipe off as soon as is feasible.

Thank you for filing the request, we created a test plan [1] and started testing. We'll post our results here, and on the associated PI email thread as soon as we're done.


[1]  https://public.etherpad-mozilla.org/p/pi-request_bug1471672
As tests using https://normandy.stage.mozaws.net/api/v1/recipe/508/ fail to enroll, I've modified the staging recipe as follows:
Changed 'Avast Antivirus' to "Avast Antivirus" 
Fixed a typo in the second part of the filter "telementry" to "telemetry".

After the above changes, the targeting seems to be good.

One note related to using the telemetry env. matches is that in the case of first run, the telemetry env. instantiates later than Normandy runs, which will mean a mismatch in this particular case. Ofc, after 4h, when Normandy runs again, the telemetry filters will match and the recipe will be executed. This means that first-time users/new profiles on Win7, for example, will have TLS 1.3 for ~4 hrs before the recipe is executed.
Replaced this filter section (which targets windows 7)
(
    normandy.telemetry.main.environment.system.os.name == "Windows_NT"
    && normandy.telemetry.main.environment.system.os.version[0] != "1"
    && normandy.telemetry.main.environment.system.os.version < "8"
)

with:

normandy.telemetry.main.environment.system.os.version == 6.1


and added filter for AVG.
So I *think* the filter we want is

(
     "AVG Antivirus" in normandy.telemetry.main.environment.system.sec.antivirus
  || "Avast Antivirus" in normandy.telemetry.main.environment.system.sec.antivirus
  || (normandy.telemetry.main.environment.system.os.name == "Windows_NT"
      && normandy.telemetry.main.environment.system.os.version == "6.1")
)

i.e. add back the system.os.name check and add quotes around 6.1.
done, currently the filters for staging server recipe for "TLS 1.3 Avast rollback test" are:

(
  "AVG Antivirus" in normandy.telemetry.main.environment.system.sec.antivirus
  || "Avast Antivirus" in normandy.telemetry.main.environment.system.sec.antivirus
  || (
    normandy.telemetry.main.environment.system.os.version == "6.1"
    && normandy.telemetry.main.environment.system.os.name == "Windows_NT"
  )
)


FYI: In my Cu.import tests, both 6.1 and "6.1" return the correct results :)
I've tweaked the filter slightly, and added the recipe on prod in a disabled state. The filter is:

(
  "AVG Antivirus" in normandy.telemetry.main.environment.system.sec.antivirus
  || "Avast Antivirus" in normandy.telemetry.main.environment.system.sec.antivirus
  || (
    normandy.telemetry.main.environment.system.os.name == "Windows_NT" 
    && normandy.telemetry.main.environment.system.os.version == "6.1" 
  )
  || (normandy.isFirstRun || !normandy.telemetry.main.environment)
)

To summarize the above, in Ekr's and my words:

1. If you are upgrading, then we disable TLS 1.3 if you are running Avast.
2. If you are a new install, we disable TLS 1.3 unconditionally and then reenable it in 6 hours if you are not running Avast.
3. If you are on Windows 7, then we disable TLS 1.3 in all cases, since we can't be sure you have Avast or not.

Can we get a formal sign off in this bug from relman? Then we should be ready to go.
Flags: needinfo?(mcooper)
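
The targeting decision of the production filter above, modelled in plain JavaScript and run over constructed client contexts. This is an added example, not the recipe's JEXL and not Normandy code; the function names, the context objects and the modelling of `sec.antivirus` as an array of product names are assumptions. It also runs the earlier staging Windows 7 clause next to the final one, assuming NT versions 6.2 and 6.3 are Windows 8 and 8.1.

```javascript
// Added illustration: plain-JS model of the filter discussed in this bug.
// All sample contexts below are constructed, not real telemetry.
const AFFECTED_AV = ["AVG Antivirus", "Avast Antivirus"];

// Earlier staging clause: string comparisons on os.version.
// The [0] != "1" test is needed because "10.0" < "8" is true for strings.
function win7ClauseStaging(os) {
  return os.name === "Windows_NT" && os.version[0] !== "1" && os.version < "8";
}

// Clause in the final filter: exact match on NT 6.1 (Windows 7).
// Loose == so that 6.1 and "6.1" both match, as reported in the thread.
function win7ClauseFinal(os) {
  return os.name === "Windows_NT" && os.version == "6.1";
}

// Final production filter: true means the recipe applies to this client.
function recipeMatches(normandy) {
  const main = normandy.telemetry && normandy.telemetry.main;
  const env = main ? main.environment : undefined;
  // First run, or telemetry environment not initialised yet: match anyway.
  // Checked first here only so the later property reads cannot throw.
  if (normandy.isFirstRun || !env) return true;
  const av = (env.system.sec && env.system.sec.antivirus) || [];
  return AFFECTED_AV.some((name) => av.includes(name))
    || win7ClauseFinal(env.system.os);
}

// Builds a constructed Windows client context with the paths the filter reads.
function client(version, antivirus, isFirstRun = false) {
  const system = { os: { name: "Windows_NT", version }, sec: { antivirus } };
  return { isFirstRun, telemetry: { main: { environment: { system } } } };
}

const samples = {
  win10Avast: client("10.0", ["Avast Antivirus"]),
  win10OtherAv: client("10.0", ["Windows Defender"]),
  win7NoAvData: client("6.1", []),
  win81OtherAv: client("6.3", ["Windows Defender"]),
  newProfileNoEnv: { isFirstRun: true, telemetry: { main: {} } },
};

for (const [label, ctx] of Object.entries(samples)) {
  console.log(label, "->", recipeMatches(ctx) ? "disable TLS 1.3" : "no change");
}
```

In this model the staging clause also matches version "6.3", while the final `== "6.1"` clause matches Windows 7 only.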
QA has tested this and signed off and the deployment plan in comment 16 looks good to me. Signing off for RelMan.
This recipe is now live on Normandy to 100% of 61, given the above filtering rules. We'll monitor enrollment and the effect via Telemetry over the next few days.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Assignee: nobody → mcooper
Severity: normal → major
Status: RESOLVED → VERIFIED