Closed Bug 1228714 Opened 9 years ago Closed 4 years ago

Devise special enterprise-focused solution for breaking HPKP pins

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
42 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: greg, Unassigned)

Details

(Keywords: sec-want) 

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421
Firefox for Android

Steps to reproduce:

1. Visit a website that was pinned per the HPKP standard on a Dell


Actual results:

1. I was MITM'ed by a random stranger on the Internet who got ahold of the private key that's shipped on many Dells for a malicious CA that's installed on those Dells. My HPKP pins (all of them) became worthless and my life was ruined, possibly resulting in a breach of National Security.


Expected results:

Firefox should have protected me as per the HPKP RFC, which states that only the *USER* (me) should be allowed to override pins.

However someone other than me was able to do it.

This has now happened on 3 occasions, where random entities have been able to compromise users like me and hundreds of thousands of others:

http://blog.okturtles.com/2015/11/dells-tumble-googles-fumble-and-how-government-sabotage-of-internet-security-works/

We are still vulnerable to this day to this attack.

Firefox could have protected us by following the requirements of the HPKP RFC as specified in Section 2.6, that only *users* should be allowed to override the pins.

This can be done by:

- Removing the default of allowing any root CA in the cert store to override the pins.
- Adding a GUI for resetting pins individually

Now, as I also happen to run a business, I understand and sometimes need Firefox to be able to override the pins on my 100 corporate-owned machines so that we can use our DPKI software to monitor all of our employees traffic.

However, I want to do right by my employees (and by myself, my country, and all those other users out there), and not make it so that in solving this one problem I end up destroying the security of the entire world.

So I'm thinking maybe Firefox could create, for this *exceptional circumstance*, and *exceptional feature*, perhaps in the form of CorporateFox as a separate browser or extension that tells my employees that they are being monitored, and is not shipped by default with Firefox.

Thank you Mozilla for helping keeping us safe!
Severity: normal → critical
s/DPKI/DPI. lol. Been typing that acronym too much.
Also, I ACK the fact that Dell did not take the time to mess with Firefox's cert store, but if I recall correctly Lenovo did.

Some have made the specious argument that a compromised host means that it's not worth trying to address this problem, but that isn't true, as in both the case of Dell and Lenovo, the would have been forced to write malware for their computers instead of using an "Officially Approved Backdoor Feature". That could result in lawsuits, a worthless stock, and even potentially jail time for the offenders. So addressing this issue would have a meaningful impact on the net's security, even in the case of a compromised or malicious hardware manufacturer.
Severity: critical → normal
Keywords: sec-want
There's a parallel here with what we're trying to do with add-ons: forcing bad actors to cross a line they are not willing to cross.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Untriaged → Security
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All

Wontfix?

Flags: needinfo?(dkeeler)

wontfix because HPKP is disabled by default but also this was never an issue - we didn't ever process HPKP from sites where the root wasn't a built-in (as in the dell/superfish/etc. situations (which weren't trusted by Firefox anyway)).

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.