Closed
Bug 1365790
Opened 7 years ago
Closed 7 years ago
Make sure HPKP preload expiration date is accurate for 54
Categories
(Core :: Security: PSM, defect, P1)
Tracking
RESOLVED FIXED, mozilla54
People
(Reporter: jcj, Assigned: keeler)
Whiteboard: [psm-assigned]
Attachments (1 file)
59 bytes, text/x-review-board-request (jcj: review+, jcristau: approval-mozilla-beta+)
Confirm and patch security/manager/ssl/StaticHPKPins.h and security/manager/ssl/nsSTSPreloadList.inc in 54 to have sufficient lifetime on the preloaded HPKP and STS pins.
Comment 1 • 7 years ago
Marking this as a blocker for 54 release to make sure we catch it.
status-firefox54: --- → affected
tracking-firefox54: --- → blocking
Updated • 7 years ago (Assignee)
Priority: -- → P2
Whiteboard: [psm-blocked]
Comment 2 • 7 years ago
Hi :jcj, After checking the time, it seems HPKP is July 24. Is it correct? This might need your help to check? We need to extend the lifetime after August 8.
Flags: needinfo?(jjones)
Comment 3 • 7 years ago (Reporter)
Gerry, Yes, we should update mozilla-beta's StaticHPKPins.h and nsSTSPreloadList.inc files to 1506384000000000, which is 2017-09-26, the start of the 56 cycle (giving 1 whole cycle of overlap). Assigning :keeler - we should get this done in the next week.
Assignee: nobody → dkeeler
Comment hidden (mozreview-request)
Updated • 7 years ago (Assignee)
Priority: P2 → P1
Whiteboard: [psm-blocked] → [psm-assigned]
Comment 5 • 7 years ago (Reporter)
mozreview-review
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54 a?gchang
https://reviewboard.mozilla.org/r/143450/#review147218
Verified as 2017-09-26
Attachment #8871939 - Flags: review?(jjones) → review+
Comment 6 • 7 years ago (Assignee)
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54 a?gchang
Approval Request Comment
[Feature/Bug causing the regression]: HSTS/HPKP preloading
[User impact if declined]: users may have out-of-date preloaded security information before they can update to the next version
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: n/a - doesn't need to land in Nightly
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: we've done this a few times before
[String changes made/needed]: none
Attachment #8871939 - Flags: approval-mozilla-beta?
Comment 7 • 7 years ago (Assignee)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> [User impact if declined]: users may have out-of-date preloaded security
> information before they can update to the next version
Er, rather, the preloaded lists may turn themselves off before users update, leaving a window of vulnerability.
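
Added example, not part of the bug thread and not Mozilla's code: a release-time check for the failure mode described in comments 3 and 7, where a preload list expires (and so switches itself off) before users have moved to the next version. The constant names, the sample file lines and the 2017 year for the August 8 deadline are assumptions; only the value 1506384000000000 comes from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the style of the two files named in the bug.
# The constant names are assumptions. The first value is a constructed
# stand-in for the "July 24" expiry from comment 2 (midnight UTC, 2017);
# the second is the value given in comment 3.
SAMPLE_FILES = {
    "StaticHPKPins.h": "static const PRTime kPreloadPKPinsExpirationTime"
                       " = INT64_C(1500854400000000);",
    "nsSTSPreloadList.inc": "const PRTime gPreloadListExpirationTime"
                            " = INT64_C(1506384000000000);",
}

EXPIRY_RE = re.compile(r"PRTime\s+(\w*ExpirationTime)\s*=\s*INT64_C\((\d+)\)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_expiry(text):
    """Return (constant name, expiry as UTC datetime), or None if absent."""
    m = EXPIRY_RE.search(text)
    if m is None:
        return None
    # PRTime counts microseconds since the Unix epoch.
    return m.group(1), EPOCH + timedelta(microseconds=int(m.group(2)))


def check_preload_lifetime(files, must_outlive):
    """Classify each file as 'ok', 'expires-early' or 'missing'.

    must_outlive is the date by which users are expected to have moved to
    the next release; a list that expires on or before it would switch
    itself off while this release is still in use.
    """
    results = {}
    for name, text in files.items():
        parsed = parse_expiry(text)
        if parsed is None:
            results[name] = "missing"  # treat an unparsed file as a failure
        elif parsed[1] <= must_outlive:
            results[name] = "expires-early"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # August 8 from comment 2, assumed here to be in 2017.
    deadline = datetime(2017, 8, 8, tzinfo=timezone.utc)
    for name, status in check_preload_lifetime(SAMPLE_FILES, deadline).items():
        print(f"{name}: {status}")
```
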
Comment 8 • 7 years ago
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54 a?gchang
bump hpkp/hsts preload expiration dates, beta54+
Should be in 54.0b13
Flags: needinfo?(jjones)
Attachment #8871939 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 9 • 7 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/10cfa295a989
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment 10 • 7 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> [Is this code covered by automated tests?]: yes
> [Has the fix been verified in Nightly?]: n/a - doesn't need to land in
> Nightly
> [Needs manual test from QE? If yes, steps to reproduce]: no
Setting qe-verify- based on David's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-