Closed Bug 1365790 Opened 7 years ago Closed 7 years ago

Make sure HPKP preload expiration date is accurate for 54

Categories

(Core :: Security: PSM, defect, P1)

54 Branch

RESOLVED FIXED
mozilla54
Tracking Status
firefox54 blocking fixed

People

(Reporter: jcj, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Confirm and patch security/manager/ssl/StaticHPKPins.h and security/manager/ssl/nsSTSPreloadList.inc in 54 to have sufficient lifetime on the preloaded HPKP and STS pins.
See Also: → 1365791
Marking this as a blocker for 54 release to make sure we catch it.
Priority: -- → P2
Whiteboard: [psm-blocked]
Hi :jcj,
After checking the time, it seems HPKP is July 24. Is it correct? This might need your help to check. We need to extend the lifetime after August 8.
Flags: needinfo?(jjones)
Gerry,

Yes, we should update mozilla-beta's StaticHPKPins.h and nsSTSPreloadList.inc files to 1506384000000000, which is 2017-09-26, the start of the 56 cycle (giving 1 whole cycle of overlap).

Assigning :keeler - we should get this done in the next week.
Assignee: nobody → dkeeler
Priority: P2 → P1
Whiteboard: [psm-blocked] → [psm-assigned]
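
An added example, not part of the bug or its patch: a release-gate check that reads a PRTime expiration constant (microseconds since the Unix epoch), converts it to a UTC date, and flags it when it expires before the date the list has to outlive. The constant name and the "before" value (midnight UTC on July 24) are constructed for illustration, and treating August 8 as the date to outlive is this example's reading of the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# A PRTime constant holds microseconds since the Unix epoch, wrapped in INT64_C().
# The constant's name is captured but not required to match any particular spelling.
PRTIME_RE = re.compile(r"\bPRTime\s+(\w+)\s*=\s*INT64_C\((\d+)\)\s*;")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def preload_expirations(source_text):
    """Map each PRTime constant found in source_text to its expiry as a UTC datetime."""
    return {
        name: EPOCH + timedelta(microseconds=int(micros))
        for name, micros in PRTIME_RE.findall(source_text)
    }


def short_lived(source_text, must_outlive, margin_days=0):
    """Return [(name, 'YYYY-MM-DD')] for constants expiring before must_outlive + margin."""
    expirations = preload_expirations(source_text)
    if not expirations:
        # Fail closed: a gate that finds nothing to check must not report success.
        raise ValueError("no PRTime expiration constant found")
    deadline = must_outlive + timedelta(days=margin_days)
    return sorted(
        (name, expiry.date().isoformat())
        for name, expiry in expirations.items()
        if expiry < deadline
    )


# Constructed inputs, not copied from the tree; the constant name is a placeholder.
BEFORE = "static const PRTime kExampleExpirationTime = INT64_C(1500854400000000);"
AFTER = "static const PRTime kExampleExpirationTime = INT64_C(1506384000000000);"
NEXT_RELEASE = datetime(2017, 8, 8, tzinfo=timezone.utc)  # "August 8" in the thread

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, preload_expirations(text), short_lived(text, NEXT_RELEASE))
```
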
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54  a?gchang

https://reviewboard.mozilla.org/r/143450/#review147218

Verified as 2017-09-26
Attachment #8871939 - Flags: review?(jjones) → review+
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54  a?gchang

Approval Request Comment
[Feature/Bug causing the regression]: HSTS/HPKP preloading
[User impact if declined]: users may have out-of-date preloaded security information before they can update to the next version
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: n/a - doesn't need to land in Nightly
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: we've done this a few times before
[String changes made/needed]: none
Attachment #8871939 - Flags: approval-mozilla-beta?
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> [User impact if declined]: users may have out-of-date preloaded security
> information before they can update to the next version

Er, rather, the preloaded lists may turn themselves off before users update, leaving a window of vulnerability.
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54  a?gchang

bump hpkp/hsts preload expiration dates, beta54+

Should be in 54.0b13
Flags: needinfo?(jjones)
Attachment #8871939 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> [Is this code covered by automated tests?]: yes
> [Has the fix been verified in Nightly?]: n/a - doesn't need to land in
> Nightly
> [Needs manual test from QE? If yes, steps to reproduce]: no

Setting qe-verify- based on David's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-