Closed Bug 1004351 Opened 7 years ago Closed 6 years ago

Enable pinning for twitter

Categories: Core :: Security: PSM, defect
Platform: x86, macOS
Type: defect; Priority: Not set; Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla32
People: Reporter: mmc, Assigned: mmc
References: Blocks 1 open bug
Attachments: 1 file

Chrome does it, so it can be done. To be safe, we need to find the PEM or sha256 that corresponds to "Twitter1" (and anything else that maps to a sha1 fingerprint) in this file, or else fix bug 1004275.

https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=60
No longer depends on: 744204
Blocks: 1004350
No longer depends on: 1004350
Twitter requested that we pin all of *.twitter.com to their full CDN pinset. However, I suggest that we wait on doing this until we promote their subdomains to production mode, then add a pin for *.twitter.com in test mode, due to telemetry restrictions.
Assignee: nobody → mmc
Status: NEW → ASSIGNED
Comment on attachment 8427328 [details] [diff] [review]
Enable production mode for twitter pins (

Review of attachment 8427328 [details] [diff] [review]:
-----------------------------------------------------------------

Chatted with Neil, he said go for it!

::: security/manager/boot/src/StaticHPKPins.h
@@ +961,2 @@
>    { "urchin.com", true, true, false, -1, &kPinset_google_root_pems },
> +  { "w-spotlight.appspot.com", true, true, false, -1, &kPinset_google_root_pems },
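Review bot: the positional fields `true, true, false, -1` in the new w-spotlight.appspot.com entry give no indication of which flag is include-subdomains and which selects test versus production enforcement, so the hunk alone does not let a reviewer confirm that only the twitter entries (the stated purpose of this patch) change enforcement mode; a generated comment naming the fields above the pinset table, or a summary of promoted entries emitted by the generator, would make that verifiable.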

Chrome added a bunch of appspot domains since the last time I ran the generator.
Attachment #8427328 - Flags: review?(dkeeler)
Oh, interesting -- looks like Chrome set the pinsets for these even though they were covered by appspot.com, just to get HSTS.

https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json?r1=270145&r2=272316
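The two points raised in this thread, test mode versus production mode for a pinned host and a host being listed explicitly even though a parent entry with include-subdomains already covers it, are easier to see with a small model of how a static preload list is consulted. The following is an added example and is not Firefox or Chromium code; the entry layout copies the positional fields of the quoted StaticHPKPins.h hunk, but the field names (`include_subdomains`, `test_mode`, `is_moz`, `id`, `pinset`), the pinset names and all SPKI bytes and hosts in the table are constructed for illustration.

```python
# Added example, not Firefox or Chromium code: a small model of how a static
# HPKP preload list like StaticHPKPins.h is consulted. The entry layout follows
# the positional fields in the quoted hunk (host, include-subdomains, test-mode,
# is-moz, id, pinset); the field names are assumptions for illustration.
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def spki_sha256(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the form pins are stored in."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for SPKI DER bytes; a real pinset hashes the actual SPKI.
TWITTER_CDN_SPKI = b"constructed-twitter-cdn-spki"
GOOGLE_ROOT_SPKI = b"constructed-google-root-spki"
ROGUE_SPKI = b"constructed-unrelated-spki"

# Constructed pinsets keyed by name, standing in for kPinset_* tables.
PINSETS = {
    "twitter_cdn": {spki_sha256(TWITTER_CDN_SPKI)},
    "google_root_pems": {spki_sha256(GOOGLE_ROOT_SPKI)},
}


@dataclass(frozen=True)
class PreloadEntry:
    host: str
    include_subdomains: bool
    test_mode: bool   # True: mismatches are only reported (telemetry), not enforced
    is_moz: bool
    id: int
    pinset: str


# Constructed preload table. The two appspot entries mirror the situation in the
# thread: a host listed explicitly although a parent entry already covers it.
STATIC_PINS = [
    PreloadEntry("appspot.com", True, False, False, -1, "google_root_pems"),
    PreloadEntry("w-spotlight.appspot.com", True, False, False, -1, "google_root_pems"),
    PreloadEntry("twitter.com", False, False, False, -1, "twitter_cdn"),
    PreloadEntry("api.twitter.com", True, True, False, -1, "twitter_cdn"),
]


def lookup(host: str) -> Optional[PreloadEntry]:
    """Exact host match first, then each parent domain that opted into subdomains."""
    labels = host.lower().rstrip(".").split(".")
    by_host = {e.host: e for e in STATIC_PINS}
    for i in range(len(labels)):
        entry = by_host.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry.include_subdomains):
            return entry
    return None


def evaluate(host: str, chain_spkis: List[bytes]) -> str:
    """Classify a served chain: 'no-pin', 'pass', 'report' (test mode) or 'fail'."""
    entry = lookup(host)
    if entry is None:
        return "no-pin"
    served = {spki_sha256(spki) for spki in chain_spkis}
    if PINSETS[entry.pinset] & served:   # any pinned key anywhere in the chain
        return "pass"
    return "report" if entry.test_mode else "fail"


if __name__ == "__main__":
    for h, chain in [("twitter.com", [TWITTER_CDN_SPKI]),
                     ("twitter.com", [ROGUE_SPKI]),
                     ("cdn.twitter.com", [ROGUE_SPKI]),
                     ("upload.api.twitter.com", [ROGUE_SPKI]),
                     ("foo.w-spotlight.appspot.com", [ROGUE_SPKI])]:
        print(f"{h:32} {evaluate(h, chain)}")
```

Two things fall out of the model. A host in test mode reports a mismatch instead of failing the connection, which is why a wildcard-style entry for *.twitter.com is safer to land in test mode first and promote once telemetry shows the pinset is complete. And a lookup for foo.w-spotlight.appspot.com matches the explicit w-spotlight.appspot.com entry before it ever reaches appspot.com, so the explicit entry is redundant for pinning purposes; it only changes anything if the preload list also carries per-entry data such as HSTS, which is the reason given above for Chrome listing it.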
Comment on attachment 8427328 [details] [diff] [review]
Enable production mode for twitter pins (

Review of attachment 8427328 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good. I was debating whether or not it would be a good idea to add the new domains in one patch and then re-run with twitter's domains promoted to production, but I think this is fine (feel free to do that, though).
Attachment #8427328 - Flags: review?(dkeeler) → review+
I couldn't figure out a clean way to do that, since the generator downloads the chrome file every time, and I am not good at splitting patches by hand.

https://hg.mozilla.org/integration/mozilla-inbound/rev/6fd44e86c35f
https://hg.mozilla.org/mozilla-central/rev/6fd44e86c35f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32