Bug 1004351 - Enable pinning for twitter
Status: Closed, RESOLVED FIXED
Opened 10 years ago; Closed 10 years ago
Categories: Core :: Security: PSM, defect
Target Milestone: mozilla32
People: Reporter: mmc, Assigned: mmc
References: Blocks 1 open bug
Attachments (1 file): patch, 9.52 KB, keeler: review+
Chrome does it, so it can be done. To be safe, we need to find the PEM or sha256 that corresponds to "Twitter1" (and anything else that maps to a sha1 fingerprint) in this file, or else fix bug 1004275. https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=60
Comment 1•10 years ago
Twitter requested that we pin all of *.twitter.com to their full CDN pinset. However, I suggest that we wait on doing this until we promote their subdomains to production mode, then add a pin for *.twitter.com in test mode, due to telemetry restrictions.
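Added example, not Firefox's, Chrome's or Twitter's code, covering the two points raised in the description and in this comment: a sha256 pin can only be derived from the DER SubjectPublicKeyInfo itself (which is why an entry that Chrome's file lists by sha1 fingerprint needs the PEM), and a test-mode pin entry only reports a mismatch rather than enforcing it. The DER helpers, key values, pinset name and the simplified (host, includeSubdomains, testMode, pinset) entry layout are constructed assumptions and not the real StaticHPKPins.h format.

```python
import base64
import hashlib

# Minimal DER helpers (assumed, not Firefox's code) so an SPKI can be built offline.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body
def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def rsa_spki_der(modulus, exponent):
    # SubjectPublicKeyInfo { AlgorithmIdentifier(rsaEncryption, NULL), BIT STRING(RSAPublicKey) }
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
    algorithm = _der_tlv(0x30, rsa_oid + b"\x05\x00")
    rsa_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    return _der_tlv(0x30, algorithm + _der_tlv(0x03, b"\x00" + rsa_key))

def spki_pin(spki, algo="sha256"):
    # A pin is the base64 digest of the DER SPKI ("sha1/..." or "sha256/..." in Chrome's JSON).
    return base64.b64encode(hashlib.new(algo, spki).digest()).decode()

# Constructed keys (not real certificates) standing in for a CDN pinset.
KEY_A = rsa_spki_der((1 << 2047) | 12345, 65537)
KEY_B = rsa_spki_der((1 << 2047) | 67891, 65537)
PINSETS = {"cdn_pins": {spki_pin(KEY_A)}}
# Simplified entry shape: (host, includeSubdomains, testMode, pinset name).
ENTRIES = [("twitter.com", True, True, "cdn_pins"),
           ("api.twitter.com", False, False, "cdn_pins")]

def find_entry(host, entries):
    # Most specific host wins; a parent entry applies only when includeSubdomains is set.
    by_host = {e[0]: e for e in entries}
    labels = host.split(".")
    for i in range(len(labels)):
        entry = by_host.get(".".join(labels[i:]))
        if entry and (i == 0 or entry[1]):
            return entry
    return None

def evaluate(host, chain_spkis, entries=ENTRIES, pinsets=PINSETS):
    # Test-mode entries only record the mismatch (telemetry); they do not block the connection.
    entry = find_entry(host, entries)
    if entry is None:
        return "unpinned"
    if {spki_pin(s) for s in chain_spkis} & pinsets[entry[3]]:
        return "pass"
    return "report-only" if entry[2] else "fail"
```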
Comment 2•10 years ago
Updated•10 years ago
Assignee: nobody → mmc
Status: NEW → ASSIGNED
Comment 3•10 years ago
Comment on attachment 8427328 [details] [diff] [review] Enable production mode for twitter pins ( Review of attachment 8427328 [details] [diff] [review]: ----------------------------------------------------------------- Chatted with Neil, he said go for it! ::: security/manager/boot/src/StaticHPKPins.h @@ +961,2 @@ > { "urchin.com", true, true, false, -1, &kPinset_google_root_pems }, > + { "w-spotlight.appspot.com", true, true, false, -1, &kPinset_google_root_pems }, Chrome added a bunch of appspot domains since the last time I ran the generator.
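Review bot: the added `w-spotlight.appspot.com` row in this hunk carries the same flags and `&kPinset_google_root_pems` pinset as the neighbouring entries, so a reader of StaticHPKPins.h cannot tell why a host already covered by the `appspot.com` entry (as comment 4 notes) gets its own row; a short note in the generator output or the commit message saying that these subdomain rows are carried over verbatim from Chrome's list would document that. The row itself is fine as generated.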
Attachment #8427328 - Flags: review?(dkeeler)
Comment 4•10 years ago
Oh, interesting -- looks like Chrome set the pinsets for these even though they were covered by appspot.com, just to get HSTS. https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json?r1=270145&r2=272316
Comment on attachment 8427328: Enable production mode for twitter pins (Review of attachment 8427328):
Looks good. I was debating whether or not it would be a good idea to add the new domains in one patch and then re-run with twitter's domains promoted to production, but I think this is fine (feel free to do that, though).
Attachment #8427328 - Flags: review?(dkeeler) → review+
Comment 6•10 years ago
I couldn't figure out a clean way to do that, since the generator downloads the chrome file every time, and I am not good at splitting patches by hand. https://hg.mozilla.org/integration/mozilla-inbound/rev/6fd44e86c35f
Comment 7•10 years ago
https://hg.mozilla.org/mozilla-central/rev/6fd44e86c35f
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32