Closed
Bug 1004781
Opened 10 years ago
Closed 9 years ago
enable pinning for facebook
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
mozilla37
People
(Reporter: mmc, Assigned: mmc)
References
(Blocks 1 open bug)
Details
Attachments
(2 files, 9 obsolete files)
1.11 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
10.83 KB,
patch
|
keeler
:
feedback+
|
Details | Diff | Splinter Review |
Facebook is not in Chrome's pinset. However, from looking through the CT database, they use 44 certs. That's pretty good. We should keep an eye on them over time to see if the cert set changes, as well as make contact to see if they're willing to coordinate.
Comment 1•10 years ago
|
||
Why would we ever want to pin something without explicit consent from a site? That seems like a massive problem just waiting to happen.
Assignee | ||
Comment 2•10 years ago
|
||
(In reply to Reed Loden [:reed] from comment #1) > Why would we ever want to pin something without explicit consent from a > site? That seems like a massive problem just waiting to happen. We don't, due to coordination issues. They're an obvious candidate due to high volume, though, and responded positively to our request. From Scott: *.facebook.com should be pinned to DigiCert EV Root (Subject Key Identifier B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3) and the Verisign Class 3 G3 root (no SKI, but serial number 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57).
Assignee | ||
Comment 3•10 years ago
|
||
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → mmc
Status: NEW → ASSIGNED
Assignee | ||
Comment 4•10 years ago
|
||
Comment on attachment 8480144 [details] [diff] [review] Enable pinning in test mode for facebook ( Review of attachment 8480144 [details] [diff] [review]: ----------------------------------------------------------------- David's out today, let's try to get this merged into m-c before the script generation on Saturday to avoid conflicts.
Attachment #8480144 -
Flags: review?(rlb)
Attachment #8480144 -
Flags: review?(cviecco)
Comment 5•10 years ago
|
||
Comment on attachment 8480144 [details] [diff] [review] Enable pinning in test mode for facebook ( Review of attachment 8480144 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me. I assume you have tried browsing basic fb pages?
Attachment #8480144 -
Flags: review?(cviecco) → review+
Assignee | ||
Comment 6•10 years ago
|
||
(In reply to Camilo Viecco (:cviecco) from comment #5) > Comment on attachment 8480144 [details] [diff] [review] > Enable pinning in test mode for facebook ( > > Review of attachment 8480144 [details] [diff] [review]: > ----------------------------------------------------------------- > > Looks good to me. I assume you have tried browsing basic fb pages? That wouldn't do anything, since we're in test mode.
Assignee | ||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/27305d251dd6
Assignee | ||
Updated•10 years ago
|
Attachment #8480144 -
Flags: review?(rlb)
Assignee | ||
Updated•10 years ago
|
Keywords: leave-open
Comment 8•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/27305d251dd6
This doesn't seem like too much of a hack. We could even add Google's missing certs, if we wanted.
Attachment #8485223 -
Flags: review?(mmc)
Assignee | ||
Comment 10•10 years ago
|
||
Comment on attachment 8485223 [details] [diff] [review] follow-up to add DigiCert ECC Secure Server CA Review of attachment 8485223 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8485223 -
Flags: review?(mmc) → review+
Assignee | ||
Comment 11•10 years ago
|
||
Btw, buildbot touches these 3am Saturday so you either need to make sure it merges to m-c before then or wait until after that to checkin.
Assignee | ||
Comment 14•10 years ago
|
||
Comment on attachment 8480144 [details] [diff] [review] Enable pinning in test mode for facebook ( This is a similar approval request to https://bugzilla.mozilla.org/show_bug.cgi?id=1030135#c21, except I'd like to target FF 34. Approval Request Comment [Feature/regressing bug #]: None. [User impact if declined]: Facebook won't be pinned until Firefox 35. [Describe test coverage new/current, TBPL]: Telemetry dashboard at people.mozilla.org/~mchew/pinning_dashboard. [Risks and why]: This is a telemetry change at this point. [String/UUID change made/needed]: None.
Attachment #8480144 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 15•10 years ago
|
||
Comment on attachment 8485223 [details] [diff] [review] follow-up to add DigiCert ECC Secure Server CA Approval Request Comment See comment 14.
Attachment #8485223 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•10 years ago
|
Attachment #8485223 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 16•10 years ago
|
||
Assignee | ||
Comment 17•10 years ago
|
||
Comment on attachment 8487414 [details] [diff] [review] Aurora-specific patch to enable pinning in test mode for facebook ( Review of attachment 8487414 [details] [diff] [review]: ----------------------------------------------------------------- See comment 14.
Attachment #8487414 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
Attachment #8480144 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•10 years ago
|
Attachment #8487414 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Updated•10 years ago
|
Attachment #8480144 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 18•10 years ago
|
||
I misattributed this patch to a=lmandel instead of bhavana. Sorry! https://hg.mozilla.org/releases/mozilla-aurora/rev/6f5c35805e16
Assignee | ||
Comment 19•10 years ago
|
||
Assignee | ||
Updated•10 years ago
|
Attachment #8480144 -
Attachment is obsolete: true
Assignee | ||
Comment 20•10 years ago
|
||
Comment on attachment 8513899 [details] [diff] [review] Remove our pinset for facebook since it's in chromium now ( Review of attachment 8513899 [details] [diff] [review]: ----------------------------------------------------------------- https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json + ctrl-f "facebook"
Attachment #8513899 -
Flags: review?(dkeeler)
Comment on attachment 8513899 [details] [diff] [review] Remove our pinset for facebook since it's in chromium now ( Review of attachment 8513899 [details] [diff] [review]: ----------------------------------------------------------------- LGTM. Have you confirmed that the pinning information generation script successfully finds all the certificates it needs to with this change?
Attachment #8513899 -
Flags: review?(dkeeler) → review+
Assignee | ||
Comment 22•10 years ago
|
||
Yep, this is the output of manually re-running the generator script.
Assignee | ||
Updated•10 years ago
|
Attachment #8485223 -
Attachment is obsolete: true
Assignee | ||
Updated•10 years ago
|
Attachment #8487414 -
Attachment is obsolete: true
Assignee | ||
Comment 23•10 years ago
|
||
Assignee | ||
Comment 24•10 years ago
|
||
Assignee | ||
Comment 25•10 years ago
|
||
Assignee | ||
Updated•10 years ago
|
Attachment #8514668 -
Attachment is obsolete: true
Assignee | ||
Updated•10 years ago
|
Attachment #8514655 -
Attachment is obsolete: true
Assignee | ||
Comment 26•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/90f7e5edc367
Comment 27•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cef5aaa2c0da https://hg.mozilla.org/mozilla-central/rev/90f7e5edc367
Comment 28•10 years ago
|
||
Comment on attachment 8514670 [details] [diff] [review] Actually remove the pinset ( Review of attachment 8514670 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/manager/tools/PreloadedHPKPins.json @@ +230,4 @@ > ], > > "extra_certificates": [ > // DigiCert ECC Secure Server CA (for Facebook) Should this be removed as well, or is it still needed, even though that cert could be pulled from the Chromium list now?
Assignee | ||
Comment 29•10 years ago
|
||
Assignee | ||
Comment 30•10 years ago
|
||
Comment on attachment 8516821 [details] [diff] [review] Remove unnecessary cert for facebook ( Review of attachment 8516821 [details] [diff] [review]: ----------------------------------------------------------------- Thanks, Reed. We don't need that entry since we're also pulling certs from chromium. The only difference is that since it's not a root cert, it will be called kGOOGLE_PIN_DigiCertECCSecureServerCAFingerprint instead of kDigiCert_ECC_Secure_Server_CAFingerprint in the output file.
Attachment #8516821 -
Flags: review?(dkeeler)
Updated•10 years ago
|
Attachment #8516821 -
Flags: review?(dkeeler) → review+
Assignee | ||
Comment 31•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9c8ca05b975a
Assignee | ||
Comment 33•10 years ago
|
||
Metrics look good.
Attachment #8513899 -
Attachment is obsolete: true
Attachment #8514669 -
Attachment is obsolete: true
Attachment #8514670 -
Attachment is obsolete: true
Attachment #8516821 -
Attachment is obsolete: true
Attachment #8535082 -
Flags: review?(dkeeler)
Assignee | ||
Comment 34•10 years ago
|
||
Output, not for checkin.
Attachment #8535083 -
Flags: review?(dkeeler)
Comment on attachment 8535082 [details] [diff] [review] facebook Review of attachment 8535082 [details] [diff] [review]: ----------------------------------------------------------------- Great!
Attachment #8535082 -
Flags: review?(dkeeler) → review+
Comment on attachment 8535083 [details] [diff] [review] output Review of attachment 8535083 [details] [diff] [review]: ----------------------------------------------------------------- This looks right. I'll just give feedback+ since this isn't for check-in.
Attachment #8535083 -
Flags: review?(dkeeler) → feedback+
Assignee | ||
Comment 37•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ced6676b1d6c
Assignee | ||
Comment 39•9 years ago
|
||
I should have marked this bug fixed when we switched to production mode. We're enforcing Chrome's pins for facebook as of FF 37.
Assignee | ||
Updated•9 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Keywords: leave-open
Target Milestone: --- → mozilla37
You need to log in
before you can comment on or make changes to this bug.
Description
•