Closed Bug 1006107 Opened 10 years ago Closed 10 years ago

Set enforcement level for pinning to zero and setup pinning for *.addons.mozilla.org

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED FIXED
mozilla32

People

(Reporter: cviecco, Assigned: cviecco)

Attachments

(1 file, 1 obsolete file)

After today's meeting we agreed on:
1. Make the pinning pref not hidden.
2. Change the default from 1 (enable mitm) to 0 (pinning disabled).
3. Put the addons site pins back on (and use mozilla_cdn as the pinning info).
Attachment #8417600 - Flags: review?(dkeeler)
Assignee: nobody → cviecco
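
How the settings in this plan interact at connection time, as an added example that is not code from the bug or from Firefox: a preload entry for addons.mozilla.org that covers its subdomains, checked under each enforcement level. The field names, the placeholder hashes and level 2 (strict) are assumptions; levels 0 and 1 are as described above.

```javascript
// Added illustration. Data is constructed; hash strings are placeholders, and the
// field names "spki_hashes", "include_subdomains" and "pins" are assumed.
const PRELOAD = {
  pinsets: [
    { name: "mozilla_cdn", spki_hashes: ["PIN_GEOTRUST", "PIN_DIGICERT", "PIN_THAWTE"] },
  ],
  entries: [
    { name: "addons.mozilla.org", include_subdomains: true, pins: "mozilla_cdn" },
  ],
};

// 0 and 1 are the levels named in this bug; 2 (strict) is assumed from Firefox's pref.
const DISABLED = 0, ALLOW_USER_MITM = 1, STRICT = 2;

// Exact host first, then parent domains, which only count if they opt in to
// subdomains. Matching is per label, so "notaddons.mozilla.org" is not covered.
function findEntry(host, preload) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = preload.entries.find((e) => e.name === candidate);
    if (entry && (i === 0 || entry.include_subdomains)) return entry;
  }
  return null;
}

// chainPins: key hashes of the validated chain, leaf to root.
// rootIsBuiltIn: false when the chain ends in a root the user or admin installed.
function pinCheck(host, chainPins, rootIsBuiltIn, level, preload = PRELOAD) {
  if (level === DISABLED) return { ok: true, reason: "pinning disabled" };
  const entry = findEntry(host, preload);
  if (!entry) return { ok: true, reason: "host not pinned" };
  if (level === ALLOW_USER_MITM && !rootIsBuiltIn) {
    return { ok: true, reason: "user-installed root, pins not enforced" };
  }
  const pinset = preload.pinsets.find((p) => p.name === entry.pins);
  if (!pinset) return { ok: false, reason: "entry names an unknown pinset" };
  const hit = chainPins.some((pin) => pinset.spki_hashes.includes(pin));
  return { ok: hit, reason: hit ? "pin matched" : "no pinned key in chain" };
}

// The same unpinned chain on a CDN subdomain, under each level.
const host = "static.cdn.addons.mozilla.org";
for (const level of [DISABLED, ALLOW_USER_MITM, STRICT]) {
  console.log(level, pinCheck(host, ["PIN_OTHER"], false, level).reason);
}
```
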
Comment on attachment 8417600
set-addons-pinn-and-pref-to-disabled

Review of attachment 8417600:
-----------------------------------------------------------------

Great - r=me with comments addressed.

::: security/manager/tools/PreloadedHPKPins.json
@@ +25,5 @@
>  // equifax -> aus3
>  // Geotrust Primary -> www.mozilla.org
>  // Geotrust Global -> *. addons.mozilla.org
>  
> +// From bug 772756, mozilla uses GeoTrust, Digicert and Thawte
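
Review bot: the added comment on the last line names GeoTrust, Digicert and Thawte, but the mapping comments directly above it list only equifax and two Geotrust roots, so a reader cannot tell which hosts the Digicert and Thawte pins are meant for. Extend the list in the same "CA -> host" form, and while touching this block fix the stray space in "*. addons.mozilla.org" and settle on one spelling of Geotrust/GeoTrust.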

Put this documentation next to the declaration of the pinset itself.

@@ +30,5 @@
>  // geotrust ca info: http://www.geotrust.com/resources/root-certificates/index.html
>  {
>    "pinsets": [
>      {
>        "name": "mozilla",

If we're not using this pinset, let's remove it. In fact, let's remove this pinset and call the other one "mozilla".

@@ +93,5 @@
>      }
>    ],
>  
>    "entries": [
> +    // from bug 1005653 we learned that addon subdomains include cdn sites
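
Review bot: the comment added at the top of "entries" cites bug 1005653 but does not say which entry it applies to or what it requires of that entry. Place it directly above the entry it justifies and state the consequence for that entry, so the reason stays attached if the list is reordered or extended.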

I'm not sure this comment is helpful in the long run.
Attachment #8417600 - Flags: review?(dkeeler) → review+
Keeping r+ from keeler
Attachment #8417600 - Attachment is obsolete: true
Attachment #8417643 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/6e1d2f5b54e3
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Summary: Set enforcement level for pining to zero and setup pinning for *.addons.mozilla.org → Set enforcement level for pinning to zero and setup pinning for *.addons.mozilla.org