GMPInstallManager.jsm shouldn't be using manually pinned certs

NEW
Firefox
General
3 years ago
a year ago

People

(Reporter: Unfocused, Assigned: rhelmer)

Tracking

30 Branch
Points: 2
Bug Flags: firefox-backlog+
Firefox Tracking Flags: (Not tracked)

We have a fancy new cert pinning mechanism: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

GMPInstallManager.jsm shouldn't be checking against manually pinned certs specified in prefs anymore.
Depends on: 1009816, 1005430
No longer depends on: 948160
Points: --- → 2
Flags: firefox-backlog+

Comment 1

3 years ago
Is the new cert-pinning system already fatal, or is it still in warning/advisory mode? We would need a proper fatal pin for aus4.mozilla.org, and per bug 1052374 we may not want to fatally pin app updates ever, certainly not yet.
Flags: needinfo?(mmc)
Hi folks,

Pinning is in test mode (not fatal) for aus4 currently. After talking to Robert Strong we decided to delay pinning any updaters. The message from him was that origin checks were sufficiently strong by delivering signed MAR files (not yet available on all platforms) and that additional pinning checks may cause more hassle than they were worth. Some people felt that pinning checks provided additional benefit in cases where an attacker could suppress or fake empty update responses. However that's an incremental benefit at best over "you know who you are talking to".

It might be worth revisiting this decision now that we are in 34 (we had that conversation in 32). You can see from http://people.mozilla.org/~mchew/pinning_dashboard/ how well aus4 is doing (between 1-3 in 10K failures in Nightly, significantly more in Aurora for some reason -- and I need to update the dashboard for Beta). However we are enforcing fatal pins starting in 34 for accounts.firefox.com which has similarly high violation rates and have had no complaints thus far.

Thanks,
Monica
Flags: needinfo?(mmc)
Hey Robert,

Maybe it's time to revisit the decision not to pin the updater. I still agree with you that the reduction on the attack surface is minimal considering that MARs are signed. However, if the alternative is that people roll their own (http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/GMPInstallManager.jsm#520) then surely turning on proper pinning is better. There are around 1-3 failures/10K in Nightly. What do you think?

Thanks,
Monica
Flags: needinfo?(robert.strong.bugs)
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #3)
> Hey Robert,
> 
> Maybe it's time to revisit the decision not to pin the updater. I still
> agree with you that the reduction on the attack surface is minimal
> considering that MARs are signed. However, if the alternative is that people
> roll their own
> (http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/GMPInstallManager.jsm#520)
> then surely turning on proper pinning is better.
> There are around 1-3 failures/10K in Nightly. What do you think?
> 
> Thanks,
> Monica
Hi Monica,

I am fairly certain that I brought this up during the review or discussions for the GMP code and due to the timeframe that this needed to be done in it was decided to come back around and do this for GMP. As for app update, the plan as you and I discussed should still be the path forward.

Brian, did you file a bug for using pinned certs for GMP?

Thanks,
Robert
Flags: needinfo?(robert.strong.bugs) → needinfo?(netzen)
Meh... this is the bug for that :)
Flags: needinfo?(netzen)
Depends on: 1063111
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #5)
> Meh... this is the bug for that :)

Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1063111 anyway :)
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #6)
> (In reply to Robert Strong [:rstrong] (use needinfo to contact me) from
> comment #5)
> > Meh... this is the bug for that :)
> 
> Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1063111 anyway :)

Sorry, I think I misunderstood what you meant. That bug will be a wontfix and we won't be taking comment 0's approach.
What approach should this bug take then?

Comment 9

3 years ago
We can either use a separate host for this and pin it separately from aus4.mozilla.org, or we can sign the update manifest as content instead of relying on SSL.
rhelmer, this is related to what we discussed over IRC today.
Assignee: nobody → rhelmer
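
Comment 9's second option, signing the update manifest as content instead of relying on SSL, sketched as an added Node.js example (not code from GMPInstallManager.jsm or any Mozilla project). The Ed25519 key, the manifest fields `issued` and `addons`, and the 24-hour freshness window are assumptions for illustration; the freshness check goes beyond the thread and covers the faked or replayed empty response raised earlier in it.

```javascript
// Added example: content-signed update manifest, verified against a key shipped with the client.
// Loads node:crypto in either CommonJS or ES module context.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// Constructed stand-in for an offline signing key; a real client ships only the public half.
const { publicKey: PINNED_KEY, privateKey: signingKey } = crypto.generateKeyPairSync('ed25519');
const MAX_AGE_MS = 24 * 60 * 60 * 1000; // assumed freshness window

// Publisher side: sign the exact bytes that will be served.
function signManifest(manifest, key) {
  const body = Buffer.from(JSON.stringify(manifest));
  return { body, sig: crypto.sign(null, body, key) };
}

// Client side: verify the signature over the raw bytes before parsing, then check freshness.
// The TLS channel is treated as untrusted transport here.
function checkManifest({ body, sig }, pubKey, now) {
  if (!crypto.verify(null, body, pubKey, sig)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const manifest = JSON.parse(body.toString('utf8'));
  const age = now - Date.parse(manifest.issued);
  if (!(age >= 0 && age <= MAX_AGE_MS)) {
    return { ok: false, reason: 'not-fresh' }; // replayed, future-dated or undated manifest
  }
  return { ok: true, addons: manifest.addons };
}

// Constructed sample data.
const NOW = Date.parse('2014-09-10T00:00:00Z');
const genuine = signManifest(
  { issued: '2014-09-09T12:00:00Z', addons: [{ id: 'gmp-example', version: '1.1' }] },
  signingKey);

// An empty "no updates" body substituted in transit, reusing the genuine signature.
const forgedEmpty = {
  body: Buffer.from(JSON.stringify({ issued: '2014-09-09T12:00:00Z', addons: [] })),
  sig: genuine.sig,
};

// A genuinely signed but old empty manifest, served again later.
const replayedEmpty = signManifest({ issued: '2014-08-01T00:00:00Z', addons: [] }, signingKey);

console.log(checkManifest(genuine, PINNED_KEY, NOW));
console.log(checkManifest(forgedEmpty, PINNED_KEY, NOW));
console.log(checkManifest(replayedEmpty, PINNED_KEY, NOW));
```

A signature alone rejects the forged empty manifest but not the replayed one, which is why the signed body carries its own timestamp. Neither check detects a response that is suppressed outright.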