Closed Bug 1074091 Opened 10 years ago Closed 8 years ago

enable pinning for call.mozilla.com

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: freddy, Unassigned)

Details

call.mozilla.com is the server for Loop/Hello.
call.mozilla.com doesn't appear to exist any more. Do we still want to pin the loop/hello server(s)? If so, what are they and what should we put in the pinset?
Flags: needinfo?(fbraun)
That would be hello.mozilla.com, apparently.
Lots of things changed since I've last been there.
Let's reach out to the leads of Hello, to get their input
Flags: needinfo?(standard8)
Flags: needinfo?(ianb)
Flags: needinfo?(fbraun)
I think this would be done at the ops level.  JP or Phrawzty: thoughts?
Flags: needinfo?(standard8)
Flags: needinfo?(jschneider)
Flags: needinfo?(ianb)
Flags: needinfo?(dmaher)
The main question is: Do you still want this? We can implement key-pinning to be preloaded in Firefox.
As far as I know, Hello uses these two domains:
- hello.firefox.com
- loop.services.mozilla.com

loop.s.m.c is already protected by the pinning in place for s.m.c [1]. We only need to add hello.firefox.com to this list:
    { "name": "hello.firefox.com",
      "include_subdomains": true,
      "pins": "mozilla_services",
      "test_mode": false,
      "id": 6
    }

I believe that one is for you, keeler.

One question for Ian: do you know which domain TokBox uses for their URLs? The preloaded CSP contains tokbox.com and opentox.com. I just want to make sure we don't accidentally pin them to a CA they don't use.

[1] https://mxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#201
Flags: needinfo?(jschneider)
Flags: needinfo?(ianb)
Flags: needinfo?(dmaher)
Flags: needinfo?(dkeeler)
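The two claims in comment 5 (that loop.services.mozilla.com is already covered by the services.mozilla.com entry, and that hello.firefox.com needs its own entry) follow from how a preload list is looked up: exact name first, then parent domains, and a parent only applies when its entry sets include_subdomains. The script below is an added example, not code from this bug or from mozilla-central. It assumes the JSON shape the comment describes for PreloadedHPKPins.json (a "pinsets" list and an "entries" list); the sample file, the placeholder hashes, the "exactonly.example" entry and the lookup rule are constructed here for illustration. It reports which pinset (if any) governs a host before and after the proposed entry is added, and runs the sanity checks a reviewer would want on the patched list (every entry references a pinset that exists, ids are unique).

```python
"""Lookup and sanity checks over a preloaded HPKP pin list.

Added example, not code from the bug or from mozilla-central. The JSON shape
(a "pinsets" list and an "entries" list) mirrors what comment 5 describes for
PreloadedHPKPins.json; the hashes below are placeholders, not real key pins.
"""
import json

# Constructed sample: the services.mozilla.com entry that already covers
# loop.services.mozilla.com, plus an exact-match-only entry for contrast.
SAMPLE_PRELOAD = json.loads("""
{
  "pinsets": [
    { "name": "mozilla_services",
      "sha256_hashes": ["PLACEHOLDER_HASH_A=", "PLACEHOLDER_HASH_B="] },
    { "name": "mozilla_test",
      "sha256_hashes": ["PLACEHOLDER_HASH_T="] }
  ],
  "entries": [
    { "name": "services.mozilla.com",
      "include_subdomains": true,
      "pins": "mozilla_services",
      "test_mode": false,
      "id": 1 },
    { "name": "exactonly.example",
      "include_subdomains": false,
      "pins": "mozilla_services",
      "test_mode": false,
      "id": 2 }
  ]
}
""")

# The entry proposed in comment 5 for hello.firefox.com.
HELLO_ENTRY = {
    "name": "hello.firefox.com",
    "include_subdomains": True,
    "pins": "mozilla_services",
    "test_mode": False,
    "id": 6,
}


def find_entry(entries, host):
    """Return the preload entry governing `host`, or None.

    Assumed lookup rule: an exact name match always applies; a parent domain
    applies only when its entry sets include_subdomains. Matching is done on
    whole DNS labels, so "services.mozilla.com.other.example" is not covered.
    """
    host = host.rstrip(".").lower()
    by_name = {e["name"].lower(): e for e in entries}
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = by_name.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return entry
    return None


def pinset_for(preload, host):
    """Name of the pinset enforced for `host`, or None if it is unpinned.

    Entries in test_mode only report violations, so they count as unpinned.
    """
    entry = find_entry(preload["entries"], host)
    if entry is None or entry.get("test_mode", False):
        return None
    return entry["pins"]


def check_preload(preload):
    """Problems a reviewer would reject the patch for (empty list if clean)."""
    problems = []
    known = {p["name"] for p in preload["pinsets"]}
    seen_ids = set()
    for e in preload["entries"]:
        if e["pins"] not in known:
            problems.append(f'{e["name"]}: unknown pinset {e["pins"]!r}')
        if e["id"] in seen_ids:
            problems.append(f'{e["name"]}: duplicate id {e["id"]}')
        seen_ids.add(e["id"])
    return problems


def with_hello_entry(preload):
    """Copy of `preload` with the comment-5 entry appended."""
    return {"pinsets": list(preload["pinsets"]),
            "entries": list(preload["entries"]) + [HELLO_ENTRY]}


def coverage_report(preload, hosts):
    """Map each host to the pinset that would be enforced for it."""
    return {h: pinset_for(preload, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["loop.services.mozilla.com", "hello.firefox.com", "tokbox.com",
             "services.mozilla.com.other.example"]
    print("before:", coverage_report(SAMPLE_PRELOAD, hosts))
    patched = with_hello_entry(SAMPLE_PRELOAD)
    print("after: ", coverage_report(patched, hosts))
    print("problems:", check_preload(patched))
```

Running it shows loop.services.mozilla.com already mapped to mozilla_services, hello.firefox.com unpinned until the entry is added, and tokbox.com unpinned either way, which is the point of the question about third-party domains: a pin entry with include_subdomains on a domain that also fronts a partner's hosts would bind those hosts to a CA they may not use.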
Passing Comment 5 on to Mark
Flags: needinfo?(ianb) → needinfo?(standard8)
Julien, are you wanting a patch for just hello.firefox.com right now, or do you want to wait until we have the information for tokbox.com / opentox.com?
Flags: needinfo?(dkeeler) → needinfo?(jvehent)
I think we should wait for Mark's reply. I don't want to break hello.
Flags: needinfo?(jvehent)
After talking with ulfr, this appears to be overcome by events, so I'm marking it WONTFIX.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(standard8)
Resolution: --- → WONTFIX