Bug 1083085 - Update source URL used for fetching HSTS and HPKP preload lists from Google
Status: Closed, RESOLVED FIXED (opened 10 years ago, closed 10 years ago)
Categories: Core :: Security: PSM, defect
Tracking: target milestone mozilla36
People: Reporter: reed, Assigned: keeler
Attachments (1 file, 1 obsolete file)
patch (6.16 KB): mmc: review+, lsblakk: approval-mozilla-aurora+
https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json and https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.certs aren't getting updated anymore... Need to figure out what the new URLs should be and update both security/manager/tools/PreloadedHPKPins.json and security/manager/tools/getHSTSPreloadList.js to use the new source URLs.
Comment 1 (Reporter) • 10 years ago
We're 7-8 weeks out-of-date right now. :( -- this should be fixed and backported to the various branches as well, imho.

So, this isn't as easy as just changing URLs. As far as I can tell, Gitiles only supports one form of "raw" output, and that's as base64-encoded text (https://code.google.com/p/gitiles/issues/detail?id=7).

https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT
https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.certs?format=TEXT

We need to have getHSTSPreloadList.js and PreloadedHPKPins.json download those files (as appropriate) and base64 decode them before using them.
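Added example, not part of this bug and not Gecko's getHSTSPreloadList.js: a Node script that takes the base64 body a Gitiles `?format=TEXT` URL returns, decodes it, strips full-line `//` comments (an assumption about the Chromium file, not something the bug states) and pulls out the HSTS and pinned hosts. It refuses anything that is not base64, which is the silent failure mode that let the list go stale; the sample JSON is constructed and the HTTP fetch is left to the caller.

```javascript
// Added example (not Gecko's getHSTSPreloadList.js); assumes Node's Buffer.
// Constructed sample shaped like transport_security_state_static.json.
const SAMPLE_JSON = `
// constructed sample, not Chromium's real list
{
  "entries": [
    { "name": "example.com", "include_subdomains": true, "mode": "force-https" },
    { "name": "pinned.example", "mode": "force-https", "pins": "example" },
    { "name": "pins-only.example", "pins": "example" }
  ]
}
`;

// What Gitiles serves for ?format=TEXT: the file body, base64-encoded.
const SAMPLE_GITILES_BODY = Buffer.from(SAMPLE_JSON, "utf8").toString("base64");

// Reject anything that is not base64 text (an HTML error page, say) so a
// moved endpoint fails the update run loudly instead of quietly yielding an
// empty list and a stale preload table.
function decodeGitilesText(body) {
  const compact = body.replace(/\s+/g, "");
  if (compact.length === 0 || !/^[A-Za-z0-9+/]+=*$/.test(compact)) {
    throw new Error("response is not base64 text; did the source URL move?");
  }
  return Buffer.from(compact, "base64").toString("utf8");
}

// Assumed: the file carries full-line "//" comments, which JSON.parse rejects.
function stripLineComments(text) {
  return text.split("\n").filter((l) => !l.trimStart().startsWith("//")).join("\n");
}

function parsePreloadList(body) {
  const list = JSON.parse(stripLineComments(decodeGitilesText(body)));
  if (!Array.isArray(list.entries)) {
    throw new Error("no 'entries' array: the file format changed");
  }
  return list;
}

// HSTS hosts are the force-https entries (with their include_subdomains
// flag); HPKP hosts are the entries that name a pinset.
function hstsHosts(list) {
  return list.entries
    .filter((e) => e.mode === "force-https")
    .map((e) => ({ name: e.name, includeSubdomains: e.include_subdomains === true }));
}
function pinnedHosts(list) {
  return list.entries.filter((e) => typeof e.pins === "string").map((e) => e.name);
}
```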
Comment 2 (Reporter) • 10 years ago
Note that the 'snionly' option was removed. See https://chromium.googlesource.com/chromium/src/net/+/8761155994b46ee082499c778cd1743fa63ce3bc. I don't think anything we had ever supported it, but would be good to check.

Also, a new compact representation of preloaded domains was added. See https://chromium.googlesource.com/chromium/src/net/+/97f74d049bacc74728d348dcc2f5fafe855e565b. Might be interesting to see about adding something like that for Gecko to replace the current format in nsSTSPreloadList.inc.
Comment 3 (Reporter) • 10 years ago
I have no idea what the right flags are nowadays to request blocking on the appropriate branches. :mmc / :keeler, can one of you take this on? Pretty bad that we didn't notice that our list was out-of-date for two months. :(
Flags: needinfo?(mmc)
Flags: needinfo?(dkeeler)
Comment 4 • 10 years ago
I wonder if it might be possible to have a test that fails when the (seemingly) current URL has not been updated for X weeks.
Updated (Assignee) • 10 years ago
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Flags: needinfo?(dkeeler)
Comment 6 (Assignee) • 10 years ago
This updates the source url and decodes the base64 hosted there.
Attachment #8509049 - Flags: review?(mmc)
Comment 7 • 10 years ago
Comment on attachment 8509049 [details] [diff] [review]
patch

Review of attachment 8509049 [details] [diff] [review]:
-----------------------------------------------------------------

Is the auth stopper for the garron bug?
Attachment #8509049 - Flags: review?(mmc) → review+
Comment 8 (Assignee) • 10 years ago
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #7)
> Is the auth stopper for the garron bug?

Actually, that's for another site that appears to request a client certificate. Gecko helpfully tries to open up a dialog so the user can pick one, but since xpcshell has no UI, that doesn't work.

Thanks for the quick review. Unfortunately, I forgot that the HPKP script needs to be updated as well. I'll be uploading a more complete patch shortly.
Comment 9 (Assignee) • 10 years ago
Attachment #8509049 - Attachment is obsolete: true
Attachment #8509061 - Flags: review?(mmc)
Comment 10 (Assignee) • 10 years ago
(In reply to Dana Keeler (:keeler) [use needinfo?] from comment #8)
> (In reply to [:mmc] Monica Chew (please use needinfo) from comment #7)
> > Is the auth stopper for the garron bug?
>
> Actually, that's for another site that appears to request a client
> certificate

Or, rather, HTTP auth, I believe.
Comment 11 • 10 years ago
Comment on attachment 8509061 [details] [diff] [review]
patch v2

Review of attachment 8509061 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8509061 - Flags: review?(mmc) → review+
Comment 12 (Assignee) • 10 years ago
Thank you!

https://hg.mozilla.org/integration/mozilla-inbound/rev/e3318daf0ca6
Comment 13 • 10 years ago
This seems rather bad to me. Do you think this warrants requesting an uplift, Dana?
Flags: needinfo?(dkeeler)
Comment 14 (Assignee) • 10 years ago
(In reply to Frederik Braun [:freddyb] from comment #13)
> This seems rather bad to me.
> Do you think this warrants requesting an uplift, Dana?

Yes, we should uplift this where appropriate. I want to wait for a successful run of the update script on Saturday, though, before going further.
Flags: needinfo?(dkeeler)
Comment 15 (Reporter) • 10 years ago
(In reply to Dana Keeler (:keeler) [use needinfo?] from comment #14)
> (In reply to Frederik Braun [:freddyb] from comment #13)
> > This seems rather bad to me.
> > Do you think this warrants requesting an uplift, Dana?
>
> Yes, we should uplift this where appropriate. I want to wait for a
> successful run of the update script on Saturday, though, before going
> further.

Can we just do a manual run and not wait until Saturday? ... or ask RelEng to run it via the official process but just early?
Comment 16 • 10 years ago
(In reply to Frederik Braun [:freddyb] from comment #13)
> This seems rather bad to me.
> Do you think this warrants requesting an uplift, Dana?

Looking at the last 2 months of changes to https://chromium.googlesource.com/chromium/src/net/+log/97f74d049bacc74728d348dcc2f5fafe855e565b/http/transport_security_state_static.json, the biggest changes we've missed are adding github to HSTS. There was one HSTS removal 7 weeks ago, globalcs.co.uk. That change would have been in Aurora by now. There are no changes in Beta, by design, so that doesn't seem too bad to me.

Coop, would you mind running the update script for HPKP and HSTS manually? If it succeeds, we can ask uplift in the next Aurora build which I think happens on Thursday, then both trees will be in sync by Saturday.
Flags: needinfo?(coop)
Comment 17 (Assignee) • 10 years ago
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #16)
> Coop, would you mind running the update script for HPKP and HSTS manually?
> If it succeeds, we can ask uplift in the next Aurora build which I think
> happens on Thursday, then both trees will be in sync by Saturday.

Although, we should probably first either directly land this on mozilla-central or wait for inbound to be merged, since it doesn't look like it has been, yet.
Comment 18 (Reporter) • 10 years ago
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #16)
> (In reply to Frederik Braun [:freddyb] from comment #13)
> > This seems rather bad to me.
> > Do you think this warrants requesting an uplift, Dana?
>
> Looking at the last 2 months of changes to
> https://chromium.googlesource.com/chromium/src/net/+log/
> 97f74d049bacc74728d348dcc2f5fafe855e565b/http/
> transport_security_state_static.json, the biggest changes we've missed are
> adding github to HSTS. There was one HSTS removal 7 weeks ago,
> globalcs.co.uk. That change would have been in Aurora by now. There are no
> changes in Beta, by design, so that doesn't seem too bad to me.

That link misses a bunch of changes in the last two weeks, including Yahoo domains getting added... Check out https://chromium.googlesource.com/chromium/src/net/+log/master/http/transport_security_state_static.json instead.
Comment 19 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/e3318daf0ca6
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Comment 20 • 10 years ago
Script has been re-run:

https://hg.mozilla.org/releases/mozilla-aurora/rev/b84b417ad1d5
https://hg.mozilla.org/releases/mozilla-aurora/rev/9014364077a7
https://hg.mozilla.org/mozilla-central/rev/5faccfb61d5c
https://hg.mozilla.org/mozilla-central/rev/7bed20f7b776
Flags: needinfo?(coop)
Comment 21 • 10 years ago
Comment on attachment 8509061 [details] [diff] [review]
patch v2

Approval Request Comment
[Feature/regressing bug #]: Caused by Chromium moving their source tree to Gitiles exclusively.
[User impact if declined]: We'll be behind updating the HPKP and HSTS preload lists by about 2 months on Aurora.
[Describe test coverage new/current, TBPL]: Update looks good in comment 20.
[Risks and why]: Pretty low. The risk would come from buildbot differing significantly in behavior from coop's run in comment 20.
[String/UUID change made/needed]: None.
Attachment #8509061 - Flags: approval-mozilla-aurora?
Updated • 10 years ago
Attachment #8509061 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 22 • 10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/31a5a1aa4b8d
status-firefox35: --- → fixed
status-firefox36: --- → fixed
Comment 23 (Reporter) • 10 years ago
(In reply to Chris Cooper [:coop] from comment #20)
> Script has been re-run:
>
> https://hg.mozilla.org/releases/mozilla-aurora/rev/b84b417ad1d5
> https://hg.mozilla.org/releases/mozilla-aurora/rev/9014364077a7

Since this was run before the fixed script landed on Aurora, do we need to get coop to run it again, or will it get run over the weekend (not sure which branches get the buildbot runs)...
Comment 24 • 10 years ago
Buildbot runs it Saturdays for Nightly and Aurora.