Cert pinning for SpiderOak

RESOLVED FIXED in mozilla36

People

(Reporter: tomas, Assigned: mmc)

Tracking

Version: 36 Branch
Target Milestone: mozilla36
Hardware: x86
OS: All

Attachments (1 attachment: 8522542)

Description (Reporter, 4 years ago)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

Steps to reproduce:

N/A


Actual results:

N/A


Expected results:

Please add a pin for SpiderOak. It's ongoing for Chrome, here's the change where you should find all the information needed: https://codereview.chromium.org/722813002
Updated (Reporter, 4 years ago)
OS: Mac OS X → All

Comment 1 (4 years ago)

Monica, can you respond to this request? I don't know how we deal with requests for particular sites, and I've not found the relevant info after looking for a while now...
Component: Untriaged → Security: PSM
Flags: needinfo?(mmc)
Product: Firefox → Core
Comment 2

Hi Tomas,

As of FF 35, Firefox supports HPKP. We are trying to move away from static pins in favor of ones that the site operator can manage themselves. If you have a contact for SpiderOak, then you could point them at http://tools.ietf.org/html/draft-ietf-websec-key-pinning-21.

Thanks,
Monica
Flags: needinfo?(mmc)
Comment 3

It turns out that Tomas is the site operator (sorry, Tomas, didn't realize that). He is checking with his team to see if the 14-20 week lead time for key changes in https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning/SiteOperators is acceptable. If so, then we can proceed in this case.
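The alternative Monica points at in comment 2, an HPKP header managed by the site operator rather than a static pin shipped in the browser, and the reason the lead time in comment 3 matters at all (a pin set with no backup key is a lockout waiting to happen) are concrete enough to show in code. The following is an added example written for this page; it is not Mozilla, Chromium or SpiderOak code. It DER-encodes an RSA SubjectPublicKeyInfo, derives the pin-sha256 value the draft defines (base64 of the SHA-256 of the DER SPKI), builds a Public-Key-Pins header, and applies the draft's noting rules: max-age present, at least one pin matches a key in the served chain, and at least one backup pin matches nothing in the chain. The moduli are deterministic stand-ins constructed for the example (not real keys, and certainly not SpiderOak's), and all function names are this example's own.

```python
import base64
import hashlib
import re

# --- Minimal DER encoder, just enough for an RSA SubjectPublicKeyInfo --------

def _der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    # (bit_length + 8) // 8 is the minimal length that keeps the sign bit clear,
    # so a modulus with its high bit set gets the required leading 0x00 octet.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo { AlgorithmIdentifier { rsaEncryption, NULL },
    BIT STRING { RSAPublicKey { n, e } } } as in RFC 5280 / RFC 3279."""
    alg_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    rsa_public_key = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_public_key))

# --- HPKP ---------------------------------------------------------------------

def pin_sha256(spki_der):
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)). Hashing the
    SPKI rather than the certificate lets the pin survive re-issuance."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_hpkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Public-Key-Pins header value. Refuses a single pin: without an offline
    backup pin, losing the live key locks every noting client out until
    max-age elapses."""
    if len(set(pins)) < 2:
        raise ValueError("need at least two distinct pins (live key plus backup)")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')  # 32 bytes -> 44 base64 chars

def parse_hpkp_header(value):
    max_age = re.search(r"max-age=(\d+)", value)
    return {
        "pins": set(_PIN_RE.findall(value)),
        "max_age": int(max_age.group(1)) if max_age else None,
        "include_subdomains": "includesubdomains" in value.lower(),
    }

def hpkp_would_be_noted(header_value, chain_spki_ders):
    """Noting rules from draft-ietf-websec-key-pinning: a UA records the pins
    only if max-age is present, some pin matches a key in the served chain, and
    some pin (the backup) matches nothing in the chain. Returns (noted, reason)."""
    header = parse_hpkp_header(header_value)
    chain_pins = {pin_sha256(der) for der in chain_spki_ders}
    if header["max_age"] is None:
        return False, "no max-age directive"
    if not header["pins"] & chain_pins:
        return False, "no pin matches the served chain"
    if not header["pins"] - chain_pins:
        return False, "no backup pin: every pin is already in the served chain"
    return True, "noted"

def chain_matches_pins(pins, chain_spki_ders):
    """Connection-time check: at least one SPKI in the chain must be pinned."""
    return any(pin_sha256(der) in pins for der in chain_spki_ders)

# --- Constructed sample keys (NOT real keys, not SpiderOak's) ------------------

def _constructed_modulus(label):
    """Deterministic 2048-bit odd integer standing in for an RSA modulus."""
    raw = int.from_bytes(hashlib.sha256(label).digest() * 8, "big")
    return raw | (1 << 2047) | 1

LIVE_SPKI = rsa_spki_der(_constructed_modulus(b"live key"), 65537)
BACKUP_SPKI = rsa_spki_der(_constructed_modulus(b"backup key, kept offline"), 65537)
INTERMEDIATE_SPKI = rsa_spki_der(_constructed_modulus(b"intermediate CA"), 65537)
LIVE_PIN, BACKUP_PIN = pin_sha256(LIVE_SPKI), pin_sha256(BACKUP_SPKI)

# What the site operator serves: live pin plus backup pin, 60 days, subdomains too.
HEADER = build_hpkp_header([LIVE_PIN, BACKUP_PIN], max_age=60 * 24 * 3600,
                           include_subdomains=True)

if __name__ == "__main__":
    print("Public-Key-Pins: " + HEADER)
    print(hpkp_would_be_noted(HEADER, [LIVE_SPKI, INTERMEDIATE_SPKI]))
    # Pinning only keys that appear in the chain leaves no backup, so a UA ignores it.
    no_backup = build_hpkp_header([LIVE_PIN, pin_sha256(INTERMEDIATE_SPKI)], 600)
    print(hpkp_would_be_noted(no_backup, [LIVE_SPKI, INTERMEDIATE_SPKI]))
```

The backup pin is the HPKP counterpart of the lead time discussed above: a key change has to be announced (as a pin that is not yet in the chain) and aged in before it can go live, otherwise clients that already noted the old pins will refuse the new key. The `hpkp_would_be_noted` check is the rule that forces that discipline on the operator.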
Comment 4 (Reporter, 4 years ago)

We (SpiderOak) would like to proceed with this.
Comment 5

Created attachment 8522542
Enable pinning on spideroak (
Assignee: nobody → mmc
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment on attachment 8522542
Enable pinning on spideroak (

Review of attachment 8522542:
-----------------------------------------------------------------

This won't do anything until https://codereview.chromium.org/722813002/patch/20001/30003 makes it into the Chromium tree. Realistically, we won't be able to tell anything from the cert pinning metrics, because spideroak.com traffic volume will be completely quashed by Google/Facebook/Twitter. The only thing we'll be able to tell is from SSL error reporting. So there's nothing to wait for in this case, unless we want to wait for Chrome to canary for a little while first.
Attachment #8522542 - Flags: review?(dkeeler)
::: security/manager/boot/src/StaticHPKPins.h
@@ -1124,5 @@
>  // Pinning Preload List Length = 348;
>  
>  static const int32_t kUnknownId = -1;
>  
> -static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1423912295636000);
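Review bot: The only change in this hunk is the deletion of kPreloadPKPinsExpirationTime from StaticHPKPins.h, which has nothing to do with enabling a SpiderOak entry and removes the constant that bounds how long the static preload list is trusted without anything in the hunk replacing it, so any code still referencing the symbol will fail to build and, if it were not referenced, the preloaded pins would lose their expiry. Drop StaticHPKPins.h from the patch entirely so the file lands unchanged, as the follow-up comment proposes.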

Oops, I meant to revert this file from this change. I would do that on checkin.
Comment on attachment 8522542
Enable pinning on spideroak (

Review of attachment 8522542:
-----------------------------------------------------------------

LGTM.
Attachment #8522542 - Flags: review?(dkeeler) → review+
https://hg.mozilla.org/mozilla-central/rev/fffebb4931b8
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36