Closed Bug 1098288 Opened 10 years ago Closed 10 years ago

Cert pinning for SpiderOak

Categories: Core :: Security: PSM, defect
Version: 36 Branch
Hardware: x86, OS: All
Type: defect, Priority: Not set, Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla36
People: Reporter: tomas, Assigned: mmc
Attachments: 1 file

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

Steps to reproduce:

N/A


Actual results:

N/A


Expected results:

Please add a pin for SpiderOak. It's ongoing for Chrome, here's the change where you should find all the information needed: https://codereview.chromium.org/722813002
OS: Mac OS X → All
Monica, can you respond to this request? I don't know how we deal with requests for particular sites, and I've not found the relevant info after looking for a while now...
Component: Untriaged → Security: PSM
Flags: needinfo?(mmc)
Product: Firefox → Core
Hi Tomas,

As of FF 35, Firefox supports HPKP. We are trying to move away from static pins in favor of ones that the site operator can manage themselves. If you have a contact for SpiderOak, then you could point them at http://tools.ietf.org/html/draft-ietf-websec-key-pinning-21.

Thanks,
Monica
Flags: needinfo?(mmc)
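The reply above points the site operator at the HPKP draft instead of a static pin, and the next comment turns on the operational consequence: once a pin set is published, key changes are bound by the pinned backup key and the lead time. The following Python is an added example, not code from this bug, from Firefox, or from SpiderOak. It builds and parses a Public-Key-Pins header and applies the RFC 7469 conditions under which a browser notes a host as pinned (a max-age, at least one pin matching the served chain, and a Backup Pin that does not). The SPKI byte strings and the report URI are constructed stand-ins; real pin values are computed over the DER SubjectPublicKeyInfo of the actual certificates and backup key.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. In
# practice these come from the leaf and CA certificates and from the offline
# backup key; the bytes here are made up so the example runs offline.
LEAF_SPKI = b"constructed SPKI: current leaf key"
BACKUP_SPKI = b"constructed SPKI: offline backup key"
ROGUE_SPKI = b"constructed SPKI: key the site never pinned"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(spkis, max_age, include_subdomains=False, report_uri=None):
    """Assemble a Public-Key-Pins header value from SPKI blobs."""
    parts = ['pin-sha256="%s"' % spki_pin(s) for s in spkis]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


# One directive: name, optionally "=" and a quoted or bare value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]+)))?\s*')


def parse_pkp_header(value):
    """Parse a Public-Key-Pins value into pins, max_age, include_subdomains, report_uri.

    Directive names are case-insensitive; pin values keep their case because
    they are base64 digests. Unknown directives are ignored, as the RFC requires.
    """
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            raise ValueError("malformed directive: %r" % raw)
        name = m.group(1).lower()
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age":
            if arg is None:
                raise ValueError("max-age needs a value")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy


def pin_validation(policy, chain_spkis):
    """Pin Validation: at least one pinned SPKI appears somewhere in the served chain."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in policy["pins"])


def policy_problems(policy, chain_spkis):
    """Reasons a UA would refuse to note this host as a Known Pinned Host (RFC 7469 2.5).

    The operational point: a Backup Pin for a key that is *not* in the served
    chain is mandatory, so the operator can rotate keys without locking every
    returning client out for max-age seconds.
    """
    problems = []
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if policy["max_age"] is None:
        problems.append("max-age directive missing")
    if len(policy["pins"]) < 2:
        problems.append("fewer than two pin-sha256 values")
    if not any(p in chain_pins for p in policy["pins"]):
        problems.append("no pin matches an SPKI in the served chain")
    if not any(p not in chain_pins for p in policy["pins"]):
        problems.append("no Backup Pin (every pin matches the served chain)")
    return problems
```

The checks in `policy_problems` are the ones a site operator should run before deploying a header: a policy whose pins all sit in the served chain has no backup, and a key change after that point strands clients until max-age expires, which is exactly the lead-time concern raised in this bug.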
It turns out that Tomas is the site operator (sorry, Tomas, didn't realize that). He is checking with his team to see if the 14-20 week lead time for key changes in https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning/SiteOperators is acceptable. If so, then we can proceed in this case.
We (SpiderOak) would like to proceed with this.
Assignee: nobody → mmc
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment on attachment 8522542 [details] [diff] [review]
Enable pinning on spideroak (

Review of attachment 8522542 [details] [diff] [review]:
-----------------------------------------------------------------

This won't do anything until https://codereview.chromium.org/722813002/patch/20001/30003 makes it into the Chromium tree. Realistically, we won't be able to tell anything from the cert pinning metrics, because spideroak.com traffic volume will be completely quashed by Google/Facebook/Twitter. The only thing we'll be able to tell is from SSL error reporting. So there's nothing to wait for in this case, unless we want to wait for Chrome to canary for a little while first.
Attachment #8522542 - Flags: review?(dkeeler)
::: security/manager/boot/src/StaticHPKPins.h
@@ -1124,5 @@
>  // Pinning Preload List Length = 348;
>  
>  static const int32_t kUnknownId = -1;
>  
> -static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1423912295636000);
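Review bot: the StaticHPKPins.h hunk deletes `static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1423912295636000);` with no replacement line, which has nothing to do with adding a spideroak pin and leaves the preload expiration undefined for anything that reads it; the `// Pinning Preload List Length = 348;` header marks this as generated output, so the file should be reverted from the patch rather than hand-edited, and the change should touch only the pin set it is meant to extend.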

Oops, I meant to revert this file from this change. I would do that on checkin.
Comment on attachment 8522542 [details] [diff] [review]
Enable pinning on spideroak (

Review of attachment 8522542 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8522542 - Flags: review?(dkeeler) → review+
https://hg.mozilla.org/mozilla-central/rev/fffebb4931b8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36