Bug 1098288 (Closed)
Cert pinning for SpiderOak
Opened 10 years ago, closed 10 years ago
Categories: Core :: Security: PSM, defect
Status: RESOLVED FIXED, mozilla36
People: Reporter: tomas, Assigned: mmc
Attachments (1 file): 1.66 KB patch, keeler: review+
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Steps to reproduce: N/A
Actual results: N/A
Expected results: Please add a pin for SpiderOak. It's ongoing for Chrome, here's the change where you should find all the information needed: https://codereview.chromium.org/722813002
Updated•10 years ago (Reporter)
OS: Mac OS X → All
Comment 1•10 years ago
Monica, can you respond to this request? I don't know how we deal with requests for particular sites, and I've not found the relevant info after looking for a while now...
Component: Untriaged → Security: PSM
Flags: needinfo?(mmc)
Product: Firefox → Core
Comment 2•10 years ago (Assignee)
Hi Tomas,
As of FF 35, Firefox supports HPKP. We are trying to move away from static pins in favor of ones that the site operator can manage themselves. If you have a contact for SpiderOak, then you could point them at http://tools.ietf.org/html/draft-ietf-websec-key-pinning-21.
Thanks,
Monica
Flags: needinfo?(mmc)
Comment 3•10 years ago (Assignee)
It turns out that Tomas is the site operator (sorry, Tomas, didn't realize that). He is checking with his team to see if the 14-20 week lead time for key changes in https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning/SiteOperators is acceptable. If so, then we can proceed in this case.
Comment 4•10 years ago (Reporter)
We (SpiderOak) would like to proceed with this.
Comment 5•10 years ago (Assignee)
Updated•10 years ago (Assignee)
Assignee: nobody → mmc
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 6•10 years ago (Assignee)
Comment on attachment 8522542
Enable pinning on spideroak (
Review of attachment 8522542:
-----------------------------------------------------------------
This won't do anything until https://codereview.chromium.org/722813002/patch/20001/30003 makes it into the Chromium tree. Realistically, we won't be able to tell anything from the cert pinning metrics, because spideroak.com traffic volume will be completely quashed by Google/Facebook/Twitter. The only thing we'll be able to tell is from SSL error reporting. So there's nothing to wait for in this case, unless we want to wait for Chrome to canary for a little while first.
Attachment #8522542 - Flags: review?(dkeeler)
Comment 7•10 years ago (Assignee)
Comment on attachment 8522542
Enable pinning on spideroak (
Review of attachment 8522542:
-----------------------------------------------------------------
This won't do anything until https://codereview.chromium.org/722813002/patch/20001/30003 makes it into the Chromium tree. Realistically, we won't be able to tell anything from the cert pinning metrics, because spideroak.com traffic volume will be completely quashed by Google/Facebook/Twitter. The only thing we'll be able to tell is from SSL error reporting. So there's nothing to wait for in this case, unless we want to wait for Chrome to canary for a little while first.
::: security/manager/boot/src/StaticHPKPins.h @@ -1124,5 @@ > // Pinning Preload List Length = 348; > > static const int32_t kUnknownId = -1; > > -static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1423912295636000);
Oops, I meant to revert this file from this change. I would do that on checkin.
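Review bot: The `-` line in security/manager/boot/src/StaticHPKPins.h removes `kPreloadPKPinsExpirationTime`, and the quoted context shows no `+` line defining it again, so as quoted the header would be left without the preload expiration constant. Since this file was not meant to be part of the change, drop it from the patch before landing so that what lands matches what was reviewed.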
Comment on attachment 8522542
Enable pinning on spideroak (
Review of attachment 8522542:
-----------------------------------------------------------------
LGTM.
Attachment #8522542 - Flags: review?(dkeeler) → review+
Comment 9•10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/fffebb4931b8
Comment 10•10 years ago
https://hg.mozilla.org/mozilla-central/rev/fffebb4931b8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36