Bug 1157873 - remove entries from the CNNIC whitelist that aren't in the certificate transparency log
Status: Closed (RESOLVED FIXED); opened 9 years ago, closed 9 years ago
Categories: Core :: Security, defect
Target Milestone: mozilla40
Tracking: firefox40 - fixed
People: Reporter: keeler, Assigned: keeler
Keywords: sec-other; Whiteboard: [adv-main40-]
Attachments (1 file): patch, 107.35 KB, rbarnes: review+
The initial CNNIC whitelist landed with some certificates that aren't in the certificate transparency pilot log. We should remove those from the whitelist. We should also specifically check for and omit certificates with notBefore dates on or after 1 April 2015.
Comment 1 (assignee) • 9 years ago
Comment 2 (Richard Barnes [:rbarnes]) • 9 years ago
Comment on attachment 8596785 [details] [diff] [review]
patch

Review of attachment 8596785 [details] [diff] [review]:
-----------------------------------------------------------------

Note: I only reviewed the JS. I did not check the changes to the hashes.

::: security/manager/tools/makeCNNICHashes.js
@@ +133,5 @@
> + // If we can't verify the certificate, don't include it. Unfortunately, if
> + // a CNNIC-issued certificate wasn't previously on the whitelist but it
> + // otherwise verifies successfully, verifyCertNow will return
> + // SEC_ERROR_REVOKED_CERTIFICATE, so we count that as verifying
> + // successfully.

Maybe add a note that if the certificate is actually revoked (in OCSP), then it will still show up as revoked if the browser encounters it, even though it's on the whitelist.
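Review bot: the comment block at +133 says SEC_ERROR_REVOKED_CERTIFICATE is counted as successful verification; the code under it should compare against that one error code only, so that every other verifyCertNow failure (expired, untrusted issuer, bad signature) still excludes the certificate, and the comment should say so. The bug also asks to omit certificates with notBefore on or after 1 April 2015; since that condition is independent of verification status, it is worth stating here as a separate explicit check rather than leaving a reader to assume the verification step covers it.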
Attachment #8596785 - Flags: review?(rlb) → review+
Comment 3 (assignee) • 9 years ago
Great - thanks. https://hg.mozilla.org/integration/mozilla-inbound/rev/13f48b850248
Comment 4 • 9 years ago

(In reply to Richard Barnes [:rbarnes] from comment #2)
> Maybe add a note that if the certificate is actually revoked (in OCSP), then
> it will still show up as revoked if the browser encounters it, even though
> it's on the whitelist.

That doesn't sound awesome. Are we going to be checking the whitelisted certs regularly to see if they've been revoked, so we can unwhitelist them?

Gerv
Comment 5 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/13f48b850248
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Updated • 9 years ago
Whiteboard: [adv-main40-]