Closed
Bug 1180411
Opened 10 years ago
Closed 10 years ago
Something expired on esr38, causing pinning test failures
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
| Tracking | Status | |
|---|---|---|
| firefox39 | --- | unaffected |
| firefox40 | --- | unaffected |
| firefox41 | --- | unaffected |
| firefox42 | --- | unaffected |
| firefox-esr31 | --- | unaffected |
| firefox-esr38 | 40+ | fixed |
People
(Reporter: philor, Assigned: Cykesiopka)
References
Details
Attachments
(1 file)
|
7.05 KB,
patch
|
RyanVM
:
review+
|
Details | Diff | Splinter Review |
Things were fine on a push on June 30th, but this morning's automated blocklist/HSTS update (https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr38&revision=6fa44d85f33c) failed in the pinning xpcshell and browser-chrome tests.
To verify that it was the date rather than the content of that push, I retriggered an xpcshell run on the previously good push, and https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr38&revision=56c0c55aec7c&filter-searchStr=3f29983665f9ee76b027addc792257d671910bb3 agrees that it must have been that something expired after June 30th.
|
Assignee | |
Comment 1•10 years ago
|
||
Here's a patch that seems to fix the issue.
It updates StaticHPKPins.h to refresh the |kPreloadPKPinsExpirationTime| variable, which indeed currently indicates a time in the past.
It also picks up some new Google pinsets (I updated StaticHPKPins.h using genHPKPStaticPins.js).
Try push:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e1093ffef058
And because I am dumb and/or TryChooser hates me + the instructions on how to trigger jobs I didn't specify in my Try syntax are scary:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=89f0d40f13cc
|
|
Assignee | |
Comment 2•10 years ago
|
||
According to https://hg.mozilla.org/releases/mozilla-esr38/filelog/6788058fa211/security/manager/boot/src/StaticHPKPins.h, the last time this file was updated was 2015-03-28, which is just before FF 38 moved to beta, if I'm reading https://wiki.mozilla.org/RapidRelease/Calendar correctly.
I'm unsure of what the policy is for updating pinsets, but maybe the HPKP update script just needs to run on esr38 as well?
|
Reporter | |
Comment 3•10 years ago
|
||
[Tracking Requested - why for this release]:
Someone with a better understanding of the feature will have to help you decide severity (since I didn't know what the acronym stood for until a few minute ago), but the layman's description, "up until 3:18am Pacific today, even if you hadn't yet connected to Facebook or Gmail in a new profile, you couldn't be MiTMed by a forged cert, but after 3:18am you could be" has a whiff of chemspill to me.
tracking-firefox-esr38:
--- → ?
|
|
Reporter | |
Comment 4•10 years ago
|
||
Though the urgency is considerably moderated by the fact that the only people affected went without this feature from the time it shipped in 32 last August until the first esr38 release shipped.
|
||
Comment 5•10 years ago
|
||
(In reply to Cykesiopka from comment #1)
> And because I am dumb and/or TryChooser hates me + the instructions on how
> to trigger jobs I didn't specify in my Try syntax are scary:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=89f0d40f13cc
FYI, mozci makes this way easier :)
https://mozilla-ci-tools.readthedocs.org/en/latest/project_definition.html
Assignee: nobody → cykesiopka.bmo
|
|
||
Comment 6•10 years ago
|
||
Comment on attachment 8629619 [details] [diff] [review]
bug1180411_update-StaticHPKPins.h_v1.patch
Review of attachment 8629619 [details] [diff] [review]:
-----------------------------------------------------------------
r+ based on the green Try runs and the patch looking like what we'd expect for such an update. Bug 1180453 tracks getting these updates automated in the future.
Attachment #8629619 -
Flags: review+
|
|
||
Comment 7•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox39:
--- → unaffected
status-firefox40:
--- → unaffected
status-firefox41:
--- → unaffected
status-firefox42:
--- → unaffected
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
||
Comment 8•10 years ago
|
||
(In reply to Phil Ringnalda (:philor) from comment #3)
> Someone with a better understanding of the feature will have to help you
> decide severity (since I didn't know what the acronym stood for until a few
> minute ago), but the layman's description, "up until 3:18am Pacific today,
> even if you hadn't yet connected to Facebook or Gmail in a new profile, you
> couldn't be MiTMed by a forged cert, but after 3:18am you could be" has a
> whiff of chemspill to me.
It's not great that all the pre-loaded pins expired but no worse than not having the feature at all, and the feature itself is a second-line of defense against an attack performed through compromising a Certificate Authority. Users who have not visited those sites before, but who chose to visit them after July 4 will not be protected on that first visit. That's sad, but not chemspill-worthy.
Adding a tracking flag, this is already fixed in esr-38.
|
|
||
Comment 10•10 years ago
|
||
Corrected ESR tracking flag.
You need to log in
before you can comment on or make changes to this bug.
Description
•