Enable mar signing for all platforms and remove app.update.certs.* preferences

NEW
Unassigned

Status

defect
4 years ago
2 years ago

People

(Reporter: rstrong, Unassigned)

Tracking

Firefox Tracking Flags

(firefox42 affected)

Details

cc'ing kairo since I'm not sure who from SeaMonkey should be cc'd

The custom cert check used by app update will be removed during the 43 cycle. Instead, mar signing should be used since it provides much better security. This is already implemented on Firefox.

Configs for Firefox mar signing, for reference:
http://mxr.mozilla.org/mozilla-central/source/browser/confvars.sh#26

http://mxr.mozilla.org/mozilla-central/search?string=ac_add_options%20--enable-verify-mar

Bug 1182352 will remove the custom cert check code from app update. If this is not completed before the code is removed then Thunderbird will not have the security mitigation provided by the cert check.

If this bug is fixed before bug 1182352 then you should set the following prefs to false. If this is done afterwards then these prefs can be removed.
app.update.cert.checkAttributes
app.update.cert.requireBuiltIn

The related Thunderbird bug is bug 1189843.

Ok, I want to leave this here:

SeaMonkey has no mar signing ability at present; per rstrong, there is now official in-app cert pinning ability, at the networking layer rather than at the aus layer, which we can use.

A bug to add pinning to the aus server for Firefox was https://bugzilla.mozilla.org/show_bug.cgi?id=1063111 and security folks know more about this process.

I'd be interested to use a better, supported way going forward but we need to support the following:
* Cert pinned prior to first connection to aus2-community
* No immediate failures if we switch to a new cert (e.g. have a supportable fallback of some sort)

If for whatever reason mar signing is not implemented then real cert pinning should be implemented. We didn't do this for Firefox aus since it has the same problems as the custom cert check. See bug 1063111.

Specifically, if mar signing was not used by Firefox we would have moved to using pinned certs.

I am planning on removing the hash checks in the near future in bug 1373267. It would be a good thing for SeaMonkey to get this bug fixed and to have mar signing.