Closed Bug 1190127 Opened 6 years ago Closed 1 year ago

pinning implementation doesn't handle long HPKP headers


(Core :: Security: PSM, defect, P3)

39 Branch





(Reporter: chrodev2015, Unassigned)



(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

1. Visit
2. Try to open

Actual results:

The site loads successfully.

Expected results:

An error occurred during a connection to The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. (Error code: mozilla_pkix_error_key_pinning_failure)
Blocks: hpkp
Component: Untriaged → Security: PSM
Product: Firefox → Core
The backend restricts the storage space it uses for the security state of any given site. sends a long header ('pin-sha256="OIfOyh0t3fDi9OhthcB1tvG2x9hlSKJS6F6nDTfU06M="; pin-sha256="zYVmN2SmJk5Jo4hrJOEK4/43KzCS9Ne5fYuE4kzok2E="; pin-sha256="JsIzHjL+GzNoPLg9bMVah1pacOfntk2CrPl0BkBttkc="; pin-sha256="GbG532k8WC6OZpnjU6ONwKMr3LhSdjk6ZhwEsVHhgBE="; pin-sha256="CG/qev4gAXd3Mscc8VuS3w3hlYguKTxecz23YeD9pZA="; pin-sha256="MfFdEhtHwkisVDkQ9u9I4nKEEENqM0dagSAgQLD1zkQ="; pin-sha256="oYxDc4K35fcrLT8YPLKxG5wrc6e0os7gA8nr+lyQmzw="; pin-sha256="rZS5JHWhAMExpWG8KOZTGnufu4EVcjak6yBRqa6S6zA="; pin-sha256="rMxCv8znPWVu3nxjMxBUSqtbCYOGPVt/EQUG+kRoZzQ="; pin-sha256="J61DGT429L+x0XpXOY1gyYFSJ+fNMqOCgNYLkfb3leQ="; pin-sha256="yT0iaiK9uCqkAso/o1VR/qufhfcWf4aGkYdFTsYHorg="; pin-sha256="Fb6w3IAZsJFTRw0HvHiN4/OzDn+xNRF2/z06QfE0Kks="; pin-sha256="J/jnM3XWHJzBMrEMRm//Rd8RsMGm1G8lJynobIa/Z1g="; pin-sha256="NR0kHztPF2eRaYUHMUo4w8f/sSZHhAgeAHCUUGRuJHc="; pin-sha256="Y9GTsbjJn5VI4jhRZUpDvOTzyFfjpE9n01eE7wH1KTs="; pin-sha256="fYM6N/aqq6/gR2jrhGZuIhAVSH8B0VGy9TOumsusQz8="; pin-sha256="G96s8LDMdcDxOtAalXFsdzuXzDu8CsWrY8tqVnP5wjk="; pin-sha256="s0ByagdvLeURr/2dw51QiVRcEPBbK5NG8D1L0VizdkA="; pin-sha256="vOex9s62XXETm1G2Jh6MBW2fIYuxabhtStWP8A6r8rc="; pin-sha256="2w1DMHVJ2ACkz/GUfyqu3t6BlYFlQs5FMa4x09Tnxos="; pin-sha256="uMruvOi/OsLREG7/Tux/tUNzBawpINObj3V9mKFZnXA="; pin-sha256="XLWA0Hz3PhkDxqwo2OW2N54vOnqz154D2GjRKqfnjCw="; pin-sha256="lYYwQWCPLBycXNKrLKmQbdK7dCsFYFczm8YVFJj+EDk="; pin-sha256="o8UgXnsXRH/UZ9S/DKM01BKByPSPOsTQvBhIUF2QdbE="; pin-sha256="LzXpUII8GYYSZDVe2L0OrSEyl6c79AySVI66z38PL1o="; pin-sha256="5JGS5KldZw+8BBHhVGNmu+dpizZHjbfNiXkqnlHk1+4="; pin-sha256="f0JcQ/dVRUgRY2S5FbayzDbfV2lrUXGn8p7eyoX75iM="; max-age=630720000; includeSubDomains; report-uri=""') which it fails to store. Maybe we should up the limit. We should certainly be more clear in the error message to the console (see bug 1124649).
Summary: HPKP includeSubDomains doesn't work → pinning implementation doesn't handle long HPKP headers
Morgan, this is the bug I was talking about. Here's the specific check that is failing:

We can increase that limit, but it would be nice to also do something that will decrease the size of the data we're storing. One option would be to just gzip the file, but since the thing that will make it large is long lists of sha-256 hashes, we probably won't get great compression out of that. Another option would be to convert the file from text to binary. That is, currently we write out the representation of whatever data/metadata we're storing as human-readable text. We could significantly reduce the file size by using some binary format instead (maybe protobuf?).

Other files you'll have to have a look at:

Ever confirmed: true

Bug 1412438 disabled HPKP by default, so I don't think we'll address this.

Closed: 1 year ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.