Closed
Bug 1190127
Opened 9 years ago
Closed 5 years ago
pinning implementation doesn't handle long HPKP headers
Categories
(Core :: Security: PSM, defect, P3)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: chrodev2015, Unassigned)
References
Details
(Whiteboard: [psm-backlog])
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324
Steps to reproduce:
1. Visit https://rc4.io
2. Try to open https://pinningtest.rc4.io
Actual results:
The site loads successfully.
Expected results:
An error occurred during a connection to pinningtest.rc4.io. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. (Error code: mozilla_pkix_error_key_pinning_failure)
Comment 1•9 years ago
The backend restricts the storage space it uses for the security state of any given site. rc4.io sends a long header ('pin-sha256="OIfOyh0t3fDi9OhthcB1tvG2x9hlSKJS6F6nDTfU06M="; pin-sha256="zYVmN2SmJk5Jo4hrJOEK4/43KzCS9Ne5fYuE4kzok2E="; pin-sha256="JsIzHjL+GzNoPLg9bMVah1pacOfntk2CrPl0BkBttkc="; pin-sha256="GbG532k8WC6OZpnjU6ONwKMr3LhSdjk6ZhwEsVHhgBE="; pin-sha256="CG/qev4gAXd3Mscc8VuS3w3hlYguKTxecz23YeD9pZA="; pin-sha256="MfFdEhtHwkisVDkQ9u9I4nKEEENqM0dagSAgQLD1zkQ="; pin-sha256="oYxDc4K35fcrLT8YPLKxG5wrc6e0os7gA8nr+lyQmzw="; pin-sha256="rZS5JHWhAMExpWG8KOZTGnufu4EVcjak6yBRqa6S6zA="; pin-sha256="rMxCv8znPWVu3nxjMxBUSqtbCYOGPVt/EQUG+kRoZzQ="; pin-sha256="J61DGT429L+x0XpXOY1gyYFSJ+fNMqOCgNYLkfb3leQ="; pin-sha256="yT0iaiK9uCqkAso/o1VR/qufhfcWf4aGkYdFTsYHorg="; pin-sha256="Fb6w3IAZsJFTRw0HvHiN4/OzDn+xNRF2/z06QfE0Kks="; pin-sha256="J/jnM3XWHJzBMrEMRm//Rd8RsMGm1G8lJynobIa/Z1g="; pin-sha256="NR0kHztPF2eRaYUHMUo4w8f/sSZHhAgeAHCUUGRuJHc="; pin-sha256="Y9GTsbjJn5VI4jhRZUpDvOTzyFfjpE9n01eE7wH1KTs="; pin-sha256="fYM6N/aqq6/gR2jrhGZuIhAVSH8B0VGy9TOumsusQz8="; pin-sha256="G96s8LDMdcDxOtAalXFsdzuXzDu8CsWrY8tqVnP5wjk="; pin-sha256="s0ByagdvLeURr/2dw51QiVRcEPBbK5NG8D1L0VizdkA="; pin-sha256="vOex9s62XXETm1G2Jh6MBW2fIYuxabhtStWP8A6r8rc="; pin-sha256="2w1DMHVJ2ACkz/GUfyqu3t6BlYFlQs5FMa4x09Tnxos="; pin-sha256="uMruvOi/OsLREG7/Tux/tUNzBawpINObj3V9mKFZnXA="; pin-sha256="XLWA0Hz3PhkDxqwo2OW2N54vOnqz154D2GjRKqfnjCw="; pin-sha256="lYYwQWCPLBycXNKrLKmQbdK7dCsFYFczm8YVFJj+EDk="; pin-sha256="o8UgXnsXRH/UZ9S/DKM01BKByPSPOsTQvBhIUF2QdbE="; pin-sha256="LzXpUII8GYYSZDVe2L0OrSEyl6c79AySVI66z38PL1o="; pin-sha256="5JGS5KldZw+8BBHhVGNmu+dpizZHjbfNiXkqnlHk1+4="; pin-sha256="f0JcQ/dVRUgRY2S5FbayzDbfV2lrUXGn8p7eyoX75iM="; max-age=630720000; includeSubDomains; report-uri="https://report-uri.io/report/735cf8694efb3cb261f511e8c34ffdd2"') which it fails to store. Maybe we should up the limit. We should certainly be more clear in the error message to the console (see bug 1124649).
Summary: HPKP includeSubDomains doesn't work → pinning implementation doesn't handle long HPKP headers
Comment 2•9 years ago
Morgan, this is the bug I was talking about. Here's the specific check that is failing:
https://hg.mozilla.org/mozilla-central/file/2ddec2dedced/security/manager/ssl/DataStorage.cpp#l240
We can increase that limit, but it would be nice to also do something that will decrease the size of the data we're storing. One option would be to just gzip the file, but since the thing that will make it large is long lists of sha-256 hashes, we probably won't get great compression out of that. Another option would be to convert the file from text to binary. That is, currently we write out the representation of whatever data/metadata we're storing as human-readable text. We could significantly reduce the file size by using some binary format instead (maybe protobuf?).
Other files you'll have to have a look at:
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSiteSecurityService.cpp
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/test_sss_savestate.js
etc.
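The size trade-off weighed in Comment 2, as an added example that is not part of the bug thread or Mozilla's code: it parses the pins out of a Public-Key-Pins header and measures the pin list as text, as DEFLATE-compressed text, and as raw binary digests. The pins are constructed from dummy labels, the comma-joined text record is an assumed stand-in for the human-readable storage format, and all function names are hypothetical.

```python
import base64
import hashlib
import re
import zlib

# One pin-sha256 directive: base64 of a 32-byte digest is 43 characters plus "=".
PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')


def build_sample_header(n_pins):
    """Constructed input: n_pins pins hashed from dummy labels, not real keys."""
    pins = [
        base64.b64encode(hashlib.sha256(b"constructed-key-%d" % i).digest()).decode()
        for i in range(n_pins)
    ]
    directives = ['pin-sha256="%s"' % p for p in pins]
    directives += ["max-age=630720000", "includeSubDomains"]
    return "; ".join(directives)


def extract_pins(header):
    """Return the raw 32-byte digests named by the header's pin-sha256 directives."""
    return [base64.b64decode(p, validate=True) for p in PIN_RE.findall(header)]


def storage_sizes(header):
    """Size in bytes of the pin list as text, as DEFLATE-compressed text, and as binary."""
    pins = extract_pins(header)
    # Assumed text record: base64 pins joined by commas (stand-in format).
    text = ",".join(base64.b64encode(p).decode() for p in pins).encode("ascii")
    return {
        "text": len(text),
        # gzip wraps this same DEFLATE stream in a slightly larger header.
        "deflate": len(zlib.compress(text, 9)),
        # Binary record: the digests back to back, 32 bytes each.
        "binary": len(b"".join(pins)),
    }


if __name__ == "__main__":
    sizes = storage_sizes(build_sample_header(27))
    for name, size in sizes.items():
        print("%-8s %5d bytes" % (name, size))
```

Compression can only win back part of the base64 expansion because the digests themselves are effectively random, so the binary form stays the smallest of the three.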
Updated•9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•9 years ago
Whiteboard: [psm-backlog]
Updated•7 years ago
Priority: -- → P3
Comment 4•5 years ago
Bug 1412438 disabled HPKP by default, so I don't think we'll address this.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX