Closed Bug 1190127 Opened 5 years ago Closed 6 months ago

pinning implementation doesn't handle long HPKP headers

Categories

(Core :: Security: PSM, defect, P3)

39 Branch
defect

Tracking

()

RESOLVED WONTFIX

People

(Reporter: chrodev2015, Unassigned)

References

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

1. Visit https://rc4.io
2. Try to open https://pinningtest.rc4.io


Actual results:

The site loads successfully.


Expected results:

An error occurred during a connection to pinningtest.rc4.io. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. (Error code: mozilla_pkix_error_key_pinning_failure)
Blocks: hpkp
Component: Untriaged → Security: PSM
Product: Firefox → Core
The backend restricts the storage space it uses for the security state of any given site. rc4.io sends a long header ('pin-sha256="OIfOyh0t3fDi9OhthcB1tvG2x9hlSKJS6F6nDTfU06M="; pin-sha256="zYVmN2SmJk5Jo4hrJOEK4/43KzCS9Ne5fYuE4kzok2E="; pin-sha256="JsIzHjL+GzNoPLg9bMVah1pacOfntk2CrPl0BkBttkc="; pin-sha256="GbG532k8WC6OZpnjU6ONwKMr3LhSdjk6ZhwEsVHhgBE="; pin-sha256="CG/qev4gAXd3Mscc8VuS3w3hlYguKTxecz23YeD9pZA="; pin-sha256="MfFdEhtHwkisVDkQ9u9I4nKEEENqM0dagSAgQLD1zkQ="; pin-sha256="oYxDc4K35fcrLT8YPLKxG5wrc6e0os7gA8nr+lyQmzw="; pin-sha256="rZS5JHWhAMExpWG8KOZTGnufu4EVcjak6yBRqa6S6zA="; pin-sha256="rMxCv8znPWVu3nxjMxBUSqtbCYOGPVt/EQUG+kRoZzQ="; pin-sha256="J61DGT429L+x0XpXOY1gyYFSJ+fNMqOCgNYLkfb3leQ="; pin-sha256="yT0iaiK9uCqkAso/o1VR/qufhfcWf4aGkYdFTsYHorg="; pin-sha256="Fb6w3IAZsJFTRw0HvHiN4/OzDn+xNRF2/z06QfE0Kks="; pin-sha256="J/jnM3XWHJzBMrEMRm//Rd8RsMGm1G8lJynobIa/Z1g="; pin-sha256="NR0kHztPF2eRaYUHMUo4w8f/sSZHhAgeAHCUUGRuJHc="; pin-sha256="Y9GTsbjJn5VI4jhRZUpDvOTzyFfjpE9n01eE7wH1KTs="; pin-sha256="fYM6N/aqq6/gR2jrhGZuIhAVSH8B0VGy9TOumsusQz8="; pin-sha256="G96s8LDMdcDxOtAalXFsdzuXzDu8CsWrY8tqVnP5wjk="; pin-sha256="s0ByagdvLeURr/2dw51QiVRcEPBbK5NG8D1L0VizdkA="; pin-sha256="vOex9s62XXETm1G2Jh6MBW2fIYuxabhtStWP8A6r8rc="; pin-sha256="2w1DMHVJ2ACkz/GUfyqu3t6BlYFlQs5FMa4x09Tnxos="; pin-sha256="uMruvOi/OsLREG7/Tux/tUNzBawpINObj3V9mKFZnXA="; pin-sha256="XLWA0Hz3PhkDxqwo2OW2N54vOnqz154D2GjRKqfnjCw="; pin-sha256="lYYwQWCPLBycXNKrLKmQbdK7dCsFYFczm8YVFJj+EDk="; pin-sha256="o8UgXnsXRH/UZ9S/DKM01BKByPSPOsTQvBhIUF2QdbE="; pin-sha256="LzXpUII8GYYSZDVe2L0OrSEyl6c79AySVI66z38PL1o="; pin-sha256="5JGS5KldZw+8BBHhVGNmu+dpizZHjbfNiXkqnlHk1+4="; pin-sha256="f0JcQ/dVRUgRY2S5FbayzDbfV2lrUXGn8p7eyoX75iM="; max-age=630720000; includeSubDomains; report-uri="https://report-uri.io/report/735cf8694efb3cb261f511e8c34ffdd2"') which it fails to store. Maybe we should up the limit. We should certainly be more clear in the error message to the console (see bug 1124649).
Summary: HPKP includeSubDomains doesn't work → pinning implementation doesn't handle long HPKP headers
Morgan, this is the bug I was talking about. Here's the specific check that is failing:

https://hg.mozilla.org/mozilla-central/file/2ddec2dedced/security/manager/ssl/DataStorage.cpp#l240

We can increase that limit, but it would be nice to also do something that will decrease the size of the data we're storing. One option would be to just gzip the file, but since the thing that will make it large is long lists of sha-256 hashes, we probably won't get great compression out of that. Another option would be to convert the file from text to binary. That is, currently we write out the representation of whatever data/metadata we're storing as human-readable text. We could significantly reduce the file size by using some binary format instead (maybe protobuf?).

Other files you'll have to have a look at:

https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSiteSecurityService.cpp
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/test_sss_readstate_huge.js
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/test_sss_savestate.js

etc.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Bug 1412438 disabled HPKP by default, so I don't think we'll address this.

Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.