Closed
Bug 1195615
Opened 9 years ago
Closed 9 years ago
Log a web console warning when a HPKP header is ignored due to a non-built in root cert
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
FIXED
mozilla43
Tracking | Status | |
---|---|---|
firefox43 | --- | fixed |
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
Attachments
(2 files, 2 obsolete files)
7.48 KB, patch | Cykesiopka: review+
2.60 KB, patch | Cykesiopka: review+
nsSiteSecurityService.cpp silently ignores the PKP header of a site if the cert for the site chained up to a non-built-in root. No error messages appear in either the web or browser console. Bug 1139505 demonstrates that this is unnecessarily confusing. A warning should be logged so that it's at least clear why Firefox is ignoring the header.
Assignee
Comment 1•9 years ago
Bug 1195615 - Log a web console warning when a HPKP header is ignored due to a non-built in root cert.
Attachment #8649721 - Flags: review?(dkeeler)
Assignee
Comment 2•9 years ago
Bug 1195615 - Add web console test.
Attachment #8649722 - Flags: review?(past)
Updated•9 years ago
Attachment #8649722 - Flags: review?(past) → review+
Comment 3•9 years ago
Comment on attachment 8649722 [details]
MozReview Request: Bug 1195615 - Add web console test.
https://reviewboard.mozilla.org/r/16477/#review14759

Ship It!
Comment on attachment 8649721 [details]
MozReview Request: Bug 1195615 - Log a web console warning when a HPKP header is ignored due to a non-built in root cert.
https://reviewboard.mozilla.org/r/16475/#review14801

This looks good. It's unfortunate that it's necessary, but I don't really see a better way. My one suggestion would be to include a bit more detail in the error message.

::: dom/locales/en-US/chrome/security/security.properties:44
(Diff revision 1)
> +PKPRootNotBuiltIn=Public-Key-Pins: The certificate used by the site chains up to a root certificate not in the root store, so the specified header was ignored.

Maybe something like "The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored. To disable this protection, set the preference 'security.cert_pinning.process_headers_from_non_builtin_roots' to true." (although I realize how verbose that is...)
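Review bot: on the added PKPRootNotBuiltIn line, "not in the root store" does not say which store is meant, while the bug summary is specifically about a "non-built in root cert", so the message does not name the condition that caused the header to be ignored. Suggest naming the built-in (default) root store explicitly in the string, so the console text matches the bug's wording.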
Attachment #8649721 - Flags: review?(dkeeler) → review+
Assignee
Comment 5•9 years ago
https://reviewboard.mozilla.org/r/16475/#review14801

> Maybe something like "The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored. To disable this protection, set the preference 'security.cert_pinning.process_headers_from_non_builtin_roots' to true." (although I realize how verbose that is...)

I used the first part, but left out the second part about the pref:
- To make the text shorter
- Because I would rather have people flip that pref as a last resort
(but I would still be OK either way)
Assignee
Comment 6•9 years ago
+ Update string
Attachment #8649721 - Attachment is obsolete: true
Attachment #8650468 - Flags: review+
Assignee
Comment 7•9 years ago
+ Update string
Attachment #8649722 - Attachment is obsolete: true
Attachment #8650469 - Flags: review+
Assignee
Comment 8•9 years ago
Thanks for the reviews!
https://treeherder.mozilla.org/#/jobs?repo=try&revision=53242d46fdaf
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/c05219c4736d
https://hg.mozilla.org/integration/mozilla-inbound/rev/0740e34249fe
Keywords: checkin-needed
Comment 10•9 years ago
https://hg.mozilla.org/mozilla-central/rev/c05219c4736d
https://hg.mozilla.org/mozilla-central/rev/0740e34249fe
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox43: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment 11•9 years ago
I'm really confused by "The certificate used by the site was not issued by a certificate in the default root certificate store.". Can a certificate issue another certificate? As far as I can tell, a "certificate authority" – whose certificate is eventually in the root certificate store – can issue a certificate.
A certificate authority is a certificate. Some certificates can issue other certificates while others can not. It depends on the extensions a certificate has. This might be informative: https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
Comment 13•9 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #12)
> A certificate authority is a certificate. Some certificates can issue other
> certificates while others can not. It depends on the extensions a
> certificate has. This might be informative:
> https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates

I don't find anything indicating that a certificate authority is a certificate on https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates - could you please clarify or fix the PKPRootNotBuiltIn string?
Comment 14•9 years ago
More on the PKPRootNotBuiltIn string ambiguity: is "non-built-in root" (mentioned in a bug) always equal to "default root" (from the string), like when a user adds a cert to the store?
Updated•9 years ago
Flags: needinfo?(dkeeler)
See the basic constraints extension. The RFC may also be informative: https://tools.ietf.org/html/rfc5280#section-4.2.1.9

When a user adds a certificate authority to the certificate database, that certificate is a "non-built-in root". This is in contrast to the "default roots" or "built-in roots" that ship with the browser.
Flags: needinfo?(dkeeler)