Closed Bug 1195615 Opened 6 years ago Closed 6 years ago

Log a web console warning when a HPKP header is ignored due to a non-built in root cert

Product/Component: Core :: Security: PSM
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Target Milestone: mozilla43
Tracking Status: firefox43 --- fixed

People

(Reporter: Cykesiopka, Assigned: Cykesiopka)


Attachments

(2 files, 2 obsolete files)

nsSiteSecurityService.cpp silently ignores the PKP header of a site if the cert for the site chained up to a non-built-in root. No error messages appear in either the web or browser console.

Bug 1139505 demonstrates that this is unnecessarily confusing.
A warning should be logged so that it's at least clear why Firefox is ignoring the header.
Bug 1195615 - Log a web console warning when a HPKP header is ignored due to a non-built in root cert.
Attachment #8649721 - Flags: review?(dkeeler)
Bug 1195615 - Add web console test.
Attachment #8649722 - Flags: review?(past)
Attachment #8649722 - Flags: review?(past) → review+
Comment on attachment 8649721 [details]
MozReview Request: Bug 1195615 - Log a web console warning when a HPKP header is ignored due to a non-built in root cert.

https://reviewboard.mozilla.org/r/16475/#review14801

This looks good. It's unfortunate that it's necessary, but I don't really see a better way. My one suggestion would be to include a bit more detail in the error message.

::: dom/locales/en-US/chrome/security/security.properties:44
(Diff revision 1)
> +PKPRootNotBuiltIn=Public-Key-Pins: The certificate used by the site chains up to a root certificate not in the root store, so the specified header was ignored.

Maybe something like "The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored. To disable this protection, set the preference 'security.cert_pinning.process_headers_from_non_builtin_roots' to true." (although I realize how verbose that is...)
Attachment #8649721 - Flags: review?(dkeeler) → review+
https://reviewboard.mozilla.org/r/16475/#review14801

> Maybe something like "The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored. To disable this protection, set the preference 'security.cert_pinning.process_headers_from_non_builtin_roots' to true." (although I realize how verbose that is...)

I used the first part, but left out the second part about the pref:
- To make the text shorter
- Because I would rather have people flip that pref as a last resort (but I would still be OK either way)
+ Update string
Attachment #8649721 - Attachment is obsolete: true
Attachment #8650468 - Flags: review+
+ Update string
Attachment #8649722 - Attachment is obsolete: true
Attachment #8650469 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/c05219c4736d
https://hg.mozilla.org/mozilla-central/rev/0740e34249fe
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
I'm really confused by "The certificate used by the site was not issued by a certificate in the default root certificate store.".

Can a certificate issue another certificate? As far as I can tell, a "certificate authority" – whose certificate is eventually in the root certificate store – can issue a certificate.
A certificate authority is a certificate. Some certificates can issue other certificates while others cannot. It depends on the extensions a certificate has. This might be informative: https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
(In reply to David Keeler [:keeler] (use needinfo?) from comment #12)
> A certificate authority is a certificate. Some certificates can issue other
> certificates while others can not. It depends on the extensions a
> certificate has. This might be informative:
> https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates

I don't find anything indicating that a certificate authority is a certificate on https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates - could you please clarify or fix the PKPRootNotBuiltIn string?
More on the PKPRootNotBuiltIn string ambiguity: is "non-built-in root" (mentioned in the bug) always equal to "default root" (from the string), like when a user adds a cert to the store?
Flags: needinfo?(dkeeler)
See the basic constraints extension. The RFC may also be informative: https://tools.ietf.org/html/rfc5280#section-4.2.1.9

When a user adds a certificate authority to the certificate database, that certificate is a "non-built-in root". This is in contrast to the "default roots" or "built-in roots" that ship with the browser.
Flags: needinfo?(dkeeler)
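An added illustration of the two points made in the last comments; this is example code written for this page, not code from the bug, its patches, or Firefox. It shows (a) how the basicConstraints extension (RFC 5280 section 4.2.1.9) is what decides whether a certificate can issue other certificates, read directly from DER with the standard library, and (b) the header decision this bug adds a warning for: a Public-Key-Pins header is only processed when the chain ends in a built-in root, unless the `security.cert_pinning.process_headers_from_non_builtin_roots` pref quoted above is set. The DER extension blobs are constructed inline, and the warning text is an approximation assembled from the string discussed in the review, not the exact landed string.

```python
"""Read X.509 basicConstraints from DER and mirror the HPKP non-built-in-root
decision.  Stdlib only; all sample DER below is constructed, not from a real
certificate."""
from typing import Optional, Tuple

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15 (opaque here)
PREF_NON_BUILTIN = "security.cert_pinning.process_headers_from_non_builtin_roots"


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at data[pos]; returns (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of input")
    return tag, data[pos:end], end


def parse_basic_constraints(value: bytes) -> Tuple[bool, Optional[int]]:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }.  Absent cA means FALSE."""
    tag, body, _ = read_tlv(value)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    is_ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:      # BOOLEAN
        _, b, pos = read_tlv(body, pos)
        is_ca = b != b"\x00"
    if pos < len(body) and body[pos] == 0x02:      # INTEGER
        _, i, pos = read_tlv(body, pos)
        path_len = int.from_bytes(i, "big")
    return is_ca, path_len


def can_issue_certificates(extensions_der: bytes) -> bool:
    """Walk an Extensions SEQUENCE; a certificate may act as an issuer only
    if basicConstraints says cA=TRUE.  No such extension (typical for an
    end-entity certificate) means it cannot issue anything."""
    tag, body, _ = read_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext)               # extnID
        t, field, p = read_tlv(ext, p)
        if t == 0x01:                            # optional 'critical' BOOLEAN
            t, field, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        if oid == OID_BASIC_CONSTRAINTS:
            return parse_basic_constraints(field)[0]
    return False


def basic_constraints_ext(is_ca: bool, path_len: Optional[int] = None,
                          critical: bool = True) -> bytes:
    """Build a DER Extension for basicConstraints (sample data only;
    path_len limited to 0..127 to keep the INTEGER encoding trivial)."""
    seq = tlv(0x01, b"\xff") if is_ca else b""   # DEFAULT FALSE is omitted
    if path_len is not None:
        if not 0 <= path_len <= 127:
            raise ValueError("sample encoder only handles small path lengths")
        seq += tlv(0x02, bytes([path_len]))
    ext = tlv(0x06, OID_BASIC_CONSTRAINTS)
    if critical:
        ext += tlv(0x01, b"\xff")
    return tlv(0x30, ext + tlv(0x04, tlv(0x30, seq)))


# Constructed sample Extensions blobs (not taken from any real certificate).
KEY_USAGE_EXT = tlv(0x30, tlv(0x06, OID_KEY_USAGE) + tlv(0x01, b"\xff")
                    + tlv(0x04, tlv(0x03, b"\x01\x86")))
ROOT_CA_EXTENSIONS = tlv(0x30, KEY_USAGE_EXT + basic_constraints_ext(True))
INTERMEDIATE_EXTENSIONS = tlv(0x30, basic_constraints_ext(True, path_len=0))
LEAF_EXTENSIONS = tlv(0x30, KEY_USAGE_EXT + basic_constraints_ext(False, critical=False))
NO_BC_EXTENSIONS = tlv(0x30, KEY_USAGE_EXT)


def hpkp_header_action(root_is_builtin: bool, process_non_builtin_pref: bool = False) -> str:
    """The decision this bug adds a warning for: process the header only if the
    chain's root is built-in or the pref is flipped; otherwise return the
    console warning (approximate wording, assembled from the review thread)."""
    if root_is_builtin or process_non_builtin_pref:
        return "processed"
    return ("Public-Key-Pins: The certificate used by the site was not issued by a "
            "certificate in the default root certificate store. To prevent "
            "accidental breakage, the specified header was ignored.")


if __name__ == "__main__":
    for name, exts in [("root", ROOT_CA_EXTENSIONS), ("intermediate", INTERMEDIATE_EXTENSIONS),
                       ("leaf", LEAF_EXTENSIONS), ("no basicConstraints", NO_BC_EXTENSIONS)]:
        print(f"{name:>20}: can issue = {can_issue_certificates(exts)}")
    print(hpkp_header_action(root_is_builtin=False))
```

Run it as a script to see the verdict for each sample; `can_issue_certificates` is the piece to point people at when they ask why a user-imported CA is still a "certificate", and `hpkp_header_action(False)` is the case that used to fail silently before this bug.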