Closed Bug 1218515 Opened 4 years ago Closed 4 years ago

Please preload pinning-test.badssl.com with a bogus pin.

Categories

(Core :: Security: PSM, defect)

41 Branch
defect
Not set

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: code, Assigned: keeler)

Details

(Whiteboard: [parity-chrome])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2541.0 Safari/537.36

Steps to reproduce:

1. Visit https://pinning-test.badssl.com/


Actual results:

The page loads.


Expected results:

Per [1], I'd like https://pinning-test.badssl.com to fail with an HPKP pinning failure (including subdomains).

(See screenshot for Chrome Canary behaviour.)

In Chrome, we use the bogus pin `sha1/AAAAAAAAAAAAAAAAAAAAAAAAAAA=` [2] (although I'm about to change this to SHA256 [3]) and include subdomains for this domain [4].

[1] https://github.com/lgarron/badssl.com/issues/15#issuecomment-151260202
[2] https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.certs
[3] https://crbug.com/368878
[4] https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&q=pinning-test.badssl.com&sq=package:chromium&l=185
Component: Untriaged → Security: PSM
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Whiteboard: [parity-chrome]
bug 1218515 - flip pinning-test.badssl.com into production mode r?jcj

pinning-test.badssl.com is a test domain for preloaded HPKP (HTTP Public Key
Pinning - see RFC 7469). By specifying a pinset corresponding to no known keys,
this domain should fail with a key pinning error by default. Also, the
includeSubdomains option is set, so any subdomains should fail as well.
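To make the mechanism described in the commit message concrete, here is an added example (not code from the patch or from Firefox's PSM) that models a preload-list lookup with includeSubdomains and the HPKP pin check: a pinset holding only a pin no key can hash to fails for the host and every subdomain, while an uncovered host passes. The SPKI bytes, the preload table and the `example.test` entry are constructed for the demo.

```python
import base64
import hashlib

# Constructed stand-ins for the DER SubjectPublicKeyInfo of a served chain
# (not real keys): leaf first, then intermediate.
CHAIN_SPKI = [b"constructed-leaf-spki", b"constructed-intermediate-spki"]


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: 'sha256/' + base64(SHA-256(SPKI DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# A pin of 32 zero bytes: no real key hashes to this, so a pinset that
# contains only it can never be satisfied (SHA-256 form of the "bogus pin";
# the report quotes the SHA-1 variant Chrome used at the time).
BOGUS_PIN = "sha256/" + base64.b64encode(bytes(32)).decode()

# Constructed preload table: host -> (pins, include_subdomains).
PRELOAD = {
    "pinning-test.badssl.com": ([BOGUS_PIN], True),
    "example.test": ([spki_pin(b"constructed-intermediate-spki")], False),
}


def find_pins(host):
    """Walk the host's parent domains; a parent entry applies only when
    its includeSubdomains flag is set. Returns the pinset or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PRELOAD.get(".".join(labels[i:]))
        if entry is None:
            continue
        pins, include_subdomains = entry
        if i == 0 or include_subdomains:
            return pins
    return None


def pin_check(host, chain_spki):
    """'ok' when the host is unpinned or any chain SPKI matches a pin,
    otherwise 'pin-failure' (the error the test domain is meant to show)."""
    pins = find_pins(host)
    if pins is None:
        return "ok"
    chain_pins = {spki_pin(spki) for spki in chain_spki}
    return "ok" if chain_pins & set(pins) else "pin-failure"
```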
Attachment #8679110 - Flags: review?(jjones)
Assignee: nobody → dkeeler
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8679110 - Flags: review?(jjones) → review+
Comment on attachment 8679110 [details]
MozReview Request: bug 1218515 - flip pinning-test.badssl.com into production mode r?jcj

https://reviewboard.mozilla.org/r/23377/#review21033

LGTM
Thanks for the review!
(Just so anyone following this is aware: this patch changes the input to the automated script that will actually make the code change when it runs this Saturday.)
https://hg.mozilla.org/mozilla-central/rev/8431c19a4006
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44