Closed Bug 1218888 Opened 9 years ago Closed 7 years ago

Security Issue: HPKP PINs not stored persistently in Firefox for Android

Categories

(Firefox for Android Graveyard :: General, defect, P2)

41 Branch
Unspecified
Android

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: max.culver, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151014143721

Firefox for Android

Steps to reproduce:

1. Load a web page that has a HPKP certificate pin
2. Change the SSL certificate on the web server so it doesn't match the HPKP certificate sent to Firefox for Android in step 1.
3. Reload the web page, a security error message must be shown.
4. Close Firefox mobile via the task switcher so it is removed from memory
5. Open Firefox mobile again
6. Load page again, a security error message must be shown

Actual results:

In step 6. the web page is loaded without a certificate error message which means the HPKP PIN for the page was not stored across a Firefox mobile restart.

Expected results:

The security error message should have been shown again and the user should have been denied access to the page. (Note: This works correctly in Firefox on the PC so it is a Firefox for Android problem!)
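The persistence property that steps 4 to 6 of the report depend on, as an added example that is not part of the original bug report and is not Firefox code: a pin noted from a `Public-Key-Pins` header (RFC 7469) is written to disk, a fresh process reloads it, and a changed key is still rejected. `PinStore`, `restart_scenario`, the host `pinned.example` and the byte strings standing in for SubjectPublicKeyInfo data are hypothetical, and the parser handles only `pin-sha256` and `max-age`.

```python
import base64, hashlib, json, os, re, tempfile, time

def spki_pin(spki_der):  # RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header):
    # Simplified parser: pin-sha256 and max-age only (includeSubDomains, report-uri ignored)
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header)
    max_age = re.search(r'max-age=(\d+)', header)
    if not pins or not max_age:
        raise ValueError("Public-Key-Pins needs pin-sha256 and max-age")
    return sorted(set(pins)), int(max_age.group(1))

class PinStore:
    """Hypothetical pin store: every change is written to disk before returning."""
    def __init__(self, path):
        self.path, self.hosts = path, {}
        if os.path.exists(path):          # reload pins noted by an earlier process
            with open(path) as f:
                self.hosts = json.load(f)

    def note_header(self, host, header, now=None):
        pins, max_age = parse_pkp(header)
        now = time.time() if now is None else now
        if max_age == 0:                  # max-age=0 removes the pin
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = {"pins": pins, "expires": now + max_age}
        with open(self.path + ".tmp", "w") as f:
            json.dump(self.hosts, f)
        os.replace(self.path + ".tmp", self.path)   # atomic swap, no half-written file

    def allows(self, host, chain_spkis, now=None):
        now = time.time() if now is None else now
        entry = self.hosts.get(host)
        if entry is None or entry["expires"] <= now:
            return True                   # no live pin for this host
        return any(spki_pin(s) in entry["pins"] for s in chain_spkis)

def restart_scenario():
    # Constructed stand-ins for DER SubjectPublicKeyInfo blobs, not real keys
    old_key, backup_key, new_key = b"spki-original", b"spki-backup", b"spki-replacement"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
        spki_pin(old_key), spki_pin(backup_key))
    PinStore(path).note_header("pinned.example", header, now=0)   # step 1
    restarted = PinStore(path)                                    # steps 4-5: fresh process
    return (restarted.allows("pinned.example", [old_key], now=60),
            restarted.allows("pinned.example", [new_key], now=60))  # step 6
```

A store that kept `hosts` only in memory would return `True` for the replacement key after the restart, which is the behaviour the report describes in step 6.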
Severity: normal → major
Component: Untriaged → General
OS: Unspecified → Android
Priority: -- → P2
Product: Firefox → Firefox for Android
Version: 41 Branch → Firefox 41
Hello Martin,

Can you please provide a web page that has a HPKP certificate pin? Also, is this issue still reproducible to you? If you manage to reproduce it, please mention what device, Android version and build you used.

Regards,
Andrei
Flags: needinfo?(max.culver)
Due to the lack of additional info, I'll close this issue as Incomplete. If someone can provide more information regarding this issue, please feel free to reopen it, thanks.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard