Security Issue: HPKP PINs not stored persistently in Firefox for Android

RESOLVED INCOMPLETE

Status

P2
major
3 years ago
3 months ago

People

(Reporter: max.culver, Unassigned, NeedInfo)

Tracking

41 Branch
Unspecified
Android

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151014143721
Firefox for Android

Steps to reproduce:

1. Load a web page that has an HPKP certificate pin.
2. Change the SSL certificate on the web server so it doesn't match the HPKP certificate sent to Firefox for Android in step 1.
3. Reload the web page; a security error message must be shown.
4. Close Firefox mobile via the task switcher so it is removed from memory
5. Open Firefox mobile again
6. Load the page again; a security error message must be shown.


Actual results:

In step 6, the web page is loaded without a certificate error message, which means the HPKP PIN for the page was not stored across a Firefox mobile restart.


Expected results:

The security error message should have been shown again and the user should have been denied access to the page. 

(Note: This works correctly in Firefox on the PC so it is a Firefox for Android problem!)
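
The behaviour the steps above expect, sketched as an added example that is not part of the original report and not Firefox's code: a pin store that writes each noted pin to disk and reloads it in a new process. `PinStore`, `replay_steps`, the host `example.test` and the byte strings standing in for DER-encoded keys are constructed for illustration, and the checks RFC 7469 requires before a pin is noted (backup pin, match against the current chain) are omitted.

```python
import base64, hashlib, json, os, re, tempfile, time

def parse_pkp(header):
    """Extract the pin-sha256 values and max-age from a Public-Key-Pins header."""
    pins = re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header, re.I)
    m = re.search(r'max-age=(\d+)', header, re.I)
    return sorted(set(pins)), (int(m.group(1)) if m else None)

def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    """Pin state is written to disk on every change so it survives a restart."""
    def __init__(self, path):
        self.path, self.hosts = path, {}
        if os.path.exists(path):          # a fresh process reloads earlier pins
            with open(path) as f:
                self.hosts = json.load(f)

    def note_header(self, host, header):
        pins, max_age = parse_pkp(header)
        if not pins or max_age is None:
            return False                  # malformed header: nothing is stored
        if max_age == 0:
            self.hosts.pop(host, None)    # max-age=0 removes the pin
        else:
            expires = time.time() + max_age
            self.hosts[host] = {"pins": pins, "expires": expires}
        with open(self.path, "w") as f:
            json.dump(self.hosts, f)
        return True

    def connection_allowed(self, host, chain_spkis, now=None):
        now = time.time() if now is None else now
        entry = self.hosts.get(host)
        if entry is None or entry["expires"] <= now:
            return True                   # no unexpired pin for this host
        return any(spki_pin(s) in entry["pins"] for s in chain_spkis)

def replay_steps():
    """Steps 1-6 of the report; returns (allowed in step 3, allowed in step 6)."""
    old_key, new_key = b"constructed-spki-A", b"constructed-spki-B"
    header = 'pin-sha256="%s"; max-age=5184000' % spki_pin(old_key)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        browser = PinStore(path)
        browser.note_header("example.test", header)                     # step 1
        before = browser.connection_allowed("example.test", [new_key])  # steps 2-3
        restarted = PinStore(path)                                      # steps 4-5
        after = restarted.connection_allowed("example.test", [new_key]) # step 6
    return before, after
```

A store that kept `hosts` only in memory would return `(False, True)` from the same replay, which is the result the report describes for step 6.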
(Reporter)

Updated

3 years ago
Severity: normal → major
Component: Untriaged → General
OS: Unspecified → Android
Priority: -- → P2
Product: Firefox → Firefox for Android
Version: 41 Branch → Firefox 41

Comment 1

4 months ago
Hello Martin,

Can you please provide a web page that has an HPKP certificate pin?
Also, is this issue still reproducible for you? If you manage to reproduce it, please mention what device, Android version and build you used.

Regards,
Andrei
Flags: needinfo?(max.culver)

Comment 2

3 months ago
Due to the lack of additional info, I'll close this issue as Incomplete. If someone can provide more information regarding this issue, please feel free to reopen it, thanks.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → INCOMPLETE