Devise special enterprise-focused solution for breaking HPKP pins

NEW
Unassigned

People

(Reporter: greg, Unassigned)

Tracking

({sec-want})

42 Branch
sec-want
(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421
Firefox for Android

Steps to reproduce:

1. Visit a website that was pinned per the HPKP standard on a Dell


Actual results:

1. I was MITM'ed by a random stranger on the Internet who got ahold of the private key that's shipped on many Dells for a malicious CA that's installed on those Dells. My HPKP pins (all of them) became worthless and my life was ruined, possibly resulting in a breach of National Security.


Expected results:

Firefox should have protected me as per the HPKP RFC, which states that only the *USER* (me) should be allowed to override pins.

However someone other than me was able to do it.

This has now happened on 3 occasions, where random entities have been able to compromise users like me and hundreds of thousands of others:

http://blog.okturtles.com/2015/11/dells-tumble-googles-fumble-and-how-government-sabotage-of-internet-security-works/

We are still vulnerable to this day to this attack.

Firefox could have protected us by following the requirements of the HPKP RFC as specified in Section 2.6, that only *users* should be allowed to override the pins.

This can be done by:

- Removing the default of allowing any root CA in the cert store to override the pins.
- Adding a GUI for resetting pins individually

Now, as I also happen to run a business, I understand and sometimes need Firefox to be able to override the pins on my 100 corporate-owned machines so that we can use our DPKI software to monitor all of our employees' traffic.

However, I want to do right by my employees (and by myself, my country, and all those other users out there), and not make it so that in solving this one problem I end up destroying the security of the entire world.

So I'm thinking maybe Firefox could create, for this *exceptional circumstance*, an *exceptional feature*, perhaps in the form of CorporateFox as a separate browser or extension that tells my employees that they are being monitored, and is not shipped by default with Firefox.

Thank you Mozilla for helping keep us safe!
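
An added illustration, not part of the original report and not Firefox code: a small model of the pin decision the report describes, comparing the default (a chain ending at a locally installed root skips pin checks) with the strict behaviour the report asks for. All certificate names and key bytes are constructed, and the `strict` flag is a hypothetical switch used only for this example.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo

def spki_pin(cert):
    """HPKP-style pin: base64 of SHA-256 over the SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()

def pin_decision(chain, pinned, builtin_roots, strict):
    """Decide on a leaf-first chain that already passed path validation.

    chain[-1] is the trust anchor. `strict` (hypothetical) means locally
    installed roots get no exemption from pin checks.
    """
    if any(spki_pin(c) in pinned for c in chain):
        return "accept: pin matched"
    if chain[-1] not in builtin_roots and not strict:
        # The default the report objects to: any root added to the
        # local store switches pin validation off for that chain.
        return "accept: pins skipped for locally installed root"
    return "reject: pin mismatch"

# Constructed sample data.
PUBLIC_ROOT = Cert("Example Public Root", b"public-root-key")
OTHER_ROOT = Cert("Other Public Root", b"other-root-key")
OEM_ROOT = Cert("Preinstalled OEM Root", b"oem-root-key")
INTERMEDIATE = Cert("Example Issuing CA", b"issuing-ca-key")
BACKUP = Cert("Offline Backup Key", b"backup-key")

BUILTIN = frozenset({PUBLIC_ROOT, OTHER_ROOT})
PINS = {spki_pin(INTERMEDIATE), spki_pin(BACKUP)}  # what the site pinned

GENUINE = [Cert("site.example", b"site-key"), INTERMEDIATE, PUBLIC_ROOT]
# Leaf signed with the OEM root's key, which ships on the machine.
INTERCEPT = [Cert("site.example", b"forged-key"), OEM_ROOT]
# Leaf mis-issued under a different built-in root.
MISISSUED = [Cert("site.example", b"forged-key-2"), OTHER_ROOT]

if __name__ == "__main__":
    for label, chain in (("genuine", GENUINE), ("intercept", INTERCEPT),
                         ("misissued", MISISSUED)):
        for strict in (False, True):
            print(label, "strict" if strict else "default", "->",
                  pin_decision(chain, PINS, BUILTIN, strict))
```

In this model, pins still stop mis-issuance by a built-in CA in both modes; only the chain ending at the locally installed root changes outcome between the default and strict settings.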
(Reporter)

Updated

3 years ago
Severity: normal → critical
(Reporter)

Comment 1

3 years ago
s/DPKI/DPI. lol. Been typing that acronym too much.
(Reporter)

Comment 2

3 years ago
Also, I ACK the fact that Dell did not take the time to mess with Firefox's cert store, but if I recall correctly Lenovo did.

Some have made the specious argument that a compromised host means that it's not worth trying to address this problem, but that isn't true, as in both the case of Dell and Lenovo, they would have been forced to write malware for their computers instead of using an "Officially Approved Backdoor Feature". That could result in lawsuits, a worthless stock, and even potentially jail time for the offenders. So addressing this issue would have a meaningful impact on the net's security, even in the case of a compromised or malicious hardware manufacturer.

Updated

3 years ago
Severity: critical → normal
Keywords: sec-want

Comment 3

3 years ago
There's a parallel here with what we're trying to do with add-ons: forcing bad actors to cross a line they are not willing to cross.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

3 years ago
Component: Untriaged → Security
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All