1282008 - update the CNNIC whitelist to remove certificates that have expired since they were put on the list

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[Xidorn Quan [:xidorn] UTC+11]

It seems to me that whitelist currently takes ~45KB codesize. The last update of that file is over a year ago, which indicates that more certificates inside may have expired.

I don't have the list of certificates, so I have no idea how much would it save.

Also I guess we can probably just remove the whole whitelist and disable CNNIC root directly for Fennec. I don't really believe that could have a big impact.

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

This change will remove about 2/3 of the certificates on the list. Since there doesn't seem to be a huge drive towards disabling the list and root on Firefox for Android, I'll let that be dealt with separately if it's considered necessary.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Attachment: bug 1282008 - update CNNIC whitelist to remove expired certificates

Review commit: https://reviewboard.mozilla.org/r/84022/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/84022/

Comment 3

[Richard Barnes [:rbarnes]]

Comment on attachment 8798614 [details]
bug 1282008 - update CNNIC whitelist to remove expired certificates

https://reviewboard.mozilla.org/r/84022/#review82940

Comment 4

[Pulsebot]

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/96f862cb3d91
update CNNIC whitelist to remove expired certificates r=rbarnes

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/96f862cb3d91