Open
Bug 1303414
Opened 8 years ago
Updated 2 years ago
increase preloaded information lifetimes
Categories
(Core :: Security: PSM, defect, P3)
Core
Security: PSM
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | affected |
People
(Reporter: keeler, Unassigned)
References
Details
(Keywords: stale-bug, Whiteboard: [psm-backlog])
We need to increase the lifetime of preloaded security information (particularly pinning, but possibly also HSTS). Speaking mostly of pinning, the rationale was to prevent situations where a user has an old version of the browser and a site has (since the release of that version) rolled over its keys and/or CA, leading to a broken site. The current setup assumes 6 week release cycles and results in at best 2 weeks of leeway before the preloaded pins expire. Cycles can be longer than 6 weeks now (up to 8, I understand), and in any case 2 weeks of leeway isn't enough.
|
||
Updated•8 years ago
|
Blocks: CVE-2016-5284
|
Reporter | |
Updated•8 years ago
|
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
|
|
||
Comment 1•7 years ago
|
||
Do we still intend to do this? Bug 1307530 ensures that the HPKP pinning expiration for Firefox 50 is after the release of Firefox 51, but it looks like we haven't done the same for 51 and 52. https://hg.mozilla.org/releases/mozilla-beta/file/95d20a617288dde9faff91e847d414bb3403c157/security/manager/ssl/StaticHPKPins.h#l1167: > static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1487512954010000); = 2017-02-19 If I'm reading https://wiki.mozilla.org/RapidRelease/Calendar correctly, Firefox 52 will be released on 2017-03-07.
Flags: needinfo?(dkeeler)
|
|
Reporter | |
Comment 2•7 years ago
|
||
Thanks for reminding me. We probably still need to do something like this, but I keep having philosophical arguments with myself about if we can just change the lifetime without changing the max-age requirement on the header. In the meantime, JC is taking care of this particular instance in bug 1330446.
Flags: needinfo?(dkeeler)
|
|
Reporter | |
Comment 3•7 years ago
|
||
For posterity, as I noted in bug 1364240 comment 3: > (FWIW, I'm not sure bug 1303414 is quite the right approach. I think we need > to add a step somewhere in the release process where we go "ok, how long are > we expecting this to be live?" and set the expiration dates of the pinning > and strict-transport-security preload lists appropriately.)
| Comment hidden (obsolete) |
|
|
Reporter | |
Updated•7 years ago
|
Assignee: dkeeler → nobody
Priority: P1 → P3
Whiteboard: [psm-assigned] → [psm-backlog]
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•