1307530 - Ensure that the HPKP pinning expiration for Firefox 50 is after the release of Firefox 51

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Ryan VanderMeulen [:RyanVM]]

[Tracking Requested - why for this release]: Possible MITM issue if not done before Fx50 ships.

Currently, the HPKP pins for Fx50 will expire at Sat, 07 Jan 2017 12:48:52 GMT. Firefox 51 isn't due to ship until January 24, so we've got a nearly 3 week gap between expiration and a new version shipping (not including throttling or other unforeseen delays).

We should ensure that the timestamp gets manually updated before the end of the cycle. Filing this to make sure it's on RelMan's radar.

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Can we just change the timestamp now to something early February-ish or do we need to wait until the end of the cycle to do this?

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

On branches that aren't being auto-updated (so release and beta), it should be safe to just set the expiration date to a date by which we're confident enough users will have updated to the next version (which is arguably what we should be doing for all branches anyway...)

As a side-note, I imagine our preloaded HSTS data has a similar issue.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Attachment: Bump the pinned dates to 14-Feb, 2017

This sets the HPKP and HSTS expiration times to Tue, 14 Feb 2017 20:48:56 GMT. That gets us 3 weeks after Firefox 51 is released before there's an issue.

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8797779 [details] [diff] [review]
Bump the pinned dates to 14-Feb, 2017

Review of attachment 8797779 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/8035f2b48f0a