Closed Bug 1307530 Opened 3 years ago Closed 3 years ago

Ensure that the HPKP pinning expiration for Firefox 50 is after the release of Firefox 51

Categories

(Core :: Security: PSM, defect)

defect
Not set

Tracking


RESOLVED FIXED
mozilla50
Tracking Status
firefox50 + fixed
firefox51 --- unaffected
firefox52 --- unaffected

People

(Reporter: RyanVM, Assigned: RyanVM)


Attachments

(1 file)

[Tracking Requested - why for this release]: Possible MITM issue if not done before Fx50 ships.

Currently, the HPKP pins for Fx50 will expire at Sat, 07 Jan 2017 12:48:52 GMT. Firefox 51 isn't due to ship until January 24, so we've got a nearly 3-week gap between expiration and a new version shipping (not including throttling or other unforeseen delays).

We should ensure that the timestamp gets manually updated before the end of the cycle. Filing this to make sure it's on RelMan's radar.
Can we just change the timestamp now to something early February-ish or do we need to wait until the end of the cycle to do this?
Flags: needinfo?(dkeeler)
On branches that aren't being auto-updated (so release and beta), it should be safe to just set the expiration date to a date by which we're confident enough users will have updated to the next version (which is arguably what we should be doing for all branches anyway...)

As a side note, I imagine our preloaded HSTS data has a similar issue.
Flags: needinfo?(dkeeler)
This sets the HPKP and HSTS expiration times to Tue, 14 Feb 2017 20:48:56 GMT. That gets us 3 weeks after Firefox 51 is released before there's an issue.
Attachment #8797779 - Flags: review?(dkeeler)
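The check behind this bug, as an added example that is not code from the bug, the patch or Firefox itself: parse the built-in pin expiration timestamp, compare it with the next release date, and report both the window in which a build would run with expired (and therefore unenforced) preloaded pins and whether the expiry leaves the buffer RelMan wanted. The Firefox 51 release date is assumed to be 2017-01-24 00:00 UTC, since the comment only gives the day.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed from the dates quoted in this bug; the release moment is an
# assumption (the comment only names the day).
FX50_ORIGINAL_EXPIRY = "Sat, 07 Jan 2017 12:48:52 GMT"
FX50_BUMPED_EXPIRY = "Tue, 14 Feb 2017 20:48:56 GMT"
FX51_RELEASE = datetime(2017, 1, 24, tzinfo=timezone.utc)


def parse_expiry(http_date: str) -> datetime:
    """Parse the RFC 1123 style timestamp used in the bug into an aware UTC datetime."""
    dt = parsedate_to_datetime(http_date)
    if dt.tzinfo is None:  # "-0000" style dates come back naive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def expiry_margin(expiry: str, next_release: datetime) -> timedelta:
    """How far past the next release the built-in expiry reaches (negative if before it)."""
    return parse_expiry(expiry) - next_release


def unprotected_window(expiry: str, next_release: datetime) -> timedelta:
    """Time users on this build spend with expired preloaded pins before the next
    release is even available. Zero when the pins outlive the release."""
    gap = -expiry_margin(expiry, next_release)
    return gap if gap > timedelta(0) else timedelta(0)


def expiry_is_safe(expiry: str, next_release: datetime,
                   min_buffer: timedelta = timedelta(weeks=3)) -> bool:
    """True when the pins outlive the next release by at least min_buffer,
    covering update throttling and the usual lag before users have updated."""
    return expiry_margin(expiry, next_release) >= min_buffer


if __name__ == "__main__":
    for label, exp in (("original", FX50_ORIGINAL_EXPIRY), ("bumped", FX50_BUMPED_EXPIRY)):
        print(f"{label}: margin={expiry_margin(exp, FX51_RELEASE)} "
              f"unprotected={unprotected_window(exp, FX51_RELEASE)} "
              f"safe={expiry_is_safe(exp, FX51_RELEASE)}")
```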
Comment on attachment 8797779 [details] [diff] [review]
Bump the pinned dates to 14-Feb, 2017

Review of attachment 8797779 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8797779 - Flags: review?(dkeeler) → review+
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
See Also: → 1330446