add user interface for hpkp (http public key pinning)

Status: UNCONFIRMED (Unassigned)
Product / Component: Firefox / Security
Priority: P3, enhancement
Reporter: keynet
Tracking: Firefox Tracking Flags (Not tracked)

Description (Reporter, a year ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160922113459

Steps to reproduce:

Updated a website certificate using a NEW private key, which means a new HSTS pin required.

Actual results:

Website updated OK
Firefox fails with MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
But Chrome works OK


Expected results:

Firefox should have an option to delete an out-of-date pin and restart the pin learning process. At the moment there seems to be no UI (not in history etc.) to do this in any reasonable way. It's quite likely that a new cert will involve a new private key (if you're being secure, that is). Timeouts are typically long.

In the end I had to mess about and manually edit SiteSecurityServiceState.txt to remove the old record per this
https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/

Then it was OK!

Updated (a year ago)

Component: Untriaged → Security: PSM
Product: Firefox → Core

Comment 1 (a year ago)

The issue is that there's no user-friendly way to modify collected HPKP state in the browser. We could build some UI for this.

Component: Security: PSM → Preferences
Depends on: 1115712
Product: Core → Firefox
See Also: → bug 572803
Summary: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE → add user interface for hpkp (http public key pinning)
Version: 49 Branch → unspecified

Comment 2 (Reporter, a year ago)

A couple more points:
- Current Apple Safari, like Chrome, handles this correctly (without user intervention)
- I think the reported error is actually wrong.
"The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset."
This is not true. There is a valid certificate chain, it's just that the browser is not using the current pin, it's sticking to the older one, and not replacing it with the current one. Fix this, and you don't need a UI to handle the situation.
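The pin-noting rule behind the behaviour discussed in the comments above, as an added Python illustration (not code from Firefox or from this bug): a client enforces its stored pins before it will accept a new Public-Key-Pins header, so a rotation to a key that was never advertised as a backup fails until the stored entry expires, while a rotation to the pre-advertised backup key succeeds. The host name, SPKI byte strings and header values are constructed placeholders.

```python
import base64
import hashlib

# Simplified RFC 7469 pin validation and pin noting. The SPKI values are
# constructed byte strings standing in for DER SubjectPublicKeyInfo blobs.
KEY_A, KEY_B, KEY_C, KEY_X = (b"spki-" + k for k in (b"A", b"B", b"C", b"X"))


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str):
    """Return (set of pin-sha256 values, max-age in seconds) from a PKP header."""
    pins, max_age = set(), 0
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "pin-sha256":
            pins.add(arg.strip('"'))
        elif name.lower() == "max-age":
            max_age = int(arg)
    return pins, max_age


def connect(store, host, chain_spkis, pkp_header, now):
    """One TLS connection: enforce the noted pins first. Only a connection that
    passes can teach the client new pins, so rotating to a key that was never
    advertised locks the client out until the old entry expires."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    entry = store.get(host)
    if entry and now < entry["expires"] and not (entry["pins"] & chain_pins):
        return "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE"
    if pkp_header:
        pins, max_age = parse_pkp_header(pkp_header)
        # RFC 7469 sect. 2.5: note pins only if one matches the chain and a
        # Backup Pin (one NOT in the chain) is also present; otherwise ignore.
        if pins & chain_pins and pins - chain_pins:
            store[host] = {"pins": pins, "expires": now + max_age}
    return "OK"


def rotation_scenario():
    """Pin key A with B as backup, rotate to unannounced X, then to planned B."""
    store, host, day = {}, "example.test", 86400
    def hdr(*keys):
        return "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in keys) + f"; max-age={60 * day}"
    first = connect(store, host, [KEY_A], hdr(KEY_A, KEY_B), now=0)
    unannounced = connect(store, host, [KEY_X], hdr(KEY_X, KEY_C), now=day)
    planned = connect(store, host, [KEY_B], hdr(KEY_B, KEY_C), now=day)
    return first, unannounced, planned, store[host]["pins"] == {spki_pin(KEY_B), spki_pin(KEY_C)}
```

The second connection is the situation in this bug: the new key is valid but matches no stored pin, so the client never gets to see the header that would have replaced the pin.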

Comment 3 (a year ago)

(In reply to keynet from comment #0)
> Actual results:
> 
> Website updated OK
> Firefox fails with MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

I think it's right.

> But Chrome works OK

Maybe you did not reload this page to bypass the cache? I see this situation by using https://chrome.google.com/webstore/detail/pinpatrol/jenmooahjheolakpacikdlloalfaihef/ and distorting the dynamic_spki_hashes to simulate it. Chrome also provides an error page, reports the invalid cases by default (Firefox does it, but not by default), and does not allow it to be overridden.


> Expected results:
> 
> Firefox should have option to delete out of date pin, and restart the pin
> learning process. At the moment there seems to be no UI (not in history etc)
> to do this in any reasonable way. It's quite likely that a new cert will
> involve a new private key (if you're being secure, that is). Timeouts are
> typically long.

I think it will violate the HPKP / HSTS rules and increase the user's risk for misuse.

> In the end I had to mess about and manually edit
> SiteSecurityServiceState.txt to remove the old record per this
> https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/
> 
> Then it was OK!

https://addons.mozilla.org/firefox/addon/enforce-encryption/ and future add-ons that work like PinPatrol for Chrome.

I don't think it is a necessary UI for general users, because it is a security-sensitive and rare demand.

Severity: normal → enhancement
Component: Preferences → Security
Priority: -- → P3