disable ssl pinning for GMP updates

NEW
Unassigned

Status

()

Core
Audio/Video: GMP
P3
normal
Rank:
25
11 months ago
3 months ago

People

(Reporter: bhearsum, Unassigned)

Tracking

(Depends on: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 months ago
We've long disabled cert pinning for Gecko updates because of the relatively high occurence of SSL MitM'ing that breaks it. Sometimes this is AV vendors, sometimes this is other things - but in all cases, any user whose connection to aus5.mozill.org is MitM'ed cannot install Gecko Media Plugins. This likely means that there's a significant number of people who cannot use Netflix in Firefox because Widevine won't install.

The route we've gone with Gecko and System Addon updates is to sign the payload instead. For Gecko and System Addons, this means signing the MAR or XPI with a key that only we have access to, and verifying that on the client side. For GMP this may look different because we're not always the ones building the plugins. In any case, we'd need to have all plugins signed by some key (doesn't have to be the same one), and verify them on the client side before running them. And once we disable pinning, signing a plugin would become prerequisite to shipping it to users.

Updated

11 months ago
Rank: 25
Priority: -- → P2
(Reporter)

Comment 1

4 months ago
It looks like the most likely way we'll get here is to sign the XML response from Balrog.
Depends on: 1304782
Mass change P2->P3 to align with new Mozilla triage process.
Priority: P2 → P3
You need to log in before you can comment on or make changes to this bug.