1330446 - Ensure that the HPKP pinning expiration for Firefox 51 is after the release of Firefox 52

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[J.C. Jones [:jcj] (he/they)]

+++ This bug was initially created as a clone of Bug #1307530 +++

[Tracking Requested - why for this release]: Possible MITM issue if not done before Fx51 ships.

The core issue for Bug #1307530 is not resolved, so this bug is to do the same thing again for Fx51.

The expiry timestamp currently in beta [1] is for 19 February 2017 @ 2:02pm (UTC), or 16 days *prior* to the scheduled release of 52. Last time we extended the expiration to {release date}+21 days. Doing that again would be 28 March 2017, or timestamp=1490659200 . 

[1] https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/manager/ssl/StaticHPKPins.h#l1167

Comment 1

[J.C. Jones [:jcj] (he/they)]

Attachment: Bump the HPKP and HSTS expiration dates to 28 March 2017

Comment 2

[J.C. Jones [:jcj] (he/they)]

Comment on attachment 8825976 [details] [diff] [review]
Bump the HPKP and HSTS expiration dates to 28 March 2017

[Feature/Bug causing the regression]: Repeat of Bug 1307530
[User impact if declined]: Possible MITM issue if not done before Fx51 ships.

This is pretty much the same as the pushes to nightly / aurora to move the expiry timestamp forward with a=hsts-update (etc).

(NIs per ritu's instructions on IRC.)

Comment 3

[Gerry Chang [:gchang]]

Comment on attachment 8825976 [details] [diff] [review]
Bump the HPKP and HSTS expiration dates to 28 March 2017

Bump the expiration date to avoid possible MITM issue. Beta51+. Should be in 51 Beta 14.

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/ef723be83d31