Deprecate SHA-1 to 50% of Beta Users

RESOLVED FIXED

Status


Core
Security: PSM
P1
enhancement
RESOLVED FIXED
7 months ago
6 months ago

People

(Reporter: jcj, Assigned: keeler)

Tracking

unspecified
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox52 fixed, firefox-esr52 fixed, firefox53 unaffected, firefox54 unaffected)

Details

(Whiteboard: [psm-assigned])

Attachments

(3 attachments)

(Reporter)

Description

7 months ago
Follow-on to Bug 1328718:

Per the SHA-1 Shutoff Plan [1], we're going to update the system add-on's Beta-channel test threshold to 50% for this coming week. The goal would be to include this in Beta 5, so that it lands on 8 February 2017.
(Reporter)

Comment 1

7 months ago
Oops, dangling reference: 

[1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Priority: -- → P1
(Reporter)

Comment 2

7 months ago
For those following along: The shut-off is in effect in Beta 3, released today (Friday 3 Feb), and initial telemetry suggests it's working fine. (As of this writing, 28889 beta installations reported the add-on as executing, and 2957 flipped their preference. [1]) Telemetry at telemetry.mozilla.org hasn't picked up data from today, but we'll look at that before this lands next Wednesday.

[1] https://gist.github.com/jcjones/a73789205b007a57123740776761c50b
(Assignee)

Updated

7 months ago
Whiteboard: [psm-assigned]
(Assignee)

Comment 3

7 months ago
Created attachment 8833546 [details] [diff] [review]
1336616-disable-sha1-beta-50pct.diff

Going by bug 1312528, the process is maybe supposed to go like so:
* get r+ on a patch against the add-on as it is (or would be) in the tree
* create an xpi
* get the xpi signed
* QA the xpi
* get approval to land
* land
Attachment #8833546 - Flags: review?(jjones)
(Reporter)

Comment 4

7 months ago
Comment on attachment 8833546 [details] [diff] [review]
1336616-disable-sha1-beta-50pct.diff

Review of attachment 8833546 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8833546 - Flags: review?(jjones) → review+
(Assignee)

Comment 5

7 months ago
Created attachment 8833553 [details]
disableSHA1rollout.xpi

This is the add-on created from the updated bootstrap.js and install.rdf (although note that I had to base that off the install.rdf that shipped in the add-on in mozilla-beta, since it's post-processed).

Judging by bug 1312528 comment 13, Jason is the person to ask to sign an add-on.
Flags: needinfo?(jthomas)

Comment 6

6 months ago
Created attachment 8833995 [details]
disableSHA1rollout.xpi signed

Please see attached.
Flags: needinfo?(jthomas)
(Assignee)

Comment 7

6 months ago
Thanks!
Justin, if you could confirm attachment 8833995 [details] works as expected (it's supposed to disable SHA-1 50% of the time), that would be great. (Note that it looks like Firefox prevents installing the add-on update directly from bugzilla - I had to download it as a file and then open it to get it to work.)
Flags: needinfo?(jwilliams)
Comment 8

Hey David, everything looks good on this end.

security.pki.sha1_enforcement_level = 0, 1 (manually set) = Opt out
security.pki.sha1_enforcement_level = 3 = Test
security.pki.sha1_enforcement_level = 4 = Control

I never saw a disableSHA1.rollout.cohortSample less than .1 though
Flags: needinfo?(jwilliams)
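The cohort logic Justin is exercising above (a persisted per-profile sample compared against the rollout threshold, the 3 = Test / 4 = Control mapping, and a manually set 0 or 1 treated as opt-out) can be made concrete with the following sketch. This is an added example written for this page; it is not the code of the disableSHA1rollout add-on in attachment 8833553 and has not been checked against it. The only names taken from the bug are the two preferences `security.pki.sha1_enforcement_level` and `disableSHA1.rollout.cohortSample`; the `FakePrefs` class (a stand-in for `Services.prefs` so the snippet runs outside Firefox), the "sample below threshold means test cohort" rule, and the draw-once-and-persist behaviour are assumptions made for illustration.

```javascript
// Added example of staged-rollout cohort assignment for a preference flip.
// Not the disableSHA1rollout add-on's own code; structure and rule are assumed.

// security.pki.sha1_enforcement_level values as listed in comment 8 of this bug.
const SHA1_LEVEL = {
  OPT_OUT_A: 0, // manually set by the user: opt out, leave alone
  OPT_OUT_B: 1, // manually set by the user: opt out, leave alone
  TEST: 3,      // rollout "test" cohort
  CONTROL: 4,   // rollout "control" cohort
};

const PREF_ENFORCEMENT = "security.pki.sha1_enforcement_level";
const PREF_COHORT_SAMPLE = "disableSHA1.rollout.cohortSample";

// Minimal in-memory stand-in for nsIPrefBranch (Services.prefs). Like the real
// thing, any set*Pref call records a "user value"; the add-on tells its own
// writes (3/4) apart from a manual opt-out (0/1) by the value, as comment 8 does.
class FakePrefs {
  constructor() { this.values = new Map(); }
  getIntPref(name, def) { return this.values.has(name) ? this.values.get(name) : def; }
  getFloatPref(name, def) { return this.values.has(name) ? this.values.get(name) : def; }
  setIntPref(name, v) { this.values.set(name, v); }
  setFloatPref(name, v) { this.values.set(name, v); }
  prefHasUserValue(name) { return this.values.has(name); }
}

// Assign this profile to a cohort for the given threshold (0.5 = 50% of users)
// and apply the matching enforcement level. Returns what it decided.
//
// - A profile whose user manually set the level to 0 or 1 is opted out and is
//   never touched.
// - The cohort sample is drawn once and persisted, so re-running with a higher
//   threshold (what this bug does: raising Beta to 50%) can only move profiles
//   from control into test, never the other way round.
function applyRollout(prefs, threshold, rng = Math.random) {
  if (!(threshold >= 0 && threshold <= 1)) {
    throw new RangeError("threshold must be in [0, 1]");
  }

  const current = prefs.getIntPref(PREF_ENFORCEMENT, undefined);
  if (prefs.prefHasUserValue(PREF_ENFORCEMENT) &&
      (current === SHA1_LEVEL.OPT_OUT_A || current === SHA1_LEVEL.OPT_OUT_B)) {
    return { cohort: "opt-out", level: current, sample: null };
  }

  let sample = prefs.getFloatPref(PREF_COHORT_SAMPLE, -1);
  if (!(sample >= 0 && sample < 1)) {
    // First run for this profile: draw the sample once and remember it.
    sample = rng();
    prefs.setFloatPref(PREF_COHORT_SAMPLE, sample);
  }

  const cohort = sample < threshold ? "test" : "control";
  const level = cohort === "test" ? SHA1_LEVEL.TEST : SHA1_LEVEL.CONTROL;
  prefs.setIntPref(PREF_ENFORCEMENT, level);
  return { cohort, level, sample };
}

// Walk one profile through a threshold increase, returning both decisions.
function demoThresholdIncrease(sample, before, after) {
  const prefs = new FakePrefs();
  const first = applyRollout(prefs, before, () => sample);
  const second = applyRollout(prefs, after, () => { throw new Error("must not redraw"); });
  return { first, second };
}

// Walk an opted-out profile through the rollout: the level must not change.
function demoOptOut(level, threshold) {
  const prefs = new FakePrefs();
  prefs.setIntPref(PREF_ENFORCEMENT, level); // stands for the user flipping it by hand
  return applyRollout(prefs, threshold, () => 0.0);
}

console.log(demoThresholdIncrease(0.3, 0.2, 0.5)); // control at 20%, test at 50%
console.log(demoOptOut(1, 0.5));                   // stays opted out
```

The persisted sample is the detail that matters when raising a threshold mid-rollout: without it, each update would redraw and profiles would bounce between cohorts, which would muddy exactly the telemetry comparison (add-on executing vs. preference flipped) described in comment 2.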
(Reporter)

Comment 9

6 months ago
Comment on attachment 8833546 [details] [diff] [review]
1336616-disable-sha1-beta-50pct.diff

I'm guessing we need to get a beta approval again, despite the gofaster goals, so that Friday's build doesn't drop the % down again.

Approval Request Comment
[Feature/Bug causing the regression]: SHA-1 deprecation staged rollout
[User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: already done
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: This is a staged rollout update to the code in Bug 1328718.
[String changes made/needed]: none
Attachment #8833546 - Flags: approval-mozilla-beta?
Comment 10

Comment on attachment 8833546 [details] [diff] [review]
1336616-disable-sha1-beta-50pct.diff

disable sha1 for more users, beta52+
Attachment #8833546 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 11

6 months ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/429938019d58
status-firefox52: --- → fixed
Status: ASSIGNED → RESOLVED
Last Resolved: 6 months ago
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
Resolution: --- → FIXED
(Reporter)

Updated

6 months ago
Blocks: 1338228

Comment 12

6 months ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/429938019d58
status-firefox-esr52: --- → fixed
(Reporter)

Updated

6 months ago
Blocks: 1339662