Closed Bug 1336616 Opened 3 years ago Closed 3 years ago

Deprecate SHA-1 to 50% of Beta Users


(Core :: Security: PSM, enhancement, P1)




Tracking Status
firefox52 --- fixed
firefox-esr52 --- fixed
firefox53 --- unaffected
firefox54 --- unaffected


(Reporter: jcj, Assigned: keeler)



(Whiteboard: [psm-assigned])


(3 files)

Follow on to Bug 1328718:

Per the SHA-1 Shutoff Plan [1], we're going to update the system addon's Beta-channel test threshold to 50% for this coming week. The goal would be to include this into Beta 5, so that it lands on 8 February 2017.
Oops, dangling reference: 

Assignee: nobody → dkeeler
Priority: -- → P1
For those following along: The shut-off is in effect in Beta 3, released today (Friday 3 Feb), and initial telemetry suggests it's working fine. (As of this writing, 28889 beta installations reported the add-on as executing, and 2957 flipped their preference. [1]) Telemetry at hasn't picked up data from today, but we'll look at that before this lands next Wednesday.

Whiteboard: [psm-assigned]
Going by bug 1312528, the process is maybe supposed to go like so:
* get r+ on a patch against the add-on as it is (or would be) in the tree
* create an xpi
* get the xpi signed
* QA the xpi
* get approval to land
* land
Attachment #8833546 - Flags: review?(jjones)
Comment on attachment 8833546 [details] [diff] [review]

Review of attachment 8833546 [details] [diff] [review]:

Attachment #8833546 - Flags: review?(jjones) → review+
Attached file disableSHA1rollout.xpi
This is the add-on created from the updated bootstrap.js and install.rdf (although note that I had to base that off the install.rdf that shipped in the add-on in mozilla-beta, since it's post-processed).

Judging by bug 1312528 comment 13, Jason is the person to ask to sign an add-on.
Flags: needinfo?(jthomas)
Please see attached.
Flags: needinfo?(jthomas)
Justin, if you could confirm attachment 8833995 [details] works as expected (it's supposed to disable SHA-1 50% of the time), that would be great. (Note that it looks like Firefox prevents installing the add-on update directly from bugzilla - I had to download it as a file and then open it to get it to work.)
Flags: needinfo?(jwilliams)
Hey David, Everything looks good on this end. 

security.pki.sha1_enforcement_level = 0, 1 (manually set) = Opt out
security.pki.sha1_enforcement_level = 3 = Test
security.pki.sha1_enforcement_level = 4 = Control

I never saw a disableSHA1.rollout.cohortSample less than .1 though
Flags: needinfo?(jwilliams)
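Added illustration (not the bug's bootstrap.js, and not code from the attached xpi) of the cohort gating the comments above describe: a persisted cohortSample compared against a threshold that is raised stage by stage, with a manually set 0/1 enforcement level treated as opt-out. The cohort pref name, the function names and the Map-based pref store are assumptions.

```javascript
// Pref names: enforcement level and cohortSample are from this bug; the
// cohort pref name is an assumption for this example.
const PREF_LEVEL = "security.pki.sha1_enforcement_level";
const PREF_SAMPLE = "disableSHA1.rollout.cohortSample";
const PREF_COHORT = "disableSHA1.rollout.cohort"; // assumed name

const LEVEL_TEST = 3;    // SHA-1 disabled (test cohort)
const LEVEL_CONTROL = 4; // SHA-1 still allowed (control cohort)

// prefs: Map standing in for the user pref branch (absent key = default
// value). threshold: fraction of installs in the test cohort (0.5 here).
// Returns the cohort the profile ends up in: "optOut", "test" or "control".
function applyRollout(prefs, threshold, rng = Math.random) {
  const level = prefs.get(PREF_LEVEL);
  // A user value of 0 or 1 was not written by the add-on (it only writes
  // 3 or 4), so it is a manual opt-out: leave the user's choice alone.
  if (level === 0 || level === 1) {
    prefs.set(PREF_COHORT, "optOut");
    return "optOut";
  }
  // Draw the sample once and persist it. Raising the threshold on a later
  // stage then only moves control users into test, never the reverse, so
  // the 10% cohort from the earlier stage stays inside the 50% cohort.
  let sample = prefs.get(PREF_SAMPLE);
  if (sample === undefined) {
    sample = rng();
    prefs.set(PREF_SAMPLE, sample);
  }
  const cohort = sample < threshold ? "test" : "control";
  prefs.set(PREF_LEVEL, cohort === "test" ? LEVEL_TEST : LEVEL_CONTROL);
  prefs.set(PREF_COHORT, cohort);
  return cohort;
}

// Fraction of profiles with the given pre-drawn samples that land in the
// test cohort at a threshold; a sanity check against the telemetry counts.
function testFraction(samples, threshold) {
  let inTest = 0;
  for (const s of samples) {
    const prefs = new Map([[PREF_SAMPLE, s]]);
    if (applyRollout(prefs, threshold) === "test") inTest++;
  }
  return inTest / samples.length;
}
```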
Comment on attachment 8833546 [details] [diff] [review]

I'm guessing we need to get a beta approval again, despite the gofaster goals, so that Friday's build doesn't drop the % down again.

Approval Request Comment
[Feature/Bug causing the regression]: SHA-1 deprecation staged rollout
[User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: already done
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: This is a staged rollout update to the code in Bug 1328718.
[String changes made/needed]: none
Attachment #8833546 - Flags: approval-mozilla-beta?
Comment on attachment 8833546 [details] [diff] [review]

disable sha1 for more users, beta52+
Attachment #8833546 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Closed: 3 years ago
Resolution: --- → FIXED
Blocks: 1338228
Blocks: 1339662