Closed
Bug 1336616
Opened 7 years ago
Closed 7 years ago
Deprecate SHA-1 to 50% of Beta Users
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox52 | --- | fixed |
firefox-esr52 | --- | fixed |
firefox53 | --- | unaffected |
firefox54 | --- | unaffected |
People
(Reporter: jcj, Assigned: keeler)
References
Details
(Whiteboard: [psm-assigned])
Attachments
(3 files)
* 2.16 KB, patch (jcj: review+, jcristau: approval-mozilla-beta+)
* 4.76 KB, application/octet-stream
* 8.64 KB, application/x-xpinstall
Follow on to Bug 1328718: Per the SHA-1 Shutoff Plan [1], we're going to update the system addon's Beta-channel test threshold to 50% for this coming week. The goal would be to include this into Beta 5, so that it lands on 8 February 2017.
Comment 1 (Reporter) • 7 years ago
Oops, dangling reference: [1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 2 (Reporter) • 7 years ago
For those following along: The shut-off is in effect in Beta 3, released today (Friday 3 Feb), and initial telemetry suggests it's working fine. (As of this writing, 28889 beta installations reported the add-on as executing, and 2957 flipped their preference. [1]) Telemetry at telemetry.mozilla.org hasn't picked up data from today, but we'll look at that before this lands next Wednesday.
[1] https://gist.github.com/jcjones/a73789205b007a57123740776761c50b
Updated (Assignee) • 7 years ago
Whiteboard: [psm-assigned]
Comment 3 (Assignee) • 7 years ago
Going by bug 1312528, the process is maybe supposed to go like so:
* get r+ on a patch against the add-on as it is (or would be) in the tree
* create an xpi
* get the xpi signed
* QA the xpi
* get approval to land
* land
Attachment #8833546 - Flags: review?(jjones)
Comment 4 (Reporter) • 7 years ago
Comment on attachment 8833546 1336616-disable-sha1-beta-50pct.diff
Review of attachment 8833546:
LGTM
Attachment #8833546 - Flags: review?(jjones) → review+
Comment 5 (Assignee) • 7 years ago
This is the add-on created from the updated bootstrap.js and install.rdf (although note that I had to base that off the install.rdf that shipped in the add-on in mozilla-beta, since it's post-processed). Judging by bug 1312528 comment 13, Jason is the person to ask to sign an add-on.
Flags: needinfo?(jthomas)
Comment 7 (Assignee) • 7 years ago
Thanks!
Justin, if you could confirm attachment 8833995 works as expected (it's supposed to disable SHA-1 50% of the time), that would be great. (Note that it looks like Firefox prevents installing the add-on update directly from bugzilla - I had to download it as a file and then open it to get it to work.)
Flags: needinfo?(jwilliams)
Comment 8 • 7 years ago
Hey David,
Everything looks good on this end.
security.pki.sha1_enforcement_level = 0, 1 (manually set) = Opt out
security.pki.sha1_enforcement_level = 3 = Test
security.pki.sha1_enforcement_level = 4 = Control
I never saw a disableSHA1.rollout.cohortSample less than .1 though
Flags: needinfo?(jwilliams)
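Added example, not part of the comment above and not the add-on's own code: a checker that reads a profile's `prefs.js` text and reports which rollout cohort it is in, using the pref names and level meanings from comment 8. The function names are hypothetical, the sample input is constructed, and the rule that a sample below the 50% threshold means the test cohort is an assumption this bug does not state.

```javascript
// Added example: classify a Firefox profile's SHA-1 rollout cohort from prefs.js text.
// Level meanings (0/1 opt out, 3 test, 4 control) are taken from comment 8.
// Assumption: sample < threshold means "test"; the bug does not state the comparison.
const LEVEL_PREF = "security.pki.sha1_enforcement_level";
const SAMPLE_PREF = "disableSHA1.rollout.cohortSample";
const BETA_THRESHOLD = 0.5; // 50% of Beta users, per this bug

// Parse `user_pref("name", value);` lines; values are ints, booleans or quoted strings.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything malformed
    const raw = m[2].trim();
    if (/^".*"$/.test(raw)) prefs.set(m[1], raw.slice(1, -1).replace(/\\(.)/g, "$1"));
    else if (raw === "true" || raw === "false") prefs.set(m[1], raw === "true");
    else if (/^-?\d+$/.test(raw)) prefs.set(m[1], parseInt(raw, 10));
  }
  return prefs;
}

function classifyProfile(text, threshold = BETA_THRESHOLD) {
  const prefs = parsePrefs(text);
  const level = prefs.has(LEVEL_PREF) ? prefs.get(LEVEL_PREF) : null;
  const sample = prefs.has(SAMPLE_PREF) ? Number(prefs.get(SAMPLE_PREF)) : null;
  let cohort = "unknown"; // pref absent, or a level comment 8 does not cover
  if (level === 0 || level === 1) cohort = "opt-out";
  else if (level === 3) cohort = "test";
  else if (level === 4) cohort = "control";
  // Flag profiles whose enforcement level disagrees with their recorded sample.
  let consistent = null;
  if (sample !== null && !Number.isNaN(sample) && (cohort === "test" || cohort === "control")) {
    consistent = (sample < threshold) === (cohort === "test");
  }
  return { cohort, level, sample, consistent };
}

// Constructed sample input, not taken from a real profile.
const SAMPLE_PREFS = [
  "// Mozilla User Preferences",
  'user_pref("disableSHA1.rollout.cohortSample", "0.3127");',
  'user_pref("security.pki.sha1_enforcement_level", 3);',
].join("\n");
console.log(classifyProfile(SAMPLE_PREFS));
```

A `consistent` value of `false` marks a profile whose enforcement level does not match its stored sample under the assumed rule; `prefs.js` alone cannot show whether a level of 0 or 1 was set manually.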
Comment 9 (Reporter) • 7 years ago
Comment on attachment 8833546 1336616-disable-sha1-beta-50pct.diff
I'm guessing we need to get a beta approval again, despite the gofaster goals, so that Friday's build doesn't drop the % down again.
Approval Request Comment
[Feature/Bug causing the regression]: SHA-1 deprecation staged rollout
[User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: already done
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: This is a staged rollout update to the code in Bug 1328718.
[String changes made/needed]: none
Attachment #8833546 - Flags: approval-mozilla-beta?
Comment 10 • 7 years ago
Comment on attachment 8833546 1336616-disable-sha1-beta-50pct.diff
disable sha1 for more users, beta52+
Attachment #8833546 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 11 • 7 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/429938019d58
status-firefox52: --- → fixed
Updated • 7 years ago
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
Resolution: --- → FIXED
Comment 12 • 7 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/429938019d58
status-firefox-esr52: --- → fixed