Deprecate SHA-1 to 100% of Beta Users and 25% of Release Users

RESOLVED FIXED

Status

()

Core
Security: PSM
P1
enhancement
RESOLVED FIXED
5 months ago
4 months ago

People

(Reporter: jcj, Assigned: keeler)

Tracking

unspecified
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox52 fixed, firefox-esr52 fixed)

Details

(Whiteboard: [psm-assigned], URL)

Attachments

(3 attachments, 1 obsolete attachment)

Follow on to Bug 1328718 and Bug 1336616:

Per the SHA-1 Shutoff Plan [1], we're going to update the system addon's Beta-channel test threshold to 100% for this coming week of 13 Feb. The goal would be to include this into Beta 7, so that it lands on 15 or 16 February 2017.

[1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
(Assignee)

Comment 1

5 months ago
Created attachment 8835675 [details] [diff] [review]
1338228-disable-sha1-beta-100pct.diff
Attachment #8835675 - Flags: review?(jjones)
Comment on attachment 8835675 [details] [diff] [review]
1338228-disable-sha1-beta-100pct.diff

Review of attachment 8835675 [details] [diff] [review]:
-----------------------------------------------------------------

Everything is proceeding as I have foreseen.
Attachment #8835675 - Flags: review?(jjones) → review+
Per our request to release-drivers and gofaster for an accelerated schedule, let's go ahead and include 25% of Release users in this change.

If we don't get approval to make that accelerated schedule, we need only ensure Gofaster doesn't push this one out to release.
Summary: Deprecate SHA-1 to 100% of Beta Users → Deprecate SHA-1 to 100% of Beta Users and 25% of Release Users
(Assignee)

Comment 4

5 months ago
Created attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

It's over, SHA-1! I have the high ground!
Attachment #8835675 - Attachment is obsolete: true
Attachment #8835728 - Flags: review?(jjones)
Comment on attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

Review of attachment 8835728 [details] [diff] [review]:
-----------------------------------------------------------------

SHA-1 is going to need some serious upgrades after the sabering that's coming to it.

Perhaps it'll need to be upgraded to... SHA-2.
Attachment #8835728 - Flags: review?(jjones) → review+
(Assignee)

Comment 6

5 months ago
Created attachment 8835735 [details]
disableSHA1rollout.xpi

Jason, if you could sign this, that would be great. Thanks!
Flags: needinfo?(jthomas)

Comment 7

5 months ago
Created attachment 8835774 [details]
disableSHA1rollout.xpi signed

Please see attached.
Flags: needinfo?(jthomas)
(Assignee)

Comment 8

5 months ago
Thanks!

Justin, using attachment 8835774 [details], could you please confirm that:
* security.pki.sha1_enforcement_level gets set to 3 100% of the time on beta/52 (given that the user hasn't opted out)
* security.pki.sha1_enforcement_level gets set to 3 25% of the time on release/51

Much appreciated!
Flags: needinfo?(jwilliams)
It looks good on Beta and Release
Flags: needinfo?(jwilliams)
Comment on attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

Thanks!

(adapted from bug 1336616 comment 9)
Approval Request Comment
[Feature/Bug causing the regression]: SHA-1 deprecation staged rollout
[User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1
[Is this code covered by automated tests?]: n/a
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: QE done in comment 9
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very
[Why is the change risky/not risky?]: This a staged rollout update to the code in Bug 1328718.
[String changes made/needed]: none
Attachment #8835728 - Flags: approval-mozilla-beta?
Comment on attachment 8835728 [details] [diff] [review]
1338228-disable-sha1-beta-100pct-release-25pct.diff

next step of sha1 deprecation for beta52.
Attachment #8835728 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 12

5 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-beta/rev/3a0e9dab3864
status-firefox52: --- → fixed

Comment 13

5 months ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/3a0e9dab3864
status-firefox-esr52: --- → fixed
Blocks: 1339662
Manual testing is currently blocked here for the fact that a forced update check brings disableSHA1rollout v1.1 instead of v1.2 on the "release-sysaddon" update channel. Note that:

    * the update.xml associated to (e.g.) 51.0-build2-win32-en-US shows v1.2, see [1]
    
    * the patches pushed in this bug also show v1.2



Also, per my conversation with J.C. Jones, users should be seeing the following neterror messages, according to the system add-on's state:

    * SEC_ERROR_EXPIRED_CERTIFICATE
      when disableSHA1rollout is not in effect (i.e. SHA-1 was _not_ disabled

    * SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
      when disableSHA1rollout is in effect (i.e. HSA-1 was actually disabled)

Justin, could you please confirm the above?


[1] https://aus5.-mozilla.org/update/3/SystemAddons/51.0/20170118123726/default/en-US/release-sysaddon/default/default/default/update.xml
Flags: needinfo?(jwilliams)
(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #14)
> Manual testing is currently blocked here for the fact that a forced update
> check brings disableSHA1rollout v1.1 instead of v1.2 on the
> "release-sysaddon" update channel. Note that:
> 
>     * the update.xml associated to (e.g.) 51.0-build2-win32-en-US shows v1.2, see [1]
>     
>     * the patches pushed in this bug also show v1.2

Update: this turned out to be some sort of environment issue. The correct version (v1.2) of disableSHA1rollout is installed on 51.*, as expected. Manual testing has been resumed, we'll check our test results against Justin's feedback, but things seem to be working as intended so far.
(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #14)
> Manual testing is currently blocked here for the fact that a forced update
> check brings disableSHA1rollout v1.1 instead of v1.2 on the
> "release-sysaddon" update channel. Note that:
> 
I am seeing v1.2 not v1.1.
> 
> 
> 
> Also, per my conversation with J.C. Jones, users should be seeing the
> following neterror messages, according to the system add-on's state:
> 
>     * SEC_ERROR_EXPIRED_CERTIFICATE
>       when disableSHA1rollout is not in effect (i.e. SHA-1 was _not_ disabled
> 
>     * SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
>       when disableSHA1rollout is in effect (i.e. HSA-1 was actually disabled)
> 
I do not see any SEC_ERROR's in the Browser Console.
Flags: needinfo?(jwilliams)
This go-faster addon reached release Thursday/Friday last week, so going to close this.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.