Closed Bug 1338228 Opened 8 years ago Closed 8 years ago

Deprecate SHA-1 to 100% of Beta Users and 25% of Release Users

Categories

(Core :: Security: PSM, enhancement, P1)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox52 --- fixed
firefox-esr52 --- fixed

People

(Reporter: jcj, Assigned: keeler)

References

(
URL
)

Details

(Whiteboard: [psm-assigned])

Attachments

(3 files, 1 obsolete file)

1338228-disable-sha1-beta-100pct-release-25pct.diff
2.16 KB, patch
jcj
: review+
jcristau
: approval-mozilla-beta+
Details | Diff | Splinter Review
disableSHA1rollout.xpi
4.78 KB, application/octet-stream
Details
disableSHA1rollout.xpi signed
8.66 KB, application/x-xpinstall
Details
Follow on to Bug 1328718 and Bug 1336616: Per the SHA-1 Shutoff Plan [1], we're going to update the system addon's Beta-channel test threshold to 100% for this coming week of 13 Feb. The goal would be to include this into Beta 7, so that it lands on 15 or 16 February 2017. [1] https://wiki.mozilla.org/Security/CryptoEngineering/SHA-1
Attachment #8835675 - Flags: review?(jjones)
Comment on attachment 8835675 [details] [diff] [review] 1338228-disable-sha1-beta-100pct.diff Review of attachment 8835675 [details] [diff] [review]: ----------------------------------------------------------------- Everything is proceeding as I have foreseen.
Attachment #8835675 - Flags: review?(jjones) → review+
Per our request to release-drivers and gofaster for an accelerated schedule, let's go ahead and include 25% of Release users in this change. If we don't get approval to make that accelerated schedule, we need only ensure Gofaster doesn't push this one out to release.
Summary: Deprecate SHA-1 to 100% of Beta Users → Deprecate SHA-1 to 100% of Beta Users and 25% of Release Users
It's over, SHA-1! I have the high ground!
Attachment #8835675 - Attachment is obsolete: true
Attachment #8835728 - Flags: review?(jjones)
Comment on attachment 8835728 [details] [diff] [review] 1338228-disable-sha1-beta-100pct-release-25pct.diff Review of attachment 8835728 [details] [diff] [review]: ----------------------------------------------------------------- SHA-1 is going to need some serious upgrades after the sabering that's coming to it. Perhaps it'll need to be upgraded to... SHA-2.
Attachment #8835728 - Flags: review?(jjones) → review+
Attached file disableSHA1rollout.xpi
Jason, if you could sign this, that would be great. Thanks!
Flags: needinfo?(jthomas)
Please see attached.
Flags: needinfo?(jthomas)
Thanks! Justin, using attachment 8835774 [details], could you please confirm that: * security.pki.sha1_enforcement_level gets set to 3 100% of the time on beta/52 (given that the user hasn't opted out) * security.pki.sha1_enforcement_level gets set to 3 25% of the time on release/51 Much appreciated!
Flags: needinfo?(jwilliams)
It looks good on Beta and Release
Flags: needinfo?(jwilliams)
Comment on attachment 8835728 [details] [diff] [review] 1338228-disable-sha1-beta-100pct-release-25pct.diff Thanks! (adapted from bug 1336616 comment 9) Approval Request Comment [Feature/Bug causing the regression]: SHA-1 deprecation staged rollout [User impact if declined]: users won't be protected against potential collisions found against certificates signed with SHA-1 [Is this code covered by automated tests?]: n/a [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: QE done in comment 9 [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: not very [Why is the change risky/not risky?]: This a staged rollout update to the code in Bug 1328718. [String changes made/needed]: none
Attachment #8835728 - Flags: approval-mozilla-beta?
Comment on attachment 8835728 [details] [diff] [review] 1338228-disable-sha1-beta-100pct-release-25pct.diff next step of sha1 deprecation for beta52.
Attachment #8835728 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Blocks: 1339662
Manual testing is currently blocked here for the fact that a forced update check brings disableSHA1rollout v1.1 instead of v1.2 on the "release-sysaddon" update channel. Note that: * the update.xml associated to (e.g.) 51.0-build2-win32-en-US shows v1.2, see [1] * the patches pushed in this bug also show v1.2 Also, per my conversation with J.C. Jones, users should be seeing the following neterror messages, according to the system add-on's state: * SEC_ERROR_EXPIRED_CERTIFICATE when disableSHA1rollout is not in effect (i.e. SHA-1 was _not_ disabled * SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED when disableSHA1rollout is in effect (i.e. HSA-1 was actually disabled) Justin, could you please confirm the above? [1] https://aus5.-mozilla.org/update/3/SystemAddons/51.0/20170118123726/default/en-US/release-sysaddon/default/default/default/update.xml
Flags: needinfo?(jwilliams)
(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #14) > Manual testing is currently blocked here for the fact that a forced update > check brings disableSHA1rollout v1.1 instead of v1.2 on the > "release-sysaddon" update channel. Note that: > > * the update.xml associated to (e.g.) 51.0-build2-win32-en-US shows v1.2, see [1] > > * the patches pushed in this bug also show v1.2 Update: this turned out to be some sort of environment issue. The correct version (v1.2) of disableSHA1rollout is installed on 51.*, as expected. Manual testing has been resumed, we'll check our test results against Justin's feedback, but things seem to be working as intended so far.
(In reply to Andrei Vaida, QA [:avaida] – please ni? me from comment #14) > Manual testing is currently blocked here for the fact that a forced update > check brings disableSHA1rollout v1.1 instead of v1.2 on the > "release-sysaddon" update channel. Note that: > I am seeing v1.2 not v1.1. > > > > Also, per my conversation with J.C. Jones, users should be seeing the > following neterror messages, according to the system add-on's state: > > * SEC_ERROR_EXPIRED_CERTIFICATE > when disableSHA1rollout is not in effect (i.e. SHA-1 was _not_ disabled > > * SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED > when disableSHA1rollout is in effect (i.e. HSA-1 was actually disabled) > I do not see any SEC_ERROR's in the Browser Console.
Flags: needinfo?(jwilliams)
This go-faster addon reached release Thursday/Friday last week, so going to close this.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: