Make sure HPKP preload expiration date is accurate for 54

RESOLVED FIXED in Firefox 54

Status

Product: Core
Component: Security: PSM
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 5 months ago
Modified: 5 months ago

People

(Reporter: jcj, Assigned: keeler)

Tracking

54 Branch
mozilla54
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox54blocking fixed)

Details

(Whiteboard: [psm-assigned])


Attachments

(1 attachment)

(Reporter)

Description

5 months ago
Confirm and patch security/manager/ssl/StaticHPKPins.h and security/manager/ssl/nsSTSPreloadList.inc in 54 to have sufficient lifetime on the preloaded HPKP and STS pins.
(Reporter)

Updated

5 months ago
See Also: → bug 1365791
Marking this as a blocker for 54 release to make sure we catch it.
status-firefox54: --- → affected
tracking-firefox54: --- → blocking
(Assignee)

Updated

5 months ago
Priority: -- → P2
Whiteboard: [psm-blocked]
Hi :jcj,
After checking the time, it seems HPKP is July 24. Is it correct? This might need your help to check. We need to extend the lifetime after August 8.
Flags: needinfo?(jjones)
(Reporter)

Comment 3

5 months ago
Gerry,

Yes, we should update mozilla-beta's StaticHPKPins.h and nsSTSPreloadList.inc files to 1506384000000000, which is 2017-09-26, the start of the 56 cycle (giving 1 whole cycle of overlap).

Assigning :keeler - we should get this done in the next week.
Assignee: nobody → dkeeler
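The value in comment 3 is a PRTime, i.e. microseconds since the Unix epoch, and the reasoning in this bug (and in comment 7) is that once a build's baked-in expiration passes, the preloaded HSTS/HPKP data switches itself off until the user updates. The following is an added example, not code from Firefox or from anyone on this bug; it converts between PRTime and calendar dates, models the "is the preload data still active?" decision as the bug describes it (assumed semantics, not mozilla-central's implementation), and computes the margin between an expected update date and the expiration. The July 24 / August 8 dates are taken from comment 2 as constructed sample input.

```python
from datetime import datetime, timedelta, timezone

US_PER_SECOND = 1_000_000

# PRTime value quoted in comment 3 (microseconds since the Unix epoch).
PRELOAD_EXPIRATION_US = 1506384000000000


def prtime_to_datetime(prtime_us: int) -> datetime:
    """Convert a PRTime (microseconds since the epoch) to an aware UTC datetime."""
    seconds, micros = divmod(prtime_us, US_PER_SECOND)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=micros)


def datetime_to_prtime(dt: datetime) -> int:
    """Inverse of prtime_to_datetime; dt must be timezone-aware."""
    return int(dt.timestamp()) * US_PER_SECOND + dt.microsecond


def preload_is_active(now: datetime, expiration_us: int = PRELOAD_EXPIRATION_US) -> bool:
    """Assumed check: preloaded HSTS/HPKP entries are honoured only while the
    build's expiration timestamp is still in the future. At or after that
    instant the preloads are ignored and only dynamically learned state applies."""
    return now < prtime_to_datetime(expiration_us)


def margin_days(expiration_us: int, last_expected_use: datetime) -> int:
    """Whole days between the date by which users should be on a newer build
    and the moment the preload data turns itself off. A negative result is the
    window during which this build would run with preloads silently disabled."""
    return (prtime_to_datetime(expiration_us) - last_expected_use).days


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: the old expiry (July 24) versus the date users are
    # expected to have updated (August 8), and the new expiry from comment 3.
    old_expiry_us = datetime_to_prtime(datetime(2017, 7, 24, tzinfo=utc))
    update_by = datetime(2017, 8, 8, tzinfo=utc)
    print("new expiry:", prtime_to_datetime(PRELOAD_EXPIRATION_US).date())
    print("old expiry margin (days):", margin_days(old_expiry_us, update_by))
    print("new expiry margin (days):", margin_days(PRELOAD_EXPIRATION_US, update_by))
    print("preloads active on Aug 8 with new expiry:", preload_is_active(update_by))
```

Running it shows the old timestamp leaves a 15-day gap before August 8, while the 2017-09-26 value gives 49 days of margin past that date, which is the "one whole cycle of overlap" the comment asks for.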
Comment hidden (mozreview-request)
(Assignee)

Updated

5 months ago
Priority: P2 → P1
Whiteboard: [psm-blocked] → [psm-assigned]
(Reporter)

Comment 5

5 months ago
mozreview-review
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54 a?gchang

https://reviewboard.mozilla.org/r/143450/#review147218

Verified as 2017-09-26
Attachment #8871939 - Flags: review?(jjones) → review+
(Assignee)

Comment 6

5 months ago
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54 a?gchang

Approval Request Comment
[Feature/Bug causing the regression]: HSTS/HPKP preloading
[User impact if declined]: users may have out-of-date preloaded security information before they can update to the next version
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: n/a - doesn't need to land in Nightly
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: we've done this a few times before
[String changes made/needed]: none
Attachment #8871939 - Flags: approval-mozilla-beta?
(Assignee)

Comment 7

5 months ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> [User impact if declined]: users may have out-of-date preloaded security
> information before they can update to the next version

Er, rather, the preloaded lists may turn themselves off before users update, leaving a window of vulnerability.
Comment on attachment 8871939 [details]
bug 1365790 - bump security preload information expiration dates to 2017-09-26 for Firefox 54 a?gchang

bump hpkp/hsts preload expiration dates, beta54+

Should be in 54.0b13
Flags: needinfo?(jjones)
Attachment #8871939 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 9

5 months ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/10cfa295a989
status-firefox54: affected → fixed
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> [Is this code covered by automated tests?]: yes
> [Has the fix been verified in Nightly?]: n/a - doesn't need to land in
> Nightly
> [Needs manual test from QE? If yes, steps to reproduce]: no

Setting qe-verify- based on David's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-