Bug 1366582: Remove "Enable FIPS" button
Status: NEW (Open)
Opened 8 years ago, updated 2 years ago
Categories: Core :: Security: PSM, enhancement, P3
Reporter: Cykesiopka
Assignee: Unassigned
Whiteboard: [psm-blocked]
Attachments: 1 file (59 bytes, text/x-review-board-request)

This button doesn't really make sense anymore:
1. A. FIPS mode is currently broken on Mac (Bug 1223979) and on Windows (Bug 1337950).
   B. Pressing the button will unsurprisingly always result in an error dialogue popping up.
2. A. We intend to remove support for FIPS in the future (Bug 1360692).
   B. To reduce the amount of impact once we do this, we should disallow enabling FIPS mode for new profiles.

Comment 2 • 8 years ago (mozreview-review)
Comment on attachment 8870468 [details]
Bug 1366582 - Remove "Enable FIPS" button.
https://reviewboard.mozilla.org/r/141908/#review145666
I would r+ this, but our partners at Red Hat have some concerns about the future of FIPS in Firefox that we're still working out, so I think we should hold off on this for now. We're potentially going to have a get-together near the end of June where we can discuss this, so we should have a better idea of what direction we're going in a little more than a month.
Attachment #8870468 - Flags: review?(dkeeler)

Comment 3 • 8 years ago (Reporter)
OK, let's hold off on this for now.
Assignee: cykesiopka.bmo → nobody
Status: ASSIGNED → NEW
Priority: P1 → P3
Whiteboard: [psm-assigned] → [psm-blocked]

Comment 4 • 7 years ago
The FIPS button is also broken in Linux but should not be removed. It is a good security feature.

Comment 5 • 7 years ago
Tim - The JS UI code for the FIPS button calls secmoddb.canToggleFIPS() [1]. Is it reasonable to expose something from NSS indicating whether the compiled NSS was built for FIPS mode?
If so, can you file some bugs? I'd like to get this broken window mended somehow, either by keeping it un-clickable when it won't work, or by removing it per Cykesiopka's patch.
[1] https://searchfox.org/mozilla-central/source/security/manager/ssl/PKCS11ModuleDB.cpp#223
Flags: needinfo?(ttaubert)

Comment 6 • 7 years ago
I filed bug 1419721 to make secmoddb.canToggleFIPS() or rather SECMOD_CanDeleteInternalModule() always return false if NSS wasn't build with FIPS support. Now we can either decide to not show the button at all if this is false, or to just let it be disabled. For the latter we probably wouldn't need to change anything in PSM.
Flags: needinfo?(ttaubert)

Comment 7 • 7 years ago
*wasn't built, gah

Comment 9 • 7 years ago
(In reply to OrangeFactor Robot from comment #8)
> 2 failures in 744 pushes (0.003 failures/push) were associated with this bug
> in the last 7 days.
>
Fixed by https://hg.mozilla.org/try/rev/d9c8a082eac8387df85f9553d8b7b9822ea256d9

Updated • 2 years ago
Severity: minor → S4