Closed Bug 1442075 Opened 3 years ago Closed 3 years ago

Enforce Symantec distrust in Firefox 60

Categories

(Core :: Security: PSM, defect, P1)

60 Branch
defect

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
relnote-firefox --- 60+
firefox60 blocking fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Keywords: site-compat)

Attachments

(1 file)

This bug is to flip the pref "security.pki.distrust_ca_policy" back to 1 (enable Symantec distrust) in Nightly approximately at the time that Chrome M66 moves to Beta (~Mar 15 - Mar 22, 2018) [1]. We disabled it in Bug 1437754 due to widespread compat issues, which we understand to be due to prior statements that sites had until March to make updates, as that was when we (and Chrome) were entering Beta with this change.

So this bug is to flip that pref in Nightly 61. About one week later we will want to uplift this to Beta 60 and let it ride the trains the rest of the way, per the consensus plan.

I'm marking this for tracking in 60 for the expected uplift. We still anticipate letting this ship in 60.

[1] https://www.chromestatus.com/features/schedule
Keywords: site-compat
marking as blocking for 60 to keep this high on my list.
Comment on attachment 8955358 [details]
Bug 1442075 - Enforce Symantec distrust in Firefox 60

https://reviewboard.mozilla.org/r/224540/#review230492

This might be the shortest patch I've ever reviewed.
Attachment #8955358 - Flags: review?(dkeeler) → review+
To stay in sync with Chrome Canary, I prefer we keep "security.pki.distrust_ca_policy" = 1 on Nightly. While the compat issues are real, they're the same on Nightly and Canary. Going forward we'll be taking this step together for every other channel. Please re-enable on Nightly as soon as possible.
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/97eade2b82c7
Enforce Symantec distrust in Firefox 60 r=keeler
Keywords: checkin-needed
Be aware that this will directly get onto beta 60 with the next daily central to beta merge. Central is still on 60 (like beta) and will get its version bump on March 12.
Flags: needinfo?(jjones)
I think this is what we want. Selena and I are on PTO today, let me redirect this to Wayne.

The alternative would be to ifdef this to only occur on Nightly... which would then need to be un-done at a future date. But I think the intent is to ride the trains now where they lead.
Flags: needinfo?(jjones) → needinfo?(wthayer)
My understanding is that a decision of when and how to flow this into Beta is pending a conversation between Selena, Wennie, and J.C. next week. The concern is that 60 goes to Beta a few days before Chrome will push the change to their Beta channel, so we may see more impact from sites that have delayed until Chrome's 3/15 Beta date to swap out their affected certs.
Flags: needinfo?(wthayer)
https://hg.mozilla.org/mozilla-central/rev/97eade2b82c7
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Depends on: 1449028
should we add a release note for this change?
relnote-firefox: --- → ?
(In reply to [:philipp] from comment #11)
> should we add a release note for this change?

I think the ESR release notes should mention this "security.pki.distrust_ca_policy" pref.

I think both Firefox and ESR release notes should mention the distrust of Symantec TLS Certificates, as described here:
https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
Added to the 60.0 and 60.0esr release notes.

60.0: TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted by Firefox

60.0esr: TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted by Firefox. The "security.pki.distrust_ca_policy" preference can be set to 0 to reinstate trust in those certificates
See Also: → 1460062
You need to log in before you can comment on or make changes to this bug.