Enforce Symantec distrust in Firefox 63

RESOLVED FIXED in Firefox 63

Status

P1
major
RESOLVED FIXED
11 months ago
6 months ago

People

(Reporter: jcj, Assigned: keeler)

Tracking

(Blocks: 1 bug, {site-compat})

Trunk
mozilla63
site-compat

Firefox Tracking Flags

(relnote-firefox 63+, firefox62 wontfix, firefox63 blocking fixed)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
Similar to Bug 1442075, this bug is to change the default of the "security.pki.distrust_ca_policy" pref to the value of 2, introduced in Bug 1456112. This change should happen in the Firefox 63 branch.
Keywords: site-compat
We should add this to 63 release notes.
status-firefox62: affected → wontfix
relnote-firefox: --- → ?
status-firefox63: --- → affected
tracking-firefox63: --- → blocking
Severity: enhancement → major
relnote-firefox: ? → 63+
Canary went live with this enabled somewhere around 31-July. We should make this change in Nightly sometime around 10-13 August.

It should not ride the train to Beta initially. @pascalc suggested that we implement this as follows:

You don't need to revert it in beta; you can use an ifdef statement with the NIGHTLY_BUILD define so that the feature only targets nightly and does not affect beta.
Here is an example in our code:
https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js#1426-1430

Then during the 64 nightly cycle, the week of September 17, you remove the ifdef statement and ask in bug 1460062 for an uplift of this patch to 63 beta 9, which is planned for September 25.
Assignee: nobody → dkeeler
Priority: P3 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
This patch implements the Symantec distrust plan on Nightly only for now.
Comment on attachment 8998635 [details]
bug 1460062 - Enforce Symantec distrust in Firefox 63 r?franziskus

Franziskus Kiefer [:fkiefer or :franziskus] has approved the revision.
Attachment #8998635 - Flags: review+

Comment 5

7 months ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6ef1b4f2756a
Enforce Symantec distrust in Firefox 63 r=franziskus

Comment 6

7 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6ef1b4f2756a
Status: NEW → RESOLVED
Last Resolved: 7 months ago
status-firefox63: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Depends on: 1484534
Firefox 63 Beta 9 is shipping next Tuesday. Time to request an uplift if Comment 2 is still the plan?
Flags: needinfo?(dkeeler)
We are not yet ready to enable this change in 63 Beta. Chrome has not yet enabled the distrust in their 70 Beta and the breakage caused by this change is still significant: http://tlscanary-plot-8e95d89854d73f4d.elb.us-west-2.amazonaws.com/ We'll continue to monitor this and determine when to move forward, but for now please do not uplift.
(see comment 9)
Flags: needinfo?(dkeeler)