Closed Bug 1460062 Opened 6 years ago Closed 6 years ago

Enforce Symantec distrust in Firefox 63

Categories

(Core :: Security: PSM, defect, P1)

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
relnote-firefox --- 63+
firefox62 --- wontfix
firefox63 blocking fixed

People

(Reporter: jcj, Assigned: keeler)

Details

(Keywords: site-compat, Whiteboard: [psm-assigned])

Attachments

(1 file)

Similar to Bug 1442075, this bug is to change the default of the "security.pki.distrust_ca_policy" pref to the value of 2, introduced in Bug 1456112. This change should happen in the Firefox 63 branch.
Keywords: site-compat
We should add this to 63 release notes.
Severity: enhancement → major
Canary went live with this enabled somewhere around 31-July. We should make this change in Nightly sometime around 10-13 August.

It should not ride the train to Beta initially. @pascalc suggested that we implement this as follows:

you don't need to revert it in beta, you can use an ifdef statement with the NIGHTLY_BUILD define
so that the feature only targets nightly and does not affect beta.
Here is an example in our code:
https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js#1426-1430


Then during the 64 nightly cycle, the week of September 17, you remove
the ifdef statement and ask in bug 1460062 for an uplift of this patch to 63
beta 9 which is planned for September 25.
Assignee: nobody → dkeeler
Priority: P3 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
This patch implements the Symantec distrust plan on Nightly only for now.
Comment on attachment 8998635 [details]
bug 1460062 - Enforce Symantec distrust in Firefox 63 r?franziskus

Franziskus Kiefer [:fkiefer or :franziskus] has approved the revision.
Attachment #8998635 - Flags: review+
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6ef1b4f2756a
Enforce Symantec distrust in Firefox 63 r=franziskus
https://hg.mozilla.org/mozilla-central/rev/6ef1b4f2756a
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Depends on: 1484534
Firefox 63 Beta 9 is shipping next Tuesday. Time to request an uplift if Comment 2 is still the plan?
Flags: needinfo?(dkeeler)
We are not yet ready to enable this change in 63 Beta. Chrome has not yet enabled the distrust in their 70 Beta and the breakage caused by this change is still significant: http://tlscanary-plot-8e95d89854d73f4d.elb.us-west-2.amazonaws.com/ We'll continue to monitor this and determine when to move forward, but for now please do not uplift.
(see comment 9)
Flags: needinfo?(dkeeler)