Closed Bug 1478826 Opened 6 years ago Closed 5 years ago

consider limiting TrustLoaded3rdPartyRoots to only trusting self-signed certificates (i.e. roots)

Categories

(Core :: Security: PSM, enhancement, P2)

enhancement


RESOLVED DUPLICATE of bug 1526004

People

(Reporter: keeler, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

I'm fairly sure the OS X implementation of GatherEnterpriseRoots has the downside of returning intermediate certificates as well as roots. When we then call TrustLoaded3rdPartyRoots, we'll trust those intermediates as roots, which isn't a disaster but could have unexpected consequences (e.g. pinning failures, but this would require users setting security.cert_pinning.enforcement_level to 2 (i.e. not the default) and security.cert_pinning.process_headers_from_non_builtin_roots to true (also not the default) and having servers actually set HPKP).

If we instead only trusted roots as roots and left the intermediates as inherit-trust (and retained in memory so path-building can find them (NB: we have to test that this actually works)), this will more accurately reflect the expected PKI.

As an added bonus, we could potentially do the same thing on Windows and import intermediates as well (we've had more than one bug filed that boils down to "the server isn't sending the intermediate, why doesn't it work, chrome works fine").

Bug 1526004 fixed this behavior (and bug 1514118 removed TrustLoaded3rdPartyRoots anyway).

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE