Closed Bug 1547701 Opened 1 year ago Closed 1 year ago

Investigate if OCSPRequest::Run requires LOAD_BYPASS_URL_CLASSIFIER flag

Categories: Toolkit :: Safe Browsing, task, P1

Status: RESOLVED FIXED, mozilla68
Tracking Status: firefox68 --- fixed

People: Reporter: dimi, Assigned: dimi

References: Blocks 1 open bug

Attachments: 1 file
Check if OCSPRequest::Run[1] requires LOAD_BYPASS_URL_CLASSIFIER[2].
The question is: what happens if an OCSPRequest request is blocked? Is it a critical channel?

[1] https://searchfox.org/mozilla-central/rev/66086345467c69685434dd1c5177b30a7511b1a5/security/manager/ssl/nsNSSCallbacks.cpp#264

[2] https://searchfox.org/mozilla-central/rev/66086345467c69685434dd1c5177b30a7511b1a5/netwerk/base/nsIChannel.idl#255

Hi keeler,
We have recently changed the behavior of how URL Classifier determines whether a channel should be classified[1] by using the information in the channel.
To be extra careful not to block critical channels because of bugs, we added this LOAD_BYPASS_URL_CLASSIFIER flag as a safeguard: whenever we see this flag, we do not classify the channel, no matter the information in the channel.

My question is, what happens if the OCSP request is mistakenly blocked? Does it satisfy any of the rules here (this is just a reference to see if this is critical)?

  • channels related to an update
  • channels that may cause security issues if blocked
  • channels that may prevent the browser from launching if blocked
  • channels that break basic functionality if blocked

Thank you for your help!

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1522412

Flags: needinfo?(dkeeler)

OCSP requests are important for certificate verification (specifically, getting revocation information), so it would be a security issue if we blocked them.

Flags: needinfo?(dkeeler)

If an OCSP request is blocked, we can't get the certificate revocation
information.
Add nsIChannel::LOAD_BYPASS_URL_CLASSIFIER to enforce that the URL classifier
bypasses OCSP requests.

Pushed by dlee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa674b410265
Use LOAD_BYPASS_URL_CLASSIFIER flag for OCSP request. r=keeler
Assignee: nobody → dlee
Status: NEW → ASSIGNED
Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68