preload pinning Key pinning for imap.gmail.com and smtp.gmail.com (HPKP)
Categories: Thunderbird :: Security, defect
Tracking: Not tracked
People: Reporter: demiobenour, Unassigned
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
Tried to figure out if Thunderbird enforces certificate pinning for smtp.gmail.com and imap.gmail.com.
Actual results:
Not able to find information
Expected results:
Both smtp.gmail.com and imap.gmail.com should be pinned to the correct (Google) certificate authority, and this should be documented.
Comment 1•5 years ago
Hi, what is certificate pinning? Do you mean HPKP (HTTP Public Key Pinning; RFC 7469)? If so, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning why this should not be implemented. Or that Google (who own GMail) removed it in their browser in https://www.chromestatus.com/feature/5903385005916160
Reporter
Comment 2•5 years ago
No, I am referring to preloaded pinning, as is done for addons.mozilla.org et al.
Updated•2 years ago
Comment 4•9 months ago
(In reply to Andre Klapper from comment #1)
> Hi, what is certificate pinning? Do you mean HPKP (HTTP Public Key Pinning; RFC 7469)? If so, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning why this should not be implemented. Or that Google (who own GMail) removed it in their browser in https://www.chromestatus.com/feature/5903385005916160

FWIW, HPKP was removed in bug 1630038

(In reply to demiobenour from comment #2)
> No, I am referring to preloaded pinning, as is done for addons.mozilla.org et al.

I don't see us doing this. Magnus what do you think?
Comment 5•9 months ago
I forget exactly how it's done, but I remember investigating some case where pinning caused issues for someone (due to wrong config), so I would assume the pinnings are currently shipped.
Reporter
Comment 6•9 months ago
(In reply to Wayne Mery (:wsmwk) from comment #4)
> (In reply to Andre Klapper from comment #1)
> > Hi, what is certificate pinning? Do you mean HPKP (HTTP Public Key Pinning; RFC 7469)? If so, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning why this should not be implemented. Or that Google (who own GMail) removed it in their browser in https://www.chromestatus.com/feature/5903385005916160
>
> FWIW, HPKP was removed in bug 1630038
>
> (In reply to demiobenour from comment #2)
> > No, I am referring to preloaded pinning, as is done for addons.mozilla.org et al.
>
> I don't see us doing this. Magnus what do you think?

My understanding is that Firefox has preloaded pins for other Google domains, so not having them for imap.gmail.com and smtp.gmail.com is inconsistent.
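The preloaded (static) pin check the thread is asking about, as an added example that is not Thunderbird or Firefox code: a static pinset holds base64 SHA-256 hashes of SubjectPublicKeyInfo, and a connection passes when any certificate in the already-validated chain (typically the pinned CA) matches one of them, which is what narrows the set of CAs that may issue for a host. The certificates, keys and pinset below are constructed stand-ins, not Google's, and the DER helpers are minimal ones written for this example.

```python
import base64
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (bodies under 64 KiB)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body

def der_value(elem: bytes) -> bytes:
    """Return the contents of one DER element, skipping its tag and length octets."""
    n = elem[1]
    return elem[2 + (n & 0x7F):] if n & 0x80 else elem[2:]

def der_children(contents: bytes) -> list:
    """Split the contents of a constructed DER element into whole child elements."""
    out, i = [], 0
    while i < len(contents):
        n, j = contents[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, j = int.from_bytes(contents[j:j + k], "big"), j + k
        out.append(contents[i:j + n])
        i = j + n
    return out

def spki_of(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from TBSCertificate (RFC 5280 field order)."""
    tbs = der_children(der_value(cert_der))[0]
    fields = der_children(der_value(tbs))
    return fields[6] if fields[0][0] == 0xA0 else fields[5]  # skip the optional [0] version

def spki_pin(spki_der: bytes) -> str:
    """Pin value as used by static pinsets: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_matches_pinset(chain: list, pinset: set) -> bool:
    """Static pinning passes when any certificate in the verified chain carries a pinned key."""
    return any(spki_pin(spki_of(c)) in pinset for c in chain)

def make_cert(pubkey: bytes) -> bytes:
    """Constructed certificate-shaped DER (not a real certificate); only the structure matters."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")))  # rsaEncryption OID
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"") * 3 + spki
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" + b"constructed-signature"))

# Constructed pinset: the SPKI hash of a stand-in CA key, as a preloaded pin entry would be.
GOOGLE_CA_STANDIN = make_cert(b"constructed-ca-public-key")
PINSET = {spki_pin(spki_of(GOOGLE_CA_STANDIN))}
```

A chain ending in the stand-in CA passes the pin check while a chain issued by any other CA fails, regardless of whether that other CA is otherwise trusted.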