Open Bug 1614215 Opened 5 years ago Updated 9 months ago

preload pinning Key pinning for imap.gmail.com and smtp.gmail.com (HPKP)

Categories

(Thunderbird :: Security, defect)


Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: demiobenour, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Tried to figure out if Thunderbird enforces certificate pinning for smtp.gmail.com and imap.gmail.com.

Actual results:

Not able to find information

Expected results:

Both smtp.gmail.com and imap.gmail.com should be pinned to the correct (Google) certificate authority, and this should be documented.

Hi, what is certificate pinning? Do you mean HPKP (HTTP Public Key Pinning; RFC 7469)? If so, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning why this should not be implemented. Or that Google (who own GMail) removed it in their browser in https://www.chromestatus.com/feature/5903385005916160

Flags: needinfo?(demiobenour)

No, I am referring to preloaded pinning, as is done for addons.mozilla.org et al.

Flags: needinfo?(demiobenour)

Gene, do you know about this pinning?

Flags: needinfo?(gds)
Severity: normal → S3

(In reply to Andre Klapper from comment #1)

> Hi, what is certificate pinning? Do you mean HPKP (HTTP Public Key Pinning; RFC 7469)? If so, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning why this should not be implemented. Or that Google (who own GMail) removed it in their browser in https://www.chromestatus.com/feature/5903385005916160

FWIW, HPKP was removed in bug 1630038

(In reply to demiobenour from comment #2)

> No, I am referring to preloaded pinning, as is done for addons.mozilla.org et al.

I don't see us doing this. Magnus, what do you think?

Flags: needinfo?(gds) → needinfo?(mkmelin+mozilla)
See Also: → 1630038
Summary: Key pinning for imap.gmail.com and smtp.gmail.com → preload pinning Key pinning for imap.gmail.com and smtp.gmail.com (HPKP)

I forget exactly how it's done, but I remember investigating some case where pinning caused issues for someone (due to wrong config), so I would assume the pinnings are currently shipped.

Flags: needinfo?(mkmelin+mozilla)

(In reply to Wayne Mery (:wsmwk) from comment #4)

> (In reply to Andre Klapper from comment #1)
>
> > Hi, what is certificate pinning? Do you mean HPKP (HTTP Public Key Pinning; RFC 7469)? If so, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning why this should not be implemented. Or that Google (who own GMail) removed it in their browser in https://www.chromestatus.com/feature/5903385005916160
>
> FWIW, HPKP was removed in bug 1630038
>
> (In reply to demiobenour from comment #2)
>
> > No, I am referring to preloaded pinning, as is done for addons.mozilla.org et al.
>
> I don't see us doing this. Magnus, what do you think?

My understanding is that Firefox has preloaded pins for other Google domains, so not having them for imap.gmail.com and smtp.gmail.com is inconsistent.
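For readers following this thread who want to see what a "preloaded pin" check for a mail server would actually evaluate, here is an added Python example. It is not Thunderbird's or Firefox's code; it models a Firefox-like static preload list (hosts, subdomain inheritance, base64 SHA-256 hashes of the SubjectPublicKeyInfo DER as in RFC 7469, and a built-in expiry after which the pins are no longer enforced) and checks a TLS chain against it. The hostnames, key bytes, pin values and the expiry rule are assumptions constructed for the example, and the mismatching chain stands in for the "wrong config" case mentioned above.

```python
"""Preloaded public-key pin check, added here as an illustration.

Example code, not Thunderbird's or Firefox's implementation. Assumed
design: each preload entry names hosts, says whether subdomains inherit
the pins, carries a set of base64 SHA-256 hashes of SPKI DER, and has an
expiry after which pins are not enforced. A chain passes if any
certificate in it carries a pinned key. All hostnames and keys below are
constructed for the example.
"""
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def spki_pin(spki_der: bytes) -> str:
    """Pin value in RFC 7469 form: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Encode 32 key bytes as a DER SubjectPublicKeyInfo (RFC 8410 layout) so
    the example runs offline with no crypto library. The key bytes are
    constructed, not a real key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    algorithm = b"\x30\x05\x06\x03\x2b\x65\x70"  # SEQUENCE { OID 1.3.101.112 }
    bit_string = b"\x03\x21\x00" + raw_key       # BIT STRING, 0 unused bits
    body = algorithm + bit_string
    return b"\x30" + bytes([len(body)]) + body   # outer SEQUENCE, 44 bytes total


@dataclass(frozen=True)
class PinEntry:
    hosts: frozenset          # lower-case hostnames this entry covers
    include_subdomains: bool  # whether labels below those hosts inherit the pins
    pins: frozenset           # base64 SPKI hashes, normally of CA keys
    expires: datetime         # pins stop being enforced once this passes (assumed rule)


def find_entry(preload, host):
    """Exact host match first, then parent domains whose entry includes subdomains."""
    labels = host.lower().split(".")
    for depth in range(len(labels)):
        candidate = ".".join(labels[depth:])
        for entry in preload:
            if candidate in entry.hosts and (depth == 0 or entry.include_subdomains):
                return entry
    return None


def check_chain(preload, host, chain_spkis, now):
    """Return 'ok', 'pin-violation', 'expired' or 'not-pinned' for a chain
    given as the SPKI DER of each certificate, leaf first."""
    entry = find_entry(preload, host)
    if entry is None:
        return "not-pinned"
    if now >= entry.expires:
        return "expired"  # a stale preload entry must not hard-fail old builds
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return "ok" if chain_pins & entry.pins else "pin-violation"


def run_demo():
    """Constructed scenario: one CA key is pinned for mail.example.net and its
    subdomains; a chain issued by a different CA (a misconfiguration) is rejected."""
    pinned_ca = ed25519_spki(bytes([0x11] * 32))
    other_ca = ed25519_spki(bytes([0x22] * 32))
    leaf = ed25519_spki(bytes([0x33] * 32))
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    preload = [PinEntry(
        hosts=frozenset({"mail.example.net"}),
        include_subdomains=True,
        pins=frozenset({spki_pin(pinned_ca)}),
        expires=now + timedelta(days=90),
    )]
    return {
        # the pinned key is on the CA, not the leaf, and still satisfies the check
        "pinned_chain": check_chain(preload, "imap.mail.example.net", [leaf, pinned_ca], now),
        "other_ca_chain": check_chain(preload, "imap.mail.example.net", [leaf, other_ca], now),
        "unlisted_host": check_chain(preload, "imap.other.example", [leaf, other_ca], now),
        "after_expiry": check_chain(preload, "mail.example.net", [leaf, other_ca],
                                    now + timedelta(days=91)),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The check deliberately matches any certificate in the chain, because preloaded pins are normally placed on CA keys rather than leaf keys so that routine leaf rotation does not break clients; pinning a leaf key is what turns an ordinary certificate renewal into the kind of outage mentioned in this thread.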
