Closed Bug 1630038 Opened 5 years ago Closed 5 years ago

remove HPKP (http public key pinning) entirely (not built-in pins)

Categories

(Core :: Security: PSM, task, P1)

Product:
Core
Component:
Security: PSM
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Bug 1630038 - remove HPKP entirely r?kjacobs!,bbeurdouche!
47 bytes, text/x-phabricator-request
Details | Review

HPKP is disabled by default (bug 1412438). Due to socket process work, it has already become a maintenance burden (see bug 1485652). This bug will remove HPKP entirely. (NB: HPKP refers to "http public key pinning", which is the ability to set pins via a http header. Static pins shipped with the browser will not be affected by this.)

This removes processing of HTTP Public Key Pinning headers, remotely modifying
pinning information, and using cached pinning information, all of which was
already disabled in bug 1412438. Static pins that ship with the browser are
still enforced.

Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/924f613d68ab remove HPKP entirely r=kjacobs,bbeurdouche

https://hg.mozilla.org/mozilla-central/rev/924f613d68ab

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox78: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
See Also: → 1614215
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: