Closed Bug 1688632 Opened 5 years ago Closed 5 years ago

https://firefox-settings-attachments.cdn.mozilla.net causes a large number of requests from single IP addresses on proxy

Categories

(Core :: Security: PSM, defect)

Firefox 84
defect

RESOLVED INVALID

People

(Reporter: stjepan.hrkac.posao, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75

Steps to reproduce:

Look at logs of proxy

Actual results:

My proxy CPUs are very high and my service is disrupted. I found that 10% of all requests go to https://firefox-settings-attachments.cdn.mozilla.net.

We have a special SSL certificate (issued by our local CA) to do SSL inspection and antimalware scanning, and I think that Firefox does not trust that certificate.

Expected results:

It should be normal ssl inspection for https://firefox-settings-attachments.cdn.mozilla.net
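A way to reproduce the log triage described in the report above, as an added example that is not part of the original bug report: it measures what share of proxy requests go to the attachments host and which client IPs send them in bursts. It assumes Squid's native access.log field order (the report does not name the proxy product); `host_of`, `triage` and the sample lines are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

TARGET = "firefox-settings-attachments.cdn.mozilla.net"

# Constructed sample lines in Squid's native access.log layout (an assumption):
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
1611571200.101 45 10.0.0.15 TCP_TUNNEL/200 3921 CONNECT firefox-settings-attachments.cdn.mozilla.net:443 - HIER_DIRECT/192.0.2.10 -
1611571200.350 41 10.0.0.15 TCP_TUNNEL/200 3921 CONNECT firefox-settings-attachments.cdn.mozilla.net:443 - HIER_DIRECT/192.0.2.10 -
1611571201.020 39 10.0.0.15 TCP_TUNNEL/200 3921 CONNECT firefox-settings-attachments.cdn.mozilla.net:443 - HIER_DIRECT/192.0.2.10 -
1611571201.500 52 10.0.0.15 TCP_MISS/200 2048 GET https://firefox-settings-attachments.cdn.mozilla.net/constructed-path - HIER_DIRECT/192.0.2.10 -
1611571202.000 30 10.0.0.22 TCP_TUNNEL/200 812 CONNECT example.com:443 - HIER_DIRECT/192.0.2.20 -
1611571203.000 44 10.0.0.22 TCP_TUNNEL/200 3921 CONNECT firefox-settings-attachments.cdn.mozilla.net:443 - HIER_DIRECT/192.0.2.10 -
1611571204.000 12 10.0.0.31 TCP_MISS/200 512 GET http://example.org/ - HIER_DIRECT/192.0.2.30 text/html
1611571290.000 40 10.0.0.22 TCP_TUNNEL/200 3921 CONNECT firefox-settings-attachments.cdn.mozilla.net:443 - HIER_DIRECT/192.0.2.10 -
"""

def host_of(method, url):
    """Return the lower-cased host of a CONNECT target (host:port) or an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def triage(log_text, target=TARGET, window=60, burst=3):
    """Summarise traffic to `target`: share of all requests, per-client counts, and
    clients with at least `burst` requests inside one `window`-second bucket."""
    total, per_client, per_bucket = 0, Counter(), Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # skip truncated or malformed lines
        total += 1
        if host_of(f[5], f[6]) != target:
            continue
        per_client[f[2]] += 1
        per_bucket[(f[2], int(float(f[0])) // window)] += 1
    hits = sum(per_client.values())
    bursty = sorted({c for (c, _), n in per_bucket.items() if n >= burst})
    return {"total": total, "hits": hits, "share": hits / total if total else 0.0,
            "per_client": dict(per_client), "bursty": bursty}

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['hits']}/{r['total']} requests ({r['share']:.0%}) go to {TARGET}")
    for client, n in sorted(r["per_client"].items(), key=lambda kv: -kv[1]):
        print(f"  {client}: {n}" + ("  <- burst" if client in r["bursty"] else ""))
```
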

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core
No longer blocks: 1687570

That's probably intermediate preloading data. Since you're running a TLS intercepting proxy, you could disable it altogether by setting security.remote_settings.intermediates.enabled to false in about:config. This means that for connections that aren't intercepted, there's an increased chance of seeing "unknown issuer" errors for misconfigured sites. If you want to keep it enabled but decrease the number of parallel requests, you can set security.remote_settings.intermediates.parallel_downloads to a lower value.

Flags: needinfo?(stjepan.hrkac.posao)

Ok, thank you for your explanation, I will keep that in mind if the problem happens in the future. Now, I did disable SSL inspection on the proxy for firefox-settings-attachments.cdn.mozilla.net and right after that the number of requests rapidly decreased. So it solved my problem.

Flags: needinfo?(stjepan.hrkac.posao)

Great - thanks!

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID