Closed Bug 686842 Opened 14 years ago Closed 8 years ago

Implement SSL certificate CA pinning for blocklist

Categories

(Toolkit :: Add-ons Manager, defect)

RESOLVED DUPLICATE of bug 1030135

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: sec-moderate, Whiteboard: [sg:moderate])

+++ This bug was initially created as a clone of Bug #685064 +++
We need to implement the same kind of CA pinning mechanism for the blocklist that we have for AUS. This will reduce the risks associated with implementing the CA blocklist (bug 647868). The goal of the CA blocklist is to protect against certificates that were mis-issued by CAs. Twice this year, CAs have mis-issued certificates for addons.mozilla.org. Those certificates would thus have been able to modify the CA blocklist, if we had had the CA blocklisting feature in place at the time. Restricting the set of CAs that we would accept as CAs for the blocklist download would greatly reduce this attack surface--the attacker would have to compromise one of the two CAs that we whitelist, instead of just the weakest CAs in our CA program.
sec review triage = flag removed
Pinning would happen in the client, not server: moving to Toolkit. Assuming this uses the same reviewed code we are using to pin other services it doesn't need a separate sec-review.
Group: client-services-security → core-security
Component: Blocklisting → Add-ons Manager
Product: addons.mozilla.org → Toolkit
QA Contact: blocklisting → add-ons.manager
Whiteboard: [sg:moderate]
Group: core-security → toolkit-core-security
It doesn't look like the blocklist domain is in our list of static key pins: https://searchfox.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#165-223 Keeler, would it be a good idea to add it? Andrew, what domain do we currently fetch blocklists from?
Flags: needinfo?(dkeeler)
Flags: needinfo?(aswan)
Ah, I missed that. Thanks.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: toolkit-core-security