Closed
Bug 686842
Opened 14 years ago
Closed 8 years ago
Implement SSL certificate CA pinning for blocklist
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
RESOLVED
DUPLICATE
of bug 1030135
People
(Reporter: briansmith, Unassigned)
References
Details
(Keywords: sec-moderate, Whiteboard: [sg:moderate])
+++ This bug was initially created as a clone of Bug #685064 +++
We need to implement the same kind of CA pinning mechanism for the blocklist that we have for AUS. This will reduce the risks associated with implementing the CA blocklist (bug 647868).
The goal of the CA blocklist is to protect against certificates that were mis-issued by CAs. Twice this year, CAs have mis-issued certificates for addons.mozilla.org. Those certificates would thus have been able to modify the CA blocklist, if we had had the CA blocklisting feature in place at the time. Restricting the set of CAs that we would accept as CAs for the blocklist download would greatly reduce this attack surface--the attacker would have to compromise one of the two CAs that whitelist, instead of just the weakest CAs in our CA program.
sec review triage = flag removed
Keywords: sec-review-needed
Comment 2•14 years ago
|
||
Pinning would happen in the client, not server: moving to Toolkit. Assuming this uses the same reviewed code we are using to pin other services it doesn't need a separate sec-review.
Group: client-services-security → core-security
Component: Blocklisting → Add-ons Manager
Product: addons.mozilla.org → Toolkit
QA Contact: blocklisting → add-ons.manager
Updated•14 years ago
|
Whiteboard: [sg:moderate]
Updated•14 years ago
|
Keywords: sec-moderate
Updated•10 years ago
|
Group: core-security → toolkit-core-security
Comment 3•8 years ago
|
||
It doesn't look like the blocklist domain is in our list of static key pins:
https://searchfox.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#165-223
Keeler, would it be a good idea to add it?
Andrew, what domain do we currently fetch blocklists from?
Flags: needinfo?(dkeeler)
Flags: needinfo?(aswan)
Comment 4•8 years ago
|
||
I believe it comes from
https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08238011/modules/libpref/init/all.js#2702
https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
Flags: needinfo?(aswan)
Comment 5•8 years ago
|
||
This entry should cover it: https://searchfox.org/mozilla-central/rev/8976abf9cab8eb4661665cc86bd355cd08238011/security/manager/tools/PreloadedHPKPins.json#193 so we can probably close this as a duplicate of bug 1030135.
Flags: needinfo?(dkeeler)
Comment 6•8 years ago
|
||
Ah, I missed that. Thanks.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•5 years ago
|
Group: toolkit-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•