Closed Bug 776746 Opened 12 years ago Closed 12 years ago

Mozilla CA lists

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cviecco, Assigned: nmaul)

References

Details

Attachments

(1 file)

To improve security of our products we are implementing CA pinning (https://bugzilla.mozilla.org/show_bug.cgi?id=744204) (it is actually public key pinning). In its first stage (built-in pins only) we are hoping to include mozilla.org sites (including b2g and persona) into the built-in pin list. So I would like to know what CA do we use so that the list is both comprehensive of the sites that we would like to be pinned and to ensure we have flexibility (able to change CA) if necessary.
Depends on: 772756
Shyam, Do you have this list?
Webops handles SSL these days, but the 3 providers we buy certs from are : 1) Geotrust 2) Digicert (backup, not very frequent) 3) Thawte (backup, not very frequent) Do you need any more information?
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields
OK to given those 3 vendors, the list of keys to be pinned is (by Cert name in the certdb is) : "Equifax Secure CA", "GeoTrust Primary Certification Authority", "GeoTrust Global CA", "GeoTrust Global CA 2", "GeoTrust Universal CA", "GeoTrust Universal CA 2", "GeoTrust Primary Certification Authority - G2", "GeoTrust Primary Certification Authority - G3", "DigiCert High Assurance EV Root CA", "DigiCert Assured ID Root CA", "DigiCert Global Root CA", "thawte Primary Root CA", "thawte Primary Root CA - G2", "thawte Primary Root CA - G3" I did not included the MD5 signed (1024) entries of "Thawthe Consulting cc". This list is kind of big (14 entries) but is a good place to start. Do you think of any of these keys that we can remove? (do we use ECC or plan to use it in the medium future 1-2 years?)
So I just found out that addons.mozilla.org does is not signed by this set. It is currently signed by verisign (VeriSign Class 3 Public Primary Certification Authority - G5). Similar with addons.mozilla.net which seems to be signed by 'GTE CyberTrust Global Root' (via akamai 'Akamai Subordinate CA '). So it seems the we have more vendors. So, expanding the question: what parts of our domains use cdn? and what cdns are these?
CC'ing Jake for CDNs and Jeremy for AMO
SSL CDNs are always Akamai or Edgecast (possibly Highwinds in the future). You could check the certs for them at the following hostnames: wildcard.cdn.mozilla.net.edgekey.net (Akamai) cs6.adn.edgecastcdn.net (Edgecast) We host static content on CDN (mostly: CSS, JS, Images). Nothing on our CDNs should require authentication or cookies to access. However, this is obviously quite enough to massively break a site if the CDN is unavailable for some reason. Note however that these certs are beyond our control. It's possible they could be changed to a new signing CA (or perhaps a new intermediate CA) without our direct involvement. One fear I have with this is what might happen if we change our cert vendor (or our CDN providers change theirs). If someone needs to be notified about that, we should do something to make sure it's very very obvious that that person/group needs to be notified. The expectation is that as long as a site has a valid/non-revoked certificate, it should work just fine. This sounds like it breaks that expectation... if so, we need to be exceedingly careful that any such change is well-planned-for.
I'm guessing you got the info you needed and this can be closed now... if not, please re-open. Thanks!
Assignee: server-ops-webops → nmaul
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
This is what we agreed upon.
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: