Closed
Bug 776746
Opened 12 years ago
Closed 12 years ago
Mozilla CA lists
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cviecco, Assigned: nmaul)
Attachments: 1 file (6.33 KB, application/json)
To improve security of our products we are implementing CA pinning (https://bugzilla.mozilla.org/show_bug.cgi?id=744204) (it is actually public key pinning). In its first stage (built-in pins only) we are hoping to include mozilla.org sites (including b2g and persona) into the built-in pin list.
So I would like to know what CAs we use, so that the list is both comprehensive of the sites that we would like to be pinned and ensures we have flexibility (able to change CA) if necessary.
Comment 1•12 years ago
Shyam,
Do you have this list?
Comment 2•12 years ago
Webops handles SSL these days, but the 3 providers we buy certs from are:
1) GeoTrust
2) DigiCert (backup, not very frequent)
3) Thawte (backup, not very frequent)
Do you need any more information?
Updated•12 years ago
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields
Reporter
Comment 3•12 years ago
OK, so given those 3 vendors, the list of keys to be pinned (by cert name in the certdb) is:
"Equifax Secure CA",
"GeoTrust Primary Certification Authority",
"GeoTrust Global CA",
"GeoTrust Global CA 2",
"GeoTrust Universal CA",
"GeoTrust Universal CA 2",
"GeoTrust Primary Certification Authority - G2",
"GeoTrust Primary Certification Authority - G3",
"DigiCert High Assurance EV Root CA",
"DigiCert Assured ID Root CA",
"DigiCert Global Root CA",
"thawte Primary Root CA",
"thawte Primary Root CA - G2",
"thawte Primary Root CA - G3"
I did not include the MD5 signed (1024) entries of "Thawte Consulting cc". This list is kind of big (14 entries) but is a good place to start. Can you think of any of these keys that we can remove? (Do we use ECC or plan to use it in the medium future, 1-2 years?)
Reporter
Comment 4•12 years ago
So I just found out that addons.mozilla.org is not signed by this set. It is currently signed by VeriSign (VeriSign Class 3 Public Primary Certification Authority - G5).
Similar with addons.mozilla.net, which seems to be signed by 'GTE CyberTrust Global Root' (via Akamai 'Akamai Subordinate CA ').
So it seems that we have more vendors. So, expanding the question: what parts of our domains use a CDN, and what CDNs are these?
Comment 5•12 years ago
CC'ing Jake for CDNs and Jeremy for AMO
Assignee
Comment 6•12 years ago
SSL CDNs are always Akamai or Edgecast (possibly Highwinds in the future). You could check the certs for them at the following hostnames:
wildcard.cdn.mozilla.net.edgekey.net (Akamai)
cs6.adn.edgecastcdn.net (Edgecast)
We host static content on CDN (mostly: CSS, JS, Images). Nothing on our CDNs should require authentication or cookies to access. However, this is obviously quite enough to massively break a site if the CDN is unavailable for some reason.
Note however that these certs are beyond our control. It's possible they could be changed to a new signing CA (or perhaps a new intermediate CA) without our direct involvement.
One fear I have with this is what might happen if we change our cert vendor (or our CDN providers change theirs). If someone needs to be notified about that, we should do something to make sure it's very very obvious that that person/group needs to be notified. The expectation is that as long as a site has a valid/non-revoked certificate, it should work just fine. This sounds like it breaks that expectation... if so, we need to be exceedingly careful that any such change is well-planned-for.
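The coverage question raised in Comments 3 to 6, as an added example that is not part of the original thread or of Mozilla's code: before a built-in pin list ships, audit which hosts would hard-fail under it, and re-run the audit for a CA change. It assumes pins are SHA-256 hashes of each CA's SubjectPublicKeyInfo; the SPKI bytes, the host `www.example.test` and the leaf names are constructed placeholders.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def fake_spki(ca_name: str) -> bytes:
    # Constructed stand-in for a CA's real SubjectPublicKeyInfo bytes.
    return b"constructed-spki:" + ca_name.encode()

# Subset of the CA names proposed for the pin list in Comment 3.
PINNED_CAS = ["GeoTrust Global CA", "DigiCert High Assurance EV Root CA",
              "thawte Primary Root CA"]
PINSET = {spki_pin(fake_spki(n)) for n in PINNED_CAS}

# Constructed chains, leaf first. Issuers for the two addons hosts follow
# Comment 4; the first host and its chain are hypothetical.
CHAINS = {
    "www.example.test": ["leaf www", "GeoTrust Global CA"],
    "addons.mozilla.org": ["leaf amo", "VeriSign Class 3 Public Primary Certification Authority - G5"],
    "addons.mozilla.net": ["leaf cdn", "Akamai Subordinate CA", "GTE CyberTrust Global Root"],
}

def chain_passes(chain_names, pinset):
    """A chain passes if ANY certificate's public key in it matches a pin."""
    return any(spki_pin(fake_spki(n)) in pinset for n in chain_names)

def audit(chains, pinset):
    """Return the hosts that would hard-fail if this pin set were enforced."""
    return sorted(h for h, c in chains.items() if not chain_passes(c, pinset))

def audit_after_reissue(chains, pinset, host, new_chain):
    """Re-run the audit as if `host` had been reissued under `new_chain`."""
    return audit({**chains, host: new_chain}, pinset)

if __name__ == "__main__":
    print("would break today:", audit(CHAINS, PINSET))
    # Scenario from Comment 6: a vendor change the pin owners never heard about.
    print("after CA switch:", audit_after_reissue(
        CHAINS, PINSET, "www.example.test", ["leaf www", "Some Unpinned Root"]))
```

With real data, the chains would come from the served certificates of each host and the pins from the CA certificates in the certdb.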
Assignee
Comment 7•12 years ago
I'm guessing you got the info you needed and this can be closed now... if not, please re-open. Thanks!
Assignee: server-ops-webops → nmaul
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 8•12 years ago
This is what we agreed upon.
Updated•11 years ago
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard