Status

Infrastructure & Operations
WebOps: Other
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: cviecco, Assigned: jakem)

Tracking

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
To improve security of our products we are implementing CA pinning (https://bugzilla.mozilla.org/show_bug.cgi?id=744204) (it is actually public key pinning). In its first stage (built-in pins only) we are hoping to include mozilla.org sites (including b2g and persona) into the built-in pin list.

So I would like to know what CA do we use so that the list is both comprehensive of the sites that we would like to be pinned and to ensure we have flexibility (able to change CA) if necessary.
(Reporter)

Updated

6 years ago
Depends on: 772756
Shyam,

Do you have this list?
Webops handles SSL these days, but the 3 providers we buy certs from are :

1) Geotrust
2) Digicert (backup, not very frequent)
3) Thawte (backup, not very frequent)

Do you need any more information?

Updated

6 years ago
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields
(Reporter)

Comment 3

6 years ago
OK to given those 3 vendors, the list of keys to be pinned is (by Cert name in the certdb is) :
        "Equifax Secure CA",
        "GeoTrust Primary Certification Authority",
        "GeoTrust Global CA",
        "GeoTrust Global CA 2",
        "GeoTrust Universal CA",
        "GeoTrust Universal CA 2",
        "GeoTrust Primary Certification Authority - G2",
        "GeoTrust Primary Certification Authority - G3",
        "DigiCert High Assurance EV Root CA",
        "DigiCert Assured ID Root CA",
        "DigiCert Global Root CA",
        "thawte Primary Root CA",
        "thawte Primary Root CA - G2",
        "thawte Primary Root CA - G3"

I did not included the MD5 signed (1024) entries of "Thawthe Consulting cc". This list is kind of big (14 entries) but is a good place to start. Do you think of any of these keys that we can remove? (do we use ECC or plan to use it in the medium future 1-2 years?)
(Reporter)

Comment 4

6 years ago
So I just found out that addons.mozilla.org does is not signed by this set. It is currently signed by verisign (VeriSign Class 3 Public Primary Certification Authority - G5).

Similar with addons.mozilla.net which seems to be signed by 'GTE CyberTrust Global Root' (via akamai 'Akamai Subordinate CA ').

So it seems the we have more vendors. So, expanding the question: what parts of our domains use cdn? and what cdns are these?
CC'ing Jake for CDNs and Jeremy for AMO
(Assignee)

Comment 6

6 years ago
SSL CDNs are always Akamai or Edgecast (possibly Highwinds in the future). You could check the certs for them at the following hostnames:

wildcard.cdn.mozilla.net.edgekey.net (Akamai)
cs6.adn.edgecastcdn.net (Edgecast)

We host static content on CDN (mostly: CSS, JS, Images). Nothing on our CDNs should require authentication or cookies to access. However, this is obviously quite enough to massively break a site if the CDN is unavailable for some reason.

Note however that these certs are beyond our control. It's possible they could be changed to a new signing CA (or perhaps a new intermediate CA) without our direct involvement.


One fear I have with this is what might happen if we change our cert vendor (or our CDN providers change theirs). If someone needs to be notified about that, we should do something to make sure it's very very obvious that that person/group needs to be notified. The expectation is that as long as a site has a valid/non-revoked certificate, it should work just fine. This sounds like it breaks that expectation... if so, we need to be exceedingly careful that any such change is well-planned-for.
(Assignee)

Comment 7

6 years ago
I'm guessing you got the info you needed and this can be closed now... if not, please re-open. Thanks!
Assignee: server-ops-webops → nmaul
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

6 years ago
Created attachment 653485 [details]
Current list list of dependencies.

This is what we agreed upon.
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.