Security/CryptoEngineering/Intermediate Preloading: Difference between revisions

Jump to navigation Jump to search

Security/CryptoEngineering/Intermediate Preloading (view source)

Revision as of 07:39, 2 May 2020

42 bytes added ,  2 May 2020
Updates for Firefox 75
(Fix kinto link and add a link to https://github.com/mozilla/moz_crlite_query/)
(Updates for Firefox 75)
Line 5: Line 5:
In [https://bugzilla.mozilla.org/show_bug.cgi?id=1404934 Bug 1404934] we've added support to download the Intermediate Certificate Authorities that have been disclosed to the [[CA|Mozilla CA Root Program]] from [https://www.kinto-storage.org/ Kinto] in the background during normal Firefox operation.  
In [https://bugzilla.mozilla.org/show_bug.cgi?id=1404934 Bug 1404934] we've added support to download the Intermediate Certificate Authorities that have been disclosed to the [[CA|Mozilla CA Root Program]] from [https://www.kinto-storage.org/ Kinto] in the background during normal Firefox operation.  


This is currently only enabled for Nightly and Beta users on desktop platforms. (January 2020)
This mechanism shipped to release on desktop platforms in Firefox 75.


Remaining work is being tracked by [https://bugzilla.mozilla.org/show_bug.cgi?id=1535662 Bug 1535662].
Follow-on work is being tracked by [https://bugzilla.mozilla.org/show_bug.cgi?id=1535662 Bug 1535662].


== What it does ==
== What it does ==
Line 31: Line 31:
== How it works ==
== How it works ==


Intermediate Preloading fetches ~100 intermediate certificate authorities' certificates once a day during the Kinto main update [2], and loads them into your profile, as if you had visited a site that used that intermediate. At 100 per day, summing to between 300-500 kB, it will take approximately three weeks for a Firefox profile to preload all intermediates [3]. We will likely increase the rate after the initial experiments.
Intermediate Preloading fetches ~100 intermediate certificate authorities' certificates once a day during the Kinto main update [2], and loads them into your profile, as if you had visited a site that used that intermediate. At 100 per day, summing to between 300-500 kB, it will take approximately three weeks for a Firefox profile to preload all intermediates [3]. We may increase the rate at a later time.


The certificate data is loaded into the NSS Certificate Database, as is done for normal web browsing. In the future, we will use the faster Rust "rkv" database, in [https://bugzilla.mozilla.org/show_bug.cgi?id=1530545 Bug 1530545].
The certificate data is loaded into the NSS Certificate Database, as is done for normal web browsing. In the future, we will use the faster Rust "rkv" database, in [https://bugzilla.mozilla.org/show_bug.cgi?id=1530545 Bug 1530545].


Currently preloading is only enabled for desktop users on Nightly. We will want to restrict the download to be only over WiFi before enabling on mobile.  
Currently preloading is only enabled for desktop users. We will want to restrict the download to be only over WiFi before enabling on mobile.  


== Expected Results ==
== Expected Results ==


Intermediate Preloading should reduce the number of SEC_ERROR_UNKNOWN_ISSUER errors seen by Firefox users over time, which is our most common error.  
Intermediate Preloading reduces the number of SEC_ERROR_UNKNOWN_ISSUER errors seen by Firefox users over time, which is our most common error.  


Telemetry for Intermediate Preloading is available in the histograms:
Telemetry for Intermediate Preloading is available in the histograms:
Line 53: Line 53:
[1] The WebPKI generally has one root CA certificate, one intermediate CA certificate, and then one end-entity (specific website) certificate. Sometimes there can be more than one intermediate CA certificate, potentially much more than one. (https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=188088012)  
[1] The WebPKI generally has one root CA certificate, one intermediate CA certificate, and then one end-entity (specific website) certificate. Sometimes there can be more than one intermediate CA certificate, potentially much more than one. (https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=188088012)  


[2] 100/day is configurable by a pref, it is likely to change. See https://searchfox.org/mozilla-central/source/security/manager/ssl/security-prefs.js#166 .
[2] 100/day is configurable by a pref (security.remote_settings.intermediates.downloads_per_poll), it is likely to change. See https://searchfox.org/mozilla-central/rev/710d6e1015d03343b067b92e6f1f775a0b1cad6f/security/manager/ssl/RemoteSecuritySettings.jsm#30 .


[3] The data is loaded from Kinto here:
[3] The data is loaded from Kinto here:
https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/intermediates/records . This data is exported from the [https://ccadb.org/ Common CA Database] maintained by the Mozilla root program. The [https://github.com/mozilla/moz_crlite_query/ moz-crlite-query] Python tool downloads the Intermediate CA data and can be used as a quick reference.
https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/intermediates/records . This data is exported from the [https://ccadb.org/ Common CA Database] maintained by the Mozilla root program. The [https://github.com/mozilla/moz_crlite_query/ moz-crlite-query] Python tool downloads the Intermediate CA data and can be used as a quick reference.
Jcjones
122

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1226736"

Navigation menu