SecurityEngineering/Public Key Pinning/ReleaseEngineering: Difference between revisions

Latest revision as of 17:05, 21 April 2023

Pinning is enabled by default in Nightly 32.

AMO
aus4 is under question. We have a meeting with rstrong to discuss what, if any, benefits pinning provides over verifying the signature on the actual binaries and requiring those come from a known issuer. The drawback of pinning the updater is that we may break ourselves.

Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can

Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible.
Push a chemspill. In case pinning breaks aus4, this will not be possible.
bug 1012875 Wait 8 or 10 weeks until the pinset expires once it reaches stable, during which time users will not be able to reach sites that are pinned incorrectly.

In bug 1012882, we decided to not pin on b2g right now, and (maybe) to wait for a couple of cycles to pin on Fennec.

@@ Line 1: / Line 1: @@
 == Whom to contact in case of emergency ==
-* Mozilla: pinning@mozilla.org, seceng@mozilla.org, or security@mozilla.org (last resort)
+* Mozilla: pinning@mozilla.org or security@mozilla.org (last resort)
-* Twitter: ''need contact, Neil's not at Twitter'' <s>Neil Matatall</s>
 * Google: pki-contact@google.com or agl or security@google.com (last resort)
-* Dropbox: aprilking@dropbox.com
+* Dropbox: April King (aprilking@dropbox.com)
 * Facebook: Scott Renfro (srenfro@fb.com)