SecurityEngineering/Public Key Pinning/ReleaseEngineering: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(remove stale references to Twitter, seceng@mozilla.org) |
||
| (19 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
== Whom to contact in case of emergency == | == Whom to contact in case of emergency == | ||
* Mozilla: pinning@mozilla.org or security@mozilla.org (last resort) | |||
* Google: pki-contact@google.com or agl or security@google.com (last resort) | |||
* Dropbox: April King (aprilking@dropbox.com) | |||
* Facebook: Scott Renfro (srenfro@fb.com) | |||
== Implementation status == | == Implementation status == | ||
| Line 7: | Line 10: | ||
== What critical Mozilla properties are we planning to pin? == | == What critical Mozilla properties are we planning to pin? == | ||
* AMO | * AMO | ||
* aus4 is under question. We have a meeting with rstrong to discuss what, if any, benefits pinning provides over verifying the signature on the actual binaries and requiring those come from a known issuer. The drawback of pinning the updater is that we may break ourselves. | |||
== How to rollback pinning for Firefox == | == How to rollback pinning for Firefox == | ||
Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can | |||
# Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible. | # Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible. | ||
# Push a chemspill. | # Push a chemspill. In case pinning breaks aus4, this will not be possible. | ||
# {{bug|1012875}} Wait 8 or 10 weeks until the pinset expires once it reaches stable, during which time users will not be able to reach sites that are pinned incorrectly. | |||
== How long do updates take? == | |||
* Hotfix: almost all users in 2 days | |||
* Chemspill: unknown | |||
* Fennec (Google play): Majority users in 2 days | |||
== What about other platforms besides desktop? == | |||
In {{bug|1012882}}, we decided to not pin on b2g right now, and (maybe) to wait for a couple of cycles to pin on Fennec. | |||
Latest revision as of 17:05, 21 April 2023
Whom to contact in case of emergency
- Mozilla: pinning@mozilla.org or security@mozilla.org (last resort)
- Google: pki-contact@google.com or agl or security@google.com (last resort)
- Dropbox: April King (aprilking@dropbox.com)
- Facebook: Scott Renfro (srenfro@fb.com)
Implementation status
Pinning is enabled by default in Nightly 32.
What critical Mozilla properties are we planning to pin?
- AMO
- aus4 is under question. We have a meeting with rstrong to discuss what, if any, benefits pinning provides over verifying the signature on the actual binaries and requiring those come from a known issuer. The drawback of pinning the updater is that we may break ourselves.
How to rollback pinning for Firefox
Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can
- Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible.
- Push a chemspill. In case pinning breaks aus4, this will not be possible.
- bug 1012875 Wait 8 or 10 weeks until the pinset expires once it reaches stable, during which time users will not be able to reach sites that are pinned incorrectly.
How long do updates take?
- Hotfix: almost all users in 2 days
- Chemspill: unknown
- Fennec (Google play): Majority users in 2 days
What about other platforms besides desktop?
In bug 1012882, we decided to not pin on b2g right now, and (maybe) to wait for a couple of cycles to pin on Fennec.