SecurityEngineering/Public Key Pinning: Difference between revisions

← Older edit

SecurityEngineering/Public Key Pinning (view source)

Revision as of 20:11, 23 May 2024

568 bytes removed , 23 May 2024

→‎Implementation status: remove no-longer-pinned sites

Dkeeler

Confirmed users

299

edits

@@ Line 6: / Line 6: @@
 == Implementation status ==
-Firefox 32 and later has the ability to enforce built-in pinsets, or mappings of public key information to domains ({{bug|744204}}).
+Firefox 32 on desktop and later has the ability to enforce built-in pinsets, or mappings of public key information to domains ({{bug|744204}}).
-We will:
+Pinning is supported in Firefox 34 and later on Android.
-# Pin all of the sites that Chrome already does (Google, Twitter) by importing chromium's pinset.
-# Pin our own sites after auditing them and cleaning them up, so that our users know that the updates we serve actually come from us. The list of initial mozilla sites that are pinned is being tracked at: https://mana.mozilla.org/wiki/display/services/Mozilla+sites+SSL+Certificate+Authority+roots+sync+with+Gecko+Built-In+Pins
+We currently:
+# Pin all of the sites that Chrome already does (mainly Google sites) by importing chromium's pinset.
+# Pin our own sites after auditing them and cleaning them up.
 # Pin other popular sites like Facebook that are in good shape already (with their cooperation, of course)
-=== New sites pinned in Firefox 32 ===
+=== Currently-pinned Sites ===
-* Twitter: twitter.com, api.twitter.com, business.twitter.com, dev.twitter.com, mobile.twitter.com, oauth.twitter.com, platform.twitter.com, twimg.com, www.twitter.com
 * AMO: *.addons.mozilla.org, *.addons.mozilla.net
+* Firefox accounts: *.accounts.firefox.com
 * Mozilla CDN: *.cdn.mozilla.{org,net}, *.media.mozilla.com
-=== New sites pinned in Firefox 33 ===
-* Twitter: *.twitter.com (expanded coverage from 32)
 * Google: too many to list (see everything from https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json with the "google" pinset)
-=== New sites pinned in Firefox 34 ===
-* Firefox accounts: *.accounts.firefox.com
 * TOR
-=== New sites pinned in Firefox 35 ===
-* Dropbox: www.dropbox.com, dropbox.com
 Tracking bug for pinning all the things: {{bug|1004350}}
@@ Line 34: / Line 27: @@
 Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level
-. Pinning disabled
+* 0. Pinning disabled
-. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
+* 1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
-. Strict. Pinning is always enforced.
+* 2. Strict. Pinning is always enforced.
-. Enforce test mode.
+* 3. Enforce test mode.
 == More information ==
-[[SecurityEngineering/Public_Key_Pinning/SiteOperators]]
+* [[SecurityEngineering/Public_Key_Pinning/SiteOperators]]
-[[SecurityEngineering/Public_Key_Pinning/ReleaseEngineering]]
+* [[SecurityEngineering/Public_Key_Pinning/ReleaseEngineering]]
-Pinning dashboard: http://people.mozilla.org/~mchew/pinning_dashboard
+* [[SecurityEngineering/Public_Key_Pinning/Implementation_Details]]
 == Public Key Pinning Extension for HTTP ==