SecurityEngineering/Public Key Pinning/SiteOperators: Difference between revisions

From MozillaWiki
Line 9: Line 9:


== How can you test your pins? ==
== How can you test your pins? ==
# Go to about:config and make sure that security.cert_pinning.enforcement_level = 1 (allow user-specified trust anchors to override pinning checks) or 2 (strict mode)
# Go to about:config and make sure that security.cert_pinning.enforcement_level = 1 (allow user-specified trust anchors to override pinning checks) or 2 (strict mode). There is an additional enforcement level, 3, for enforcing test pins if you'd like to enable that instead.
# Visit https://pinningtest.appspot.com to make sure you see a warning.
# Visit https://pinningtest.appspot.com to make sure you see a warning.
# Visit all your sites!
# Visit all your sites!
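
Review bot: the sentence added to step 1 after "(strict mode)" introduces enforcement level 3 "for enforcing test pins" without saying what test pins are or how level 3 differs from level 2, and the step still opens with "= 1 ... or 2" before offering 3 "instead". Suggest listing the three values together in one place, each with its one-line meaning, and stating which of them should produce the warning expected in step 2.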

Revision as of 16:41, 27 May 2014

Help, I need to change my pinset!

File a bug under the Core::Security:PSM component with changes to your pinset: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM&short_desc=%28pinset%20change%20request%29

How much notice do I need to give for pinset changes?

Firefox is on a 6-week cycle, with 4 different trains: Nightly, Aurora, Beta, Release. For the next merge date, please see RapidRelease/Calendar. We prefer not to make changes once Firefox is in Beta, and the current lifetime of the pinset in Release is 8 weeks. Therefore we need at least 14 weeks' notice for any pinset changes, preferably 20.

12 weeks is the absolute minimum amount of time we need to make changes.

How can you test your pins?

  1. Go to about:config and make sure that security.cert_pinning.enforcement_level = 1 (allow user-specified trust anchors to override pinning checks) or 2 (strict mode). There is an additional enforcement level, 3, for enforcing test pins if you'd like to enable that instead.
  2. Visit https://pinningtest.appspot.com to make sure you see a warning.
  3. Visit all your sites!