Security/Features/CA pinning functionality

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Status

CA Pinning
Stage Development
Status In progress
Release target `
Health OK
Status note Depends on enabling libpkix by default. The feature will land one relase after the pkix landing.

Team

Product manager Sid Stamm
Directly Responsible Individual Camilo Viecco
Lead engineer Camilo Viecco
Security lead Curtis Koenig
Privacy lead Sid Stamm
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members Gervase Markham

Open issues/risks

`

Stage 1: Definition

1. Feature overview

Now they can require HTTPS connections (via HSTS), sites may want to also restrict the CAs who can issue certificates for their domain to a small number (> 1) that they trust. This can be accomplished via providing a list of certificate fingerprints, at least one of which must be present in any chain considered valid for the domain. This is rather like what Chrome has done [1] except we would not be managing a static list of anchors.

2. Users & use cases

CA Foo is compromised and grants a certificate for example.com to an attacker. The owners of example.com have their site pinned to certificates from CAs Bar and Baz, so when the attacker attempts to use the certificate from CA Foo, he fails to satisfy the pinning requirement. Any users presented with his certificate will not have access to the fraudulent connection (hard fail).

The spec does not necesaily ping the CA, it pins a subset of keys so that at least one of the keys pinned must be in the CA list of the certificate.

3. Dependencies

HSTS. This feature should not be tied to HSTS, but the two technologies should work together.

4. Requirements

Google has had CA pinning for a while; we should talk to them about their experience and any risks/problems with current proposals. (We need to separate issues with having a hard-coded list, which we aren't planning to do, from issues with the idea of pinning itself.)

Non-goals

  • Replacing the existing x.509 PKI infrastructure. (This is a refinement.)
  • Enabling pinning without also requiring HTTPS (see section 6.5 of spec)

Stage 2: Design

5. Functional specification

It will be deployed in two pushes:

  1. Do built in pins.
  2. Allow website pin data as the ietf draft

See https://tools.ietf.org/html/draft-evans-palmer-key-pinning .

However we need to get clarification on several issues including: 1. What do do when muliple headers are found (?) 2. What is the benefit for the requirement that the backup key must NOT be in the chain?

To allow for self MIM the pinning feature will provide three enforcement levels (it will always be calculated) 0: Ignore pinning, ie allow connectionw with failed pin data. (calculate but store result somewhere internally) Hopefully we can put some UX to reflect failed pins, but this is outside of the current scope. 1. (the default) Ignore Pinning IF the trust anchor is not a built in CA. 2. Strict enforcement.

6. User experience design

The draft recommends that users have ways of querying which domains are pinned. We need to consider whether we think this is necessary and, if so, how to do it. (Perhaps integrated with the history view?) No UI will be provided to change the enforcement level.

If site access is denied, we will need a screen explaining why. (There will be no override, as per spec.)

We should already have mechanisms for clearing stored HSTS information when the user clears their history; pin information should go with it.

Stage 3: Planning

7. Implementation plan

The pinning data will be stored as a site pref. And it will be implemented in a way similar to STS. The first stage would be to enhance the preferences to be able to store blobs or strings.

Shall this be included in the STS .idl file? Dont know yet.

We shall notice that this is an HTTP extension. Not an TLS/SSL extension.

There are 3 parts fo the implementation: 1. Enhance permission manager to include strings for storage (https://bugzilla.mozilla.org/show_bug.cgi?id=744212 ) 2. Ability to "Note" a pinning when presented over an error free TLS connection 3. Ability to use the permission manager at chain building time to ensure a valid (from the pinning perspective planner exists).

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

This will require a lot of QA, in particular due to the built-in roots. Will need non trivial collaboration with QA.

Operations review

`

Stage 4: Development

9. Implementation

So we have two bugs created now: https://bugzilla.mozilla.org/show_bug.cgi?id=744212 (this one is waiting for review) and https://bugzilla.mozilla.org/show_bug.cgi?id=744204

Stage 5: Release

10. Landing criteria

This feature depends on using libpkix for functionality.


Feature details

Priority P1
Rank 999
Theme / Goal TLS Hardening
Roadmap Security
Secondary roadmap `
Feature list `
Project `
Engineering team Security

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `