122
edits
Security/CryptoEngineering/Intermediate Preloading: Difference between revisions
Security/CryptoEngineering/Intermediate Preloading (view source)
Revision as of 03:54, 11 November 2020
, 11 November 2020Reference it being online for all users.
(Updates for Firefox 75) |
(Reference it being online for all users.) |
||
| Line 1: | Line 1: | ||
= Intermediate CA Preloading = | = Intermediate CA Preloading = | ||
In | In Firefox users are benefiting from a new feature called Intermediate CA Preloading which reduces the number of secure connection errors that users run into when web servers forget to properly configure their TLS response. | ||
In [https://bugzilla.mozilla.org/show_bug.cgi?id=1404934 Bug 1404934] we've added support to download the Intermediate Certificate Authorities that have been disclosed to the [[CA|Mozilla CA Root Program]] from [https://www.kinto-storage.org/ Kinto] in the background during normal Firefox operation. | In [https://bugzilla.mozilla.org/show_bug.cgi?id=1404934 Bug 1404934] we've added support to download the Intermediate Certificate Authorities that have been disclosed to the [[CA|Mozilla CA Root Program]] from [https://www.kinto-storage.org/ Kinto] in the background during normal Firefox operation. | ||
| Line 31: | Line 31: | ||
== How it works == | == How it works == | ||
Intermediate Preloading fetches | Intermediate Preloading fetches all new or updated intermediate certificate authorities' certificates once a day during the Kinto main update [2], and loads them into your profile, as if you had visited a site that used that intermediate [3]. | ||
The certificate data is loaded into the NSS Certificate Database, as is done for normal web browsing. In the future, we will use the faster Rust "rkv" database, in [https://bugzilla.mozilla.org/show_bug.cgi?id=1530545 Bug 1530545]. | The certificate data is loaded into the NSS Certificate Database, as is done for normal web browsing. In the future, we will use the faster Rust "rkv" database, in [https://bugzilla.mozilla.org/show_bug.cgi?id=1530545 Bug 1530545]. | ||
| Line 53: | Line 53: | ||
[1] The WebPKI generally has one root CA certificate, one intermediate CA certificate, and then one end-entity (specific website) certificate. Sometimes there can be more than one intermediate CA certificate, potentially much more than one. (https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=188088012) | [1] The WebPKI generally has one root CA certificate, one intermediate CA certificate, and then one end-entity (specific website) certificate. Sometimes there can be more than one intermediate CA certificate, potentially much more than one. (https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=188088012) | ||
[2] | [2] It's 5000/day is configurable by a pref (security.remote_settings.intermediates.downloads_per_poll). See https://bugzilla.mozilla.org/show_bug.cgi?id=1667930 for the update to 5000. | ||
[3] The data is loaded from Kinto here: | [3] The data is loaded from Kinto here: | ||
https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/intermediates/records . This data is exported from the [https://ccadb.org/ Common CA Database] maintained by the Mozilla root program. The [https://github.com/mozilla/moz_crlite_query/ moz-crlite-query] Python tool downloads the Intermediate CA data and can be used as a quick reference. | https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/intermediates/records . This data is exported from the [https://ccadb.org/ Common CA Database] maintained by the Mozilla root program. The [https://github.com/mozilla/moz_crlite_query/ moz-crlite-query] Python tool downloads the Intermediate CA data and can be used as a quick reference. | ||