Security/Features/SSL Error Reporting: Difference between revisions

Jump to navigation Jump to search

Security/Features/SSL Error Reporting (view source)

Revision as of 17:23, 21 May 2013

210 bytes added ,  21 May 2013
no edit summary
No edit summary
No edit summary
Line 16: Line 16:


Another use case will be when [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Certificate Pinning] is available. When the set of keys in the certificate chain do not intersect with the set of keys 'pinned' in the browser, then an alert will be generated and sent to Mozilla to be stored and analyzed. There may be some false alarms, but if a real issue (such as MITM) is identified, the security-group should be alerted for further action.
Another use case will be when [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Certificate Pinning] is available. When the set of keys in the certificate chain do not intersect with the set of keys 'pinned' in the browser, then an alert will be generated and sent to Mozilla to be stored and analyzed. There may be some false alarms, but if a real issue (such as MITM) is identified, the security-group should be alerted for further action.
|Feature dependencies=This feature is not dependent on anything else, but [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Certificate Pinning] will need this capability.
|Feature dependencies=Not necessarily a dependency, but need to keep in mind:
* There's an [http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04#section-3 IETF key-pinning draft] in the works that can report pinning errors. See {{Bug|846501#c5}}.
* [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Certificate Pinning] will need this capability.
 
|Feature requirements=The user should opt-in to send the information to Mozilla.
|Feature requirements=The user should opt-in to send the information to Mozilla.
Enough information needs to be sent to Mozilla to reproduce or sufficiently analyze the problem.
Enough information needs to be sent to Mozilla to reproduce or sufficiently analyze the problem.
Line 25: Line 28:
# Update the "Untrusted Connection" error page to add the option to report the error to Mozilla.
# Update the "Untrusted Connection" error page to add the option to report the error to Mozilla.
# Possible separate user interface for when a [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Certificate Pinning] violation is caught?
# Possible separate user interface for when a [https://wiki.mozilla.org/Security/Features/CA_pinning_functionality Certificate Pinning] violation is caught?
|Feature implementation plan=# Look into using Bagheera to return the necessary information:
|Feature implementation plan=# Implement the capability to return the necessary information (Look into using Bagheera.)
#* Entire certificate chain as sent by server
#* Entire certificate chain as sent by server
#* Domain of bad connection
#* Domain of bad connection
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/658764"

Navigation menu