SecurityEngineering/Public Key Pinning/ReleaseEngineering

From MozillaWiki

Whom to contact in case of emergency

  • Mozilla: pinning@mozilla.org or security@mozilla.org (last resort)
  • Google: pki-contact@google.com or agl or security@google.com (last resort)
  • Dropbox: April King (aprilking@dropbox.com)
  • Facebook: Scott Renfro (srenfro@fb.com)

Implementation status

Pinning is enabled by default in Nightly 32.

What critical Mozilla properties are we planning to pin?

  • AMO
  • aus4 is under question. We have a meeting with rstrong to discuss what benefits, if any, pinning provides over verifying the signature on the actual binaries and requiring that those come from a known issuer. The drawback of pinning the updater is that we may break ourselves.

How to roll back pinning for Firefox

Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can:

  1. Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible.
  2. Push a chemspill. In case pinning breaks aus4, this will not be possible.
  3. Wait 8 or 10 weeks until the pinset expires once it reaches stable (bug 1012875), during which time users will not be able to reach sites that are pinned incorrectly.
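
Because the rollback is a single pref, a profile left at 0 after an emergency has no pinning at all. The following is an added example, not Mozilla's code: a check that reads the pref from a profile's prefs.js and user.js text and reports the effective value. It assumes the usual Firefox profile behaviour that user.js is applied over prefs.js at startup; the function names and the sample file contents are constructed for illustration.

```python
import re

PREF = "security.cert_pinning.enforcement_level"
# Matches an uncommented line of the form: user_pref("<PREF>", <int>);
_LINE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)

def pref_value(text):
    """Return the last integer assigned to PREF in a prefs file, or None."""
    hits = _LINE.findall(text)
    return int(hits[-1]) if hits else None

def effective_level(prefs_js, user_js=""):
    """Return (value, source). user.js wins when it sets the pref (assumed precedence)."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = pref_value(text)
        if value is not None:
            return value, source
    # Pref not set anywhere: the build's default applies.
    return None, "default"

def pinning_disabled(prefs_js, user_js=""):
    """True only when the effective value is 0, the 'disabled' value named above."""
    value, _ = effective_level(prefs_js, user_js)
    return value == 0

# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.cert_pinning.enforcement_level", 2);
'''
SAMPLE_USER = '''\
// user_pref("security.cert_pinning.enforcement_level", 1);
user_pref("security.cert_pinning.enforcement_level", 0);
'''

if __name__ == "__main__":
    print(effective_level(SAMPLE_PREFS))               # value read from prefs.js
    print(effective_level(SAMPLE_PREFS, SAMPLE_USER))  # user.js override
    print(pinning_disabled(SAMPLE_PREFS, SAMPLE_USER))
```
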

How long do updates take?

  • Hotfix: almost all users in 2 days
  • Chemspill: unknown
  • Fennec (Google Play): majority of users in 2 days

What about other platforms besides desktop?

In bug 1012882, we decided to not pin on b2g right now, and (maybe) to wait for a couple of cycles to pin on Fennec.