We have a fancy new cert pinning mechanism: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning GMPInstallManager.jsm shouldn't be checking against manually pinned certs specified in prefs anymore.

Is the new cert-pinning system already fatal, or is it still in warning/advisory mode? We would need a proper fatal pin for aus4.mozilla.org, and per bug 1052374 we may not want to fatally pin app updates ever, certainly not yet.

Hi folks, Pinning is in test mode (not fatal) for aus4 currently. After talking to Robert Strong we decided to delay pinning any updaters. The message from him was that origin checks were sufficiently strong by delivering signed MAR files (not yet available on all platforms) and that additional pinning checks may cause more hassle than they were worth. Some people felt that pinning checks provided additional benefit in case where an attacker could suppress or fake empty update responses. However that's an incremental benefit at best over "you know who you are talking to". It might be worth revisiting this decision now that we are in 34 (we had that conversation in 32). You can see from http://people.mozilla.org/~mchew/pinning_dashboard/ how well aus4 is doing (between 1-3 in 10K failures in Nightly, significantly more in Aurora for some reason -- and I need to update the dashboard for Beta). However we are enforcing fatal pins starting in 34 for accounts.firefox.com which has similarly high violations rates and have had no complaints thus far. Thanks, Monica

Hey Robert, Maybe it's time to revisit the decision not to pin the updater. I still agree with you that the reduction on the attack surface is minimal considering that MARs are signed. However, if the alternative is that people roll their own (http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/GMPInstallManager.jsm#520) then surely turning on proper pinning is better. There are around 1-3 failures/10K in Nightly. What do you think? Thanks, Monica

(In reply to [:mmc] Monica Chew (please use needinfo) from comment #3) > Hey Robert, > > Maybe it's time to revisit the decision not to pin the updater. I still > agree with you that the reduction on the attack surface is minimal > considering that MARs are signed. However, if the alternative is that people > roll their own > (http://mxr.mozilla.org/mozilla-central/source/toolkit/modules/ > GMPInstallManager.jsm#520) then surely turning on proper pinning is better. > There are around 1-3 failures/10K in Nightly. What do you think? > > Thanks, > Monica Hi Monica, I am fairly certain that I brought this up during the review or discussions for the GMP code and due to the timeframe that this needed to be done in it was decided to come back around and do this for GMP. As for app update, the plan as you and I discussed should still be the path forward. Brian, did you file a bug for using pinned certs for GMP? Thanks, Robert

Meh... this is the bug for that :)

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #5) > Meh... this is the bug for that :) Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1063111 anyway :)

(In reply to [:mmc] Monica Chew (please use needinfo) from comment #6) > (In reply to Robert Strong [:rstrong] (use needinfo to contact me) from > comment #5) > > Meh... this is the bug for that :) > > Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1063111 anyway :) Sorry, I think I misunderstood what you meant. That bug will be a wontfix and we won't be taking comment 0's approach.

What approach should this bug take then?

We can either use a separate host for this and pin it separately from aus4.mozilla.org, or we can sign the update manifest as content instead of relying on SSL.

rhelmer, this is related to what we discussed over irc today.