Closed
Bug 1088777
Opened 10 years ago
Closed 9 years ago
enable HPKP on support.mozilla.org
Categories
(support.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mmc, Assigned: nmaul)
References
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1138] )
+++ This bug was initially created as a clone of Bug #1088774 +++
Now that https://bugzilla.mozilla.org/show_bug.cgi?id=787133 is complete, Firefox 35 and higher supports public key pinning via the HPKP header. Jake Maul expressed a strong preference for this approach rather than the static pinning that we've had since FF 32.
This is a request to collect root CAs used by input.mozilla.org and any subdomains that it uses, and send the HPKP header as described here: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-12
For reference, our static pinning implementation is described here: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
The difference between pinning statically and dynamically is that we (pinning team) would require a 14 week lead time before root CA changes for static pinning. For dynamic pinning, pinning information is sent as an HTTP header that includes things like TTL, and no changes are required to Firefox to deprecate pins.
Comment 1•10 years ago
What info is needed from me here? I'm suspecting that Ricky might be able to provide better answers here, but I didn't see the question so I'm not sure. Ricky, you've got the ball. It's a colorful and playful one.
Thanks!
Flags: needinfo?(djst) → needinfo?(rrosario)
Comment 2•10 years ago
Passing this on to jakem because I see he was working on this for input. :)
Flags: needinfo?(rrosario) → needinfo?(nmaul)
Comment 3•10 years ago
Input is done, I'm setting this for SUMO dev/stage now.
Assignee: nobody → nmaul
Flags: needinfo?(nmaul)
Comment 4•10 years ago
Enabled on dev/stage, seems to be working for me, Firefox console/network is happy with the pinning.
@dougt: any comments here, or about HPKP in general? I'm not sure who in Engineering to talk to about this as :mmc is no longer with Mozilla... don't know if this was handed off to someone else, or if it's currently dead in the water. If the latter, I'd kinda like to roll it back off Input and SUMO and wait for Engineering to be interested in it again. I don't want those two sites to be "special" for no apparent reason. :)
Flags: needinfo?(dougt)
Key pinning is a great feature to protect visitors to our websites. We should use it as much as possible (given the caveat that it can be easy to accidentally DoS users if it isn't set up properly). I can be a resource if you need further input.
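The header the description asks for, together with the pre-deployment check behind the accidental-DoS caveat in the comment above, as an added example (not code from this bug or from Mozilla's SUMO/Input deployment). It follows RFC 7469, the published form of the draft the description links, and uses constructed placeholder bytes in place of real SubjectPublicKeyInfo DER; the max-age value is an assumption.

```python
"""Build and sanity-check a Public-Key-Pins (HPKP) header.

Added example, not code from this bug or from the SUMO/Input deployment.
The SPKI blobs passed in are constructed placeholder bytes standing in for
the DER SubjectPublicKeyInfo of real certificates; max-age is an assumption.
"""
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_hpkp_header(chain_spkis, backup_spkis, max_age, include_subdomains=False):
    """Pins for keys in the served chain plus backup pins for keys held offline."""
    parts = [f'pin-sha256="{spki_pin(s)}"' for s in chain_spkis + backup_spkis]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/]{43}=)"')  # 32-byte digest in base64

def check_hpkp_header(header: str, chain_spkis) -> list:
    """Problems to fix before enabling. A header failing these RFC 7469 conditions
    is ignored by the browser; a pin set that no longer matches the served chain
    locks out visitors who cached it (the accidental-DoS caveat raised in the thread)."""
    problems = []
    pins = set(_PIN_RE.findall(header))
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if len(pins) < 2:
        problems.append("need at least two pin-sha256 directives")
    if not pins & chain_pins:
        problems.append("no pin matches a key in the served chain")
    if not pins - chain_pins:
        problems.append("no backup pin (all pins match the served chain)")
    if not re.search(r"max-age=\d+", header):
        problems.append("max-age directive missing")
    return problems

if __name__ == "__main__":
    LEAF = b"constructed-leaf-spki-der"      # stands in for the live key's SPKI
    BACKUP = b"constructed-backup-spki-der"  # spare key kept offline, pinned in advance
    header = build_hpkp_header([LEAF], [BACKUP], 5184000, include_subdomains=True)
    print(header)
    print(check_hpkp_header(header, [LEAF]))
    # what happens if the key is rotated without first pinning the new one
    print(check_hpkp_header(header, [b"constructed-rotated-spki-der"]))
```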
Comment 6•9 years ago
I've enabled this on prod.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(dougt)
Resolution: --- → FIXED