Open Bug 1181975 Opened 9 years ago Updated 2 years ago

Text explaining why HSTS errors can not be overridden should not be reused for pinning errors

Categories

(Firefox :: Security, defect, P3)

Tracking

()

REOPENED

People

(Reporter: Cykesiopka, Unassigned)

References

(Blocks 1 open bug)

Details

For the purpose of making the patch more uplift-friendly, the patch in Bug 1147497 reused the error text explaining why overrides for HSTS are not allowed. However, HSTS and HPKP are different things, so a separate message should be used for HPKP.
Component: Security: PSM → Security
Priority: P3 → --
Product: Core → Firefox
Whiteboard: [psm-cleanup]

I think we disabled public key pinning in bug 1412438, and tbh so much changed here that I think this can be seen as INVALID now.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

We still have the built-in static pins, though. I imagine most sites on that list are also on the HSTS preload list, but in theory a site could have a built-in pin set but not HSTS, and we should show the wrong error message. What do you think?

Flags: needinfo?(jhofmann)
Summary: Text explaining why HSTS errors can not be overridden should not be reused for HPKP errors → Text explaining why HSTS errors can not be overridden should not be reused for pinning errors

Fair enough :)

Status: RESOLVED → REOPENED
Flags: needinfo?(jhofmann)
Priority: -- → P3
Resolution: INVALID → ---
Severity: normal → S3