Open
Bug 1310959
Opened 8 years ago
Updated 2 years ago
add user interface for hpkp (http public key pinning)
Categories
(Firefox :: Security, enhancement, P3)
Tracking
UNCONFIRMED
People
(Reporter: lists, Unassigned)
References
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160922113459
Steps to reproduce:
Updated a website certificate using a NEW private key, which means a new HSTS pin required.
Actual results:
Website updated OK
Firefox fails with MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
But Chrome works OK
Expected results:
Firefox should have option to delete out of date pin, and restart the pin learning process. At the moment there seems to be no UI (not in history etc) to do this in any reasonable way. It's quite likely that a new cert will involve a new private key (if you're being secure, that is). Timeouts are typically long.
In the end I had to mess about and manually edit SiteSecurityServiceState.txt to remove the old record per this
https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/
Then it was OK!
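The failure the reporter hit, and the manual workaround, both come down to what the browser stores per host and how it checks a chain against it. The following is an added example, not Firefox code and not the linux-audit.com script: it models the HPKP check that produces MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE (at least one SubjectPublicKeyInfo in the validated chain must hash to a stored pin), parses records in the tab-separated layout assumed for SiteSecurityServiceState.txt in Firefox 49 (host:type, score, last-accessed day, then expireTime,state,includeSubdomains and the concatenated base64 SPKI hashes; that layout is an assumption), and performs the same "drop the stale HPKP record" edit. The host name, the SPKI byte strings and the file contents are constructed sample data, not real DER.

```python
import base64
import hashlib
from dataclasses import dataclass

# Assumed SiteSecurityServiceState.txt layout (Firefox 49 era), one record per line:
#   <host>:<HSTS|HPKP> \t <score> \t <lastAccessedDay> \t <expireMs>,<state>,<includeSubdomains>[,<pins>]
# For HPKP, <pins> is the base64 SHA-256 SPKI hashes written back to back. A base64
# SHA-256 digest is always 44 characters, so the blob can be split by fixed width.
PIN_B64_LEN = 44


@dataclass
class HpkpRecord:
    host: str
    score: int
    last_accessed_day: int
    expire_time_ms: int
    state: int
    include_subdomains: bool
    pins: frozenset


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_record(line: str):
    """Return an HpkpRecord for an HPKP line; None for HSTS or blank lines."""
    line = line.rstrip("\n")
    if not line:
        return None
    key, score, day, state = line.split("\t")
    host, kind = key.rsplit(":", 1)
    if kind != "HPKP":
        return None
    expire, sec_state, inc_sub, pin_blob = state.split(",", 3)
    pins = frozenset(pin_blob[i:i + PIN_B64_LEN]
                     for i in range(0, len(pin_blob), PIN_B64_LEN))
    return HpkpRecord(host, int(score), int(day), int(expire),
                      int(sec_state), inc_sub == "1", pins)


def chain_matches_pinset(chain_spki_ders, record: HpkpRecord, now_ms: int) -> bool:
    """False is the MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE case: the chain already
    validated, but none of its SPKI hashes is in the stored pinset. An expired
    record pins nothing, so the check passes once expireTime has elapsed."""
    if record.expire_time_ms <= now_ms:
        return True
    presented = {spki_pin(der) for der in chain_spki_ders}
    return not presented.isdisjoint(record.pins)


def drop_hpkp_record(lines, host: str):
    """The reporter's manual fix: remove only this host's HPKP line, keep HSTS and other hosts."""
    return [ln for ln in lines if not ln.startswith(host + ":HPKP\t")]


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
OLD_LEAF_SPKI = b"constructed SPKI of the old leaf key"
BACKUP_SPKI = b"constructed SPKI of an offline backup key"
NEW_LEAF_SPKI = b"constructed SPKI of the rotated leaf key"
CA_SPKI = b"constructed SPKI of the issuing CA"

FUTURE_MS = 4102444800000  # 2100-01-01T00:00:00Z, so the sample pin is still live


def sample_state_file(pinned_spkis):
    """Constructed state file: one HSTS and one HPKP record for example.com, plus another host."""
    pin_blob = "".join(spki_pin(s) for s in pinned_spkis)
    return [
        "example.com:HSTS\t0\t17020\t%d,1,0\n" % FUTURE_MS,
        "example.com:HPKP\t0\t17020\t%d,1,0,%s\n" % (FUTURE_MS, pin_blob),
        "other.example:HSTS\t0\t17020\t%d,1,1\n" % FUTURE_MS,
    ]


def rotation_outcome(pinned_spkis, now_ms=0) -> bool:
    """Does a chain built on the rotated leaf key pass the stored pinset for example.com?"""
    record = next(r for r in map(parse_record, sample_state_file(pinned_spkis)) if r)
    return chain_matches_pinset([NEW_LEAF_SPKI, CA_SPKI], record, now_ms)


if __name__ == "__main__":
    # Pinset holds the old key and an unrelated backup: the rotated key fails, as in the report.
    print("rotated key vs old pinset:", rotation_outcome([OLD_LEAF_SPKI, BACKUP_SPKI]))
    # Pinset whose backup pin was the key that is now live: rotation passes without any UI.
    print("rotated key vs pinset with its backup:", rotation_outcome([OLD_LEAF_SPKI, NEW_LEAF_SPKI]))
    # The workaround: the HPKP line is gone, the HSTS lines stay.
    for ln in drop_hpkp_record(sample_state_file([OLD_LEAF_SPKI, BACKUP_SPKI]), "example.com"):
        print(ln, end="")
```

The two `rotation_outcome` calls show the operational point behind the report: a client that has a live, unexpired pinset cannot tell a legitimate key rotation from a substituted key, so the protocol expects the site to pre-publish a backup pin for the next key; without one the only client-side escapes are waiting for expireTime or deleting the record.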
The issue is that there's no user-friendly way to modify collected hpkp state in the browser. We could build some ui for this.
Component: Security: PSM → Preferences
Depends on: 1115712
Product: Core → Firefox
Summary: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE → add user interface for hpkp (http public key pinning)
Version: 49 Branch → unspecified
A couple more points:
- Current Apple Safari, like Chrome, handles this correctly (without user intervention).
- I think the reported error is actually wrong.
"The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset."
This is not true. There is a valid certificate chain, it's just that the browser is not using the current pin, it's sticking to the older one, and not replacing it with the current one. Fix this, and you don't need a UI to handle the situation.
(In reply to keynet from comment #0)
> Actual results:
>
> Website updated OK
> Firefox fails with MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
I think it's right.
> But Chrome works OK
Maybe you did not reload this page to bypass the cache? I can see this situation by using https://chrome.google.com/webstore/detail/pinpatrol/jenmooahjheolakpacikdlloalfaihef/ and distorting the dynamic_spki_hashes to simulate it. Chrome also provides an error page, reports the invalid cases by default (Firefox does it, but not by default), and does not allow it to be overridden.
> Expected results:
>
> Firefox should have option to delete out of date pin, and restart the pin
> learning process. At the moment there seems to be no UI (not in history etc)
> to do this in any reasonable way. It's quite likely that a new cert will
> involve a new private key (if you're being secure, that is). Timeouts are
> typically long.
I think it will violate the HPKP / HSTS rules and increase the user's risk for misuse.
> In the end I had to mess about and manually edit
> SiteSecurityServiceState.txt to remove the old record per this
> https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/
>
> Then it was OK!
https://addons.mozilla.org/firefox/addon/enforce-encryption/ and future add-ons that work like PinPatrol for Chrome.
I don't think it is a necessary UI for the general user, because it is a security-sensitive and rare demand.
Severity: normal → enhancement
Component: Preferences → Security
Updated•7 years ago
Priority: -- → P3
Comment 4•5 years ago
I think this can be closed because HPKP has been removed from Firefox, see bug #1412438.
Updated•2 years ago
Severity: normal → S3