consider removal of HTTP Public Key Pinning (HPKP)
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
()
People
(Reporter: dbaron, Assigned: keeler)
References
Details
(Keywords: dev-doc-complete, site-compat, Whiteboard: [psm-assigned])
Attachments
(1 file)
(deleted),
text/x-phabricator-request
|
Details |
Comment 1•7 years ago
|
||
Assignee | ||
Comment 2•7 years ago
|
||
Comment 3•7 years ago
|
||
Comment 6•6 years ago
|
||
Comment 8•6 years ago
|
||
neutral-position |
Assignee | ||
Comment 9•6 years ago
|
||
Comment 11•6 years ago
|
||
Comment 12•6 years ago
|
||
It will be removed in Chrome 72: https://www.chromestatus.com/feature/5903385005916160
We're updating Chrome's compat data here: https://github.com/mdn/browser-compat-data/pull/3175
Adding ddn to track if/when Firefox removes this.
Comment 13•6 years ago
|
||
Hello! Chrome 72 is Stable now. :)
Comment 14•5 years ago
|
||
We're pulling our HPKP toolset from https://report-uri.com as we're no longer supporting adoption of HPKP.
We're also looking to pull support for HPKP reports to further simplify our app, but it seems Firefox still supports it.
Is there an ETA on when/if Firefox will drop support?
Comment 15•5 years ago
|
||
A prominent Twitter user who reports on data breaches is having a problem with HPKP in Firefox:
https://twitter.com/pogowasright/status/1192874027750178818?s=21
The site, databreaches.net, sets a PKP header. It's working for me in Firefox 70 right now, but I guess for some people there is Pin Validation failure.
Comment 16•5 years ago
|
||
For anyone interested: There is a workaround in Firefox. In about:config, there is a setting called security.cert_pinning.enforcement_level. The default is 1; if you set it to 0, Firefox will skip pin validation and bricked sites should work again.
Comment 17•5 years ago
|
||
(Although I think that means Firefox might not do pin validation for static PKP, as opposed to dynamic/HPKP, as well. And that would be bad; you want that protection. I really hope Mozilla will remove HPKP and keep static pins.)
Comment 18•5 years ago
|
||
Yes, that's what setting that pref to 0 means: the feature is 100% off including preloads. We don't currently have an option to turn off the header parsing. We should at least put a pref switch on it, even if we're not ready to rip it out. Somewhere around here:
Comment 19•5 years ago
|
||
Preffing off header parsing would still leave us honoring previously-parsed headers until they expire (max 60 or 90 days?). If we can't live with that, but still want to honor built-in pins, then we'd have to do more work in the enforcement code.
Or just turn it all off with the pref we already have. Does enforcing internal pins buy us very much?
Comment 20•5 years ago
|
||
[Tracking Requested - why for this release]:
This seems to be a footgun in practice, and not just theory, and when it breaks it's "I don't know why Firefox doesn't work on my site, use another browser".
Comment 21•5 years ago
|
||
I do think enforcing static pins is valuable, yes. We have no plans to remove it from Chrome any time soon, for what it's worth.
Comment 22•5 years ago
|
||
I am going to defer the final decision on this to Dana, but my opinion is in favor of :
- adding a pref to disable HPKP
- announcing an intent-to-unship to set said pref to disable HPKP
Assignee | ||
Comment 23•5 years ago
|
||
As Chrome has removed support for the HPKP (HTTP Public Key Pinning) header,
continuing to support it in Firefox is a compatibility risk. This patch adds
the preference "security.cert_pinning.hpkp.enabled" and sets it to false by
default. As such, the platform will no longer process the HPKP header nor
consult any cached HPKP information for certificate pins.
Preloaded (statically-compiled) pins are still enabled in Firefox by default.
This patch also disables dynamically setting pins via our remote security
settings infrastructure, as it uses the same backend and represents similar
compatibility risk.
Assignee | ||
Updated•5 years ago
|
Updated•5 years ago
|
Comment 24•5 years ago
|
||
Please send an "Intent to unship" mail for this.
Assignee | ||
Comment 25•5 years ago
|
||
Yes, I'm intending (heh) to.
Comment 26•5 years ago
|
||
Updated•5 years ago
|
Comment 27•5 years ago
|
||
bugherder |
Comment 28•5 years ago
|
||
Posted site compatibility note: https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/
Assignee | ||
Comment 29•5 years ago
|
||
Comment 32•5 years ago
|
||
Google is a well known voluntary partner of the NSA and their motivation for removing this feature was likely by request of the NSA because it interferes with the NSA's interception hardware that they secretly force companies to use.
Other actions that Chrome has taken like removing P-521 is also very suspicious since ECC is very vulnerable to quantum computers and P-521 will be broken years before RSA-2048. The most common reason presented was "It's not in Suite B" so if the NSA would of put 3DES in Suite B then we'd using 3DES now. Right now, with Google themselves having a quantum computer and the NSA having one for at least 10 years, P-521 isn't enough.
There has not been a single legitimate reason presented for removing this feature that was not already known before becoming an IETF standard.
I believe this should be reconsidered or a browser fork needs to take place.
Updated•5 years ago
|
Comment 33•5 years ago
|
||
(In reply to Bob Nelson from comment #32)
Google is a well known voluntary partner of the NSA and their motivation for removing this feature was likely by request of the NSA because it interferes with the NSA's interception hardware that they secretly force companies to use.
Other actions that Chrome has taken like removing P-521 is also very suspicious since ECC is very vulnerable to quantum computers and P-521 will be broken years before RSA-2048. The most common reason presented was "It's not in Suite B" so if the NSA would of put 3DES in Suite B then we'd using 3DES now. Right now, with Google themselves having a quantum computer and the NSA having one for at least 10 years, P-521 isn't enough.
There has not been a single legitimate reason presented for removing this feature that was not already known before becoming an IETF standard.
I believe this should be reconsidered or a browser fork needs to take place.
There is waterfox that enables HPKP by default. But a fork is useless, since the major part of firefox users will have hpkp disabled by default and webmasters who don't trust CAs will discard this function anyway, since only a minority will benefit from it. I don't see any other function that can satisfy a webmaster who doesn't trust CAs. Unfortunately, those who possess most of the users have the power in this case, and there are no good powers.
Comment 35•5 years ago
|
||
Firefox 72 for developers:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/72#Security
Deprecation warnings in reference docs:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Public-Key-Pins
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Public-Key-Pins-Report-Only
Description
•