Opened 4 years ago

Closed 4 years ago

#16206 closed defect (fixed)

set security.cert_pinning.enforcement_level to 2 ("Strict. Pinning is always enforced")

Reported by: dkg
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: hpkp, TorBrowserTeam201506R, tbb-5.0a-highrisk, ff38-esr
Cc: sajolida@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

See: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

Please set security.cert_pinning.enforcement_level to 2 ("Strict. Pinning is always enforced").

This will become more relevant as Tor moves to a more recent version of Firefox (31 only has minimal built-in pinning support, and 35 introduces HPKP), but without setting the level to 2, users who are phished with an external root CA (admittedly a bad situation, but not uncommon) will lose all pinning protection against that root CA (see https://bugzilla.mozilla.org/show_bug.cgi?id=1168603 for more details about this risk and circumstances where it might legitimately arise).
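An added example, not part of the ticket or of Tor Browser's code: a small audit that reads a profile's `prefs.js` and `user.js` text and reports which enforcement level the profile sets. The level descriptions follow the Mozilla wiki page linked above; the sample file contents and the function names are constructed for illustration.

```python
import re

PREF = "security.cert_pinning.enforcement_level"

# Level meanings as listed on the Mozilla Public Key Pinning wiki page.
LEVELS = {
    0: "pinning disabled",
    1: "allow user MITM (pins not enforced for user-added roots)",
    2: "strict, pinning is always enforced",
    3: "enforce test mode",
}

# Matches user_pref("name", value); and pref("name", value); lines.
# Lines starting with // are comments and do not match.
PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)

def read_level(text):
    """Return the last integer assigned to PREF in a prefs file, or None."""
    level = None
    for name, raw in PREF_LINE.findall(text):
        if name == PREF and re.fullmatch(r"-?\d+", raw):
            level = int(raw)
    return level

def audit(prefs_js="", user_js=""):
    """user.js is applied after prefs.js at startup, so it wins if both set PREF."""
    level, source = read_level(user_js), "user.js"
    if level is None:
        level, source = read_level(prefs_js), "prefs.js"
    if level is None:
        return (None, "not set in profile; the browser's built-in default applies")
    meaning = LEVELS.get(level, "unknown level")
    verdict = "strict" if level == 2 else "not level 2"
    return (level, f"{source}: {level} ({meaning}) -> {verdict}")

# Constructed sample profile contents (not taken from the ticket).
SAMPLE_PREFS_JS = ('user_pref("browser.startup.page", 0);\n'
                   'user_pref("security.cert_pinning.enforcement_level", 1);\n')
SAMPLE_USER_JS = ('// user_pref("security.cert_pinning.enforcement_level", 0);\n'
                  'user_pref("security.cert_pinning.enforcement_level", 2);\n')

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS)[1])
    print(audit(SAMPLE_PREFS_JS)[1])
```

A `None` result only means the profile does not override the pref; the effective value then comes from the defaults shipped with the browser build, which this script does not inspect.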

Change History (7)

comment:1 Changed 4 years ago by gk

Keywords: TorBrowserTeam201505 added

There is actually https://bugzilla.mozilla.org/show_bug.cgi?id=1059392 proposing to switch to level 2 by default. As we have backported cert pinning for our updater we might want to have that earlier than August when the move to ESR 38 is planned.

comment:2 Changed 4 years ago by sajolida

Cc: sajolida@… added

comment:3 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201506 added; TorBrowserTeam201505 removed

comment:4 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a-highrisk ff38-esr added

If we're going to deviate from the Mozilla default, we should test this in an alpha before tossing it out as TBB-5.0-stable.

comment:5 Changed 4 years ago by gk

Keywords: TorBrowserTeam201506R added; TorBrowserTeam201506 removed
Status: new → needs_review

I've been testing this pref change for a while now and I did not notice any issues. bug_16206 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_16206) in my public tor-browser repo has the fix.

comment:6 Changed 4 years ago by mcs

r=mcs
Thanks for testing. Unless someone else objects, let's make this change for 5.0a3.

comment:7 Changed 4 years ago by arthuredelstein

Resolution: fixed
Status: needs_review → closed