Opened 15 months ago

Closed 5 weeks ago

#25146 closed task (wontfix)

Enable HPKP for aus1

Reported by: gk
Owned by: tpa
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords: tbb-update
Cc: brade, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

So, this seems to have fallen through the cracks. A while ago I was asked to ask Mozilla how to get subdomains added to the HPKP list. I got the info and tried to move that forward in #tor-project, but that failed. So, here is where we are:

18:01 < GeKo> so i asked around a bit a while back wrt getting more tpo 
              subdomains in the static firefox pin list.
18:02 < GeKo> and the answer was basically to open a ticket on bugzilla
18:02 < GeKo> probably similar to 
              https://bugzilla.mozilla.org/show_bug.cgi?id=1219185
18:03 < GeKo> or maybe even better as a child bug to the pin all the things one: 
              https://bugzilla.mozilla.org/show_bug.cgi?id=1004350
18:03 < GeKo> i'd be especially interested in static pins for the updater related 
              subdomains
18:04 < GeKo> what's the process for getting this moved forward?

One thing to consider is that Google is deprecating HPKP and pushing for CT. Not sure how that influences our decision for supporting HPKP ourselves.

Child Tickets

Change History (12)

comment:1 Changed 15 months ago by mcs

Cc: brade mcs added

comment:2 Changed 12 months ago by weasel

Yeah, I'm really not sure what our HPKP plan should be.

comment:3 Changed 7 months ago by releng

It should be to add your sensitive subdomains to the browsers' HPKP built-in preload list (and to do nothing with HPKP itself).
See 'More information' section in https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

comment:4 Changed 6 months ago by micah

Google announced it is deprecating HPKP: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

I believe in general HPKP is going away because it is extremely risky. A trivial mistake will brick your site, but Google says it's too hard to build a pin-set that's guaranteed to work, and there's the risk of hostile pinning. Hostile pinning hasn't been observed yet, but it's an attack that allows someone to take your site hostage should they somehow be able to obtain a valid certificate for your domain.

Adoption rate of HPKP has been very low, and because of that browser vendors are looking to replace it. Right now the alternatives are Expect-CT and CAA. I don't think it makes a lot of sense to pursue HPKP right now.

comment:5 Changed 6 months ago by releng

What is this stupid comment posted for?
HPKP is unusable on stateless browsers anyway and isn't discussed here.
Citing your precious Google:

Note that we're keeping static/preloaded key pins for the time being. Many high-value target sites are thus still protected.

comment:6 Changed 6 months ago by nickm

Hey, let's try to be polite here, please? I know it's frustrating to communicate sometimes, but everybody involved with this project is a human being.

comment:7 in reply to:  6 Changed 6 months ago by releng

Replying to nickm:

Hey, let's try to be polite here, please?

Hey, Nick! Let's try, but it's not the best strategy ever.

I know it's frustrating to communicate sometimes, but everybody involved with this project is a human being.

Communicate? After sunsetting Tor Messenger without a replacement, restricting IRC channels, disabling cypherpunks account, etc? It's hard to believe somebody here wants to communicate...

comment:8 Changed 6 months ago by releng

https://blog.mozilla.org/security/2018/10/09/trusting-the-delivery-of-firefox-updates/

The files were downloaded via HTTPS, but the server certificates or public keys were not pinned.

https://bugzilla.mozilla.org/show_bug.cgi?id=1468525


comment:9 Changed 3 months ago by gk

Cc: tbb-updater added

comment:10 Changed 3 months ago by gk

Cc: tbb-updater removed
Keywords: tbb-updater added

comment:11 Changed 3 months ago by gk

Keywords: tbb-update added; tbb-updater removed

Renaming keyword to make it a bit broader

comment:12 Changed 5 weeks ago by gk

Resolution: wontfix
Status: new → closed

I think we can do better than trying to get the update check pinned in Firefox by making them go to a .onion. However, we are not there yet (see: #17216). Meanwhile we patch our Tor Browser to add a static pin ourselves (#29811).
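
The pin mechanics this thread argues over (comments 3 to 5 and comment 12) are easier to reason about in code. The block below is an added example, not code from this ticket, from Firefox or from Tor Browser: a small Python model of RFC 7469-style pin handling. It parses a Public-Key-Pins header, applies the rule that a browser only notes pins when the served chain matches one of them and at least one other pin is a backup not present in the chain, and validates a chain against static (preloaded) pins plus any noted ones. The hostname, SPKI byte strings and therefore the pin values are constructed stand-ins, not the real aus1 keys.

```python
"""Added example, not code from this ticket or Tor Browser: RFC 7469-style pin
handling, showing why a pin set without a backup pin "bricks" a site and why a
stateless browser only ever has static (preloaded) pins to go on.
Every SPKI blob and hostname below is a constructed stand-in."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def spki_pin(spki_der: bytes) -> str:
    """A pin as RFC 7469 defines it: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

@dataclass
class PinPolicy:
    pins: List[str]
    max_age: int
    include_subdomains: bool = False

# One "name", "name=token" or 'name="quoted"' directive; the header is ';'-separated.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;]*)))?\s*')

def parse_pkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value; unknown directives are ignored."""
    pins, max_age, include_sub = [], None, False
    for part in filter(str.strip, value.split(";")):
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else (m.group(3) or "").strip()
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return PinPolicy(pins, max_age, include_sub)

def note_decision(policy: PinPolicy, chain: List[bytes]) -> Tuple[bool, str]:
    """RFC 7469 section 2.5: note pins only if the served chain matches one pin (no
    pinning without the site's key) AND some pin is absent from the chain (the backup)."""
    present = {spki_pin(s) for s in chain}
    if not any(p in present for p in policy.pins):
        return False, "no pin matches the served chain"
    if all(p in present for p in policy.pins):
        return False, "no backup pin: noting this would lock the site to its current keys"
    return True, "noted"

class PinStore:
    """Browser pin state: static pins plus pins noted from headers (a stateless
    browser keeps only the static part and never notes anything)."""

    def __init__(self, static_pins: Optional[Dict[str, List[str]]] = None) -> None:
        self.static: Dict[str, List[str]] = dict(static_pins or {})
        self.noted: Dict[str, List[str]] = {}

    def process_header(self, host: str, header: str, chain: List[bytes]) -> str:
        policy = parse_pkp_header(header)
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self.noted.pop(host, None)
            return "cleared"
        ok, reason = note_decision(policy, chain)
        if ok:
            self.noted[host] = list(policy.pins)
        return reason

    def validate(self, host: str, chain: List[bytes]) -> bool:
        """Hosts with no pins are unconstrained; otherwise a pinned SPKI must be in the chain."""
        pins = self.static.get(host, []) + self.noted.get(host, [])
        present = {spki_pin(s) for s in chain}
        return not pins or any(p in present for p in pins)

# Constructed stand-ins; real pins are computed from the certificates' SPKI DER.
LEAF_SPKI = b"constructed-spki:live-update-server-key"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
ROGUE_SPKI = b"constructed-spki:some-other-key"
HOST = "aus1.example.org"  # hypothetical hostname, not the ticket's real one
GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
               "max-age=5184000; includeSubDomains")
NO_BACKUP_HEADER = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=5184000'

def demo() -> Dict[str, object]:
    """Run the scenarios the thread argues about and return each outcome."""
    store = PinStore()  # a stateful browser with nothing preloaded for HOST
    stateless = PinStore({HOST: [spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)]})
    return {
        "no_backup": store.process_header(HOST, NO_BACKUP_HEADER, [LEAF_SPKI]),
        "good": store.process_header(HOST, GOOD_HEADER, [LEAF_SPKI]),
        "rotated_to_backup": store.validate(HOST, [BACKUP_SPKI]),
        "rogue_key": store.validate(HOST, [ROGUE_SPKI]),
        "static_only_rogue_key": stateless.validate(HOST, [ROGUE_SPKI]),
    }
```

`demo()` returns the outcomes: the single-pin header is refused before it can lock the site to one key (comment 4's "trivial mistake"), a pin set with a backup still validates after rotation to the backup key, and a store that holds only static pins (the stateless case from comment 5) rejects an unpinned key without ever having seen a header, which is the property a static entry in the Firefox pin list gives the updater hosts.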
