SecurityEngineering/Public Key Pinning/ReleaseEngineering

From MozillaWiki

Revision notes carried on this page: a minor edit ("Adding full name because why not.") and a later edit ("remove stale references to Twitter, seceng@mozilla.org"), which dropped seceng@mozilla.org from the Mozilla contact line and removed the Twitter entry (Neil Matatall, who was no longer at Twitter; no replacement contact was listed).

Latest revision as of 17:05, 21 April 2023

Whom to contact in case of emergency

  • Mozilla: pinning@mozilla.org or security@mozilla.org (last resort)
  • Google: pki-contact@google.com or agl or security@google.com (last resort)
  • Dropbox: April King (aprilking@dropbox.com)
  • Facebook: Scott Renfro (srenfro@fb.com)

Implementation status

Pinning is enabled by default in Nightly 32.

What critical Mozilla properties are we planning to pin?

  • AMO
  • aus4 is still under discussion. We have a meeting with rstrong to discuss what benefits, if any, pinning provides over verifying the signature on the actual binaries and requiring that they come from a known issuer. The drawback of pinning the updater is that a bad pinset could break our own update mechanism.

How to rollback pinning for Firefox

Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can:

  1. Push a hotfix to disable the pinning pref. If pinning breaks AMO, this will not be possible.
  2. Push a chemspill. If pinning breaks aus4, this will not be possible.
  3. Wait for the pinset to expire (bug 1012875): 8 or 10 weeks after it reaches stable, during which time users will not be able to reach sites that are pinned incorrectly.
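To make the rollback mechanics above concrete, the following is an added Python model (not Mozilla code, and not how Firefox implements pinning internally) of a pref-gated pin check: SPKI pins are computed HPKP-style, the enforcement level decides whether pins are checked at all, an expired pinset stops being enforced, and a small helper lists which of the three rollback routes remain when a bad pinset has broken AMO or aus4. Assumptions: the page only documents level 0; the meanings given for levels 1 and 2 are Firefox's documented values for that pref; the 10-week lifetime is taken from the "8 or 10 weeks" above; every SPKI byte string, date and pinset is constructed sample data.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Values of security.cert_pinning.enforcement_level as Firefox defines them.
# The page only documents 0 (the rollback value); 1 and 2 are modelled so the
# example shows why a user-installed root behaves differently from a built-in one.
ENFORCEMENT_DISABLED = 0          # pins never checked: the rollback switch
ENFORCEMENT_ALLOW_USER_MITM = 1   # Firefox default: chains anchored by a user-added root bypass pins
ENFORCEMENT_STRICT = 2            # pins enforced regardless of which root anchors the chain

# Assumed pinset lifetime for the "wait for expiry" route (the page says 8 or 10 weeks).
PINSET_LIFETIME = timedelta(weeks=10)


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pinset_expired(pinset_built: datetime, now: datetime,
                   lifetime: timedelta = PINSET_LIFETIME) -> bool:
    """A static pinset stops being enforced once it is older than its lifetime."""
    return now >= pinset_built + lifetime


def check_chain(level: int, chain_spkis: list, pinset: set,
                root_is_builtin: bool, expired: bool):
    """Decide whether a certificate chain passes pinning.

    Returns (allowed, reason). A chain passes when at least one SPKI anywhere
    in it hashes to a pin in the pinset, unless pinning is switched off, the
    pinset has expired, or (at level 1) the chain is anchored by a root the
    user installed themselves.
    """
    if level == ENFORCEMENT_DISABLED:
        return True, "pinning disabled by security.cert_pinning.enforcement_level=0"
    if expired:
        return True, "pinset expired; pins no longer enforced"
    if level == ENFORCEMENT_ALLOW_USER_MITM and not root_is_builtin:
        return True, "chain anchored by user-installed root; pins bypassed at level 1"
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    if chain_pins & pinset:
        return True, "an SPKI in the chain matches the pinset"
    return False, "no SPKI in the chain matches the pinset"


def rollback_options(amo_broken: bool, aus4_broken: bool) -> list:
    """Which of the page's three rollback routes remain when pinning misfires."""
    options = []
    if not amo_broken:
        options.append("hotfix")     # delivered through AMO
    if not aus4_broken:
        options.append("chemspill")  # delivered through aus4
    options.append("wait for pinset expiry")  # always available, but slow
    return options


# Constructed sample data: stand-ins for DER-encoded SPKIs, not real keys.
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
LEAF_SPKI = b"constructed-leaf-spki"
ROGUE_SPKI = b"constructed-rogue-spki"

# Constructed pinset that trusts the intermediate's key only.
PINSET = {spki_pin(INTERMEDIATE_SPKI)}

# Constructed dates: the pinset was built three weeks before "now".
SAMPLE_NOW = datetime(2023, 4, 21, tzinfo=timezone.utc)
SAMPLE_BUILT = SAMPLE_NOW - timedelta(weeks=3)


if __name__ == "__main__":
    expired = pinset_expired(SAMPLE_BUILT, SAMPLE_NOW)
    for level in (ENFORCEMENT_DISABLED, ENFORCEMENT_ALLOW_USER_MITM, ENFORCEMENT_STRICT):
        ok, why = check_chain(level, [LEAF_SPKI, ROGUE_SPKI], PINSET, True, expired)
        print(f"level={level} allowed={ok}: {why}")
    print("rollback options if pinning broke aus4:", rollback_options(False, True))
```

Running the block shows the rollback switch in action: with the pref at 0 a chain that matches no pin is accepted, while at level 2 the same chain is refused until the pinset expires. The `rollback_options` helper encodes the dependency the list above spells out: a hotfix needs AMO and a chemspill needs aus4, so a pinset that breaks either service removes the fast route that relies on it.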

How long do updates take?

  • Hotfix: almost all users in 2 days
  • Chemspill: unknown
  • Fennec (Google Play): majority of users in 2 days

What about other platforms besides desktop?

In bug 1012882, we decided not to pin on b2g right now, and (maybe) to wait a couple of cycles before pinning on Fennec.