SecurityEngineering/Public Key Pinning

From MozillaWiki
< SecurityEngineering
Revision as of 20:11, 23 May 2024 by Dkeeler (talk | contribs) (Implementation status: remove no-longer-pinned sites)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Background

Public Key Pinning is a mechanism for sites to specify which certificate authorities have issued valid certs for that site, and for user-agents to reject TLS connections to those sites if the certificate is not issued by a known-good CA. Public key pinning prevents man-in-the-middle attacks due to rogue CAs not on the site's list (see the Diginotar attack which Chrome detected and we did not: https://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/).

The feature binds a set of hashes public keys to a domain name such that when connecting to a site using TLS the browser ensures that there is an intersection between the public keys in the computed trust chain and the set of fingerprints associated with that domain. This check is done during the certificate verification phase of the connection, before any data is sent or processed by the browser. In particular we are pinning the sha256 digest of the der encoded subject public key info. In order to reduce rejections, Firefox computes all potential trust chains before deciding that are no valid pins.

Implementation status

Firefox 32 on desktop and later has the ability to enforce built-in pinsets, or mappings of public key information to domains (bug 744204).

Pinning is supported in Firefox 34 and later on Android.

We currently:

  1. Pin all of the sites that Chrome already does (mainly Google sites) by importing chromium's pinset.
  2. Pin our own sites after auditing them and cleaning them up.
  3. Pin other popular sites like Facebook that are in good shape already (with their cooperation, of course)

Currently-pinned Sites

Tracking bug for pinning all the things: bug 1004350

How to use pinning

Starting with FF 32, it's on by default, so you don't have to do anything. The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

  • 0. Pinning disabled
  • 1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
  • 2. Strict. Pinning is always enforced.
  • 3. Enforce test mode.

More information

Public Key Pinning Extension for HTTP

In the future, we would like to support dynamic pinsets rather than relying on built-in ones. HTTP Public Key Pinning (HPKP) [1] is an HTTP header that allows sites to announce their pinset. It relies on "clean load" in order to provide a similar level of assurance as built-in pins.

Tracking bug: bug 787133