I think it's worth bring in +opsec to help investigate here. Context: We've enabled cert pinning in Nightly for FxA and are seeing more violations than we're comfortable with.
-chris On Jun 26, 2014, at 2:45 PM, Monica Chew <[email protected]> wrote: > +keeler > > Still not looking awesome -- but if the DNS cache is borking certs that is a > much bigger problem. > > ----- Original Message ----- >> From gavin on IRC: >> >> ckarlof: re: high rate of pinning violations for fxa, is is possible the DNS >> cache/AWS infra IP switch issues are to blame? >> >> -chris >> >> On Jun 18, 2014, at 11:38 AM, Monica Chew <[email protected]> wrote: >> >>> Please take a look at https://pinningtest.appspot.com in FF 32 or higher >>> and use your best judgment of whether FxA users on Nightly would be able >>> to file an appropriate bug if they see one of the 10-20 violations per day >>> that we're getting now. >>> >>> This bug is to improve the UI to be more informative: >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1011638 >>> >>> And this bug is to report the entire certificate chain, including the >>> complete domain, back to us for remediation: >>> https://bugzilla.mozilla.org/show_bug.cgi?id=846489 >>> >>> I don't think it makes sense to block a decision on either one of these, >>> because they don't have firm end dates. From the violation rate, I doubt >>> that the pinset is incorrect, most violations are probably from captive >>> portal. However, this assumption is incorrect if people are hitting a >>> rarely used subdomain on accounts.firefox.com that is using an unknown >>> cert issuer. >>> >>> If this is not the case and the pinset is correct, we could go ahead and >>> start enforcing pin violations and count on bugzilla reports to find >>> errors. It's also reasonable to wait a week and see if the numbers improve >>> (telemetry data lags 4-5 days, dates are by build date, not submission >>> date). >>> >>> Thanks, >>> Monica >>> >>> ----- Original Message ----- >>>> http://people.mozilla.org/~mchew/pinning_dashboard/ >>>> >>>> The violation rate is a little higher than mmc would expect to see. (We're >>>> still in reporting only mode, though.) >>>> >>>> We're seeing 10-20 (would be) violations per day. The rate is higher than >>>> other Moz services, but the sample size is also much smaller. >>>> >>>> Any thoughts? >>>> >>>> -chris >>>> >> >> _______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
