Patrick McManus set the DNS cache to 60 seconds a few months back. It shouldn't be an issue anymore. https://bugzilla.mozilla.org/show_bug.cgi?id=981447
On Thu 26.Jun'14 at 15:33:09 -0700, Chris Karlof wrote:
> I think it's worth bringing in +opsec to help investigate here.
>
> Context: We've enabled cert pinning in Nightly for FxA and are seeing more
> violations than we're comfortable with.
>
> -chris
>
> On Jun 26, 2014, at 2:45 PM, Monica Chew <[email protected]> wrote:
>
> > +keeler
> >
> > Still not looking awesome -- but if the DNS cache is borking certs that is
> > a much bigger problem.
> >
> > ----- Original Message -----
> >> From gavin on IRC:
> >>
> >> ckarlof: re: high rate of pinning violations for fxa, is it possible the
> >> DNS cache/AWS infra IP switch issues are to blame?
> >>
> >> -chris
> >>
> >> On Jun 18, 2014, at 11:38 AM, Monica Chew <[email protected]> wrote:
> >>
> >>> Please take a look at https://pinningtest.appspot.com in FF 32 or higher
> >>> and use your best judgment of whether FxA users on Nightly would be able
> >>> to file an appropriate bug if they see one of the 10-20 violations per day
> >>> that we're getting now.
> >>>
> >>> This bug is to improve the UI to be more informative:
> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1011638
> >>>
> >>> And this bug is to report the entire certificate chain, including the
> >>> complete domain, back to us for remediation:
> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=846489
> >>>
> >>> I don't think it makes sense to block a decision on either one of these,
> >>> because they don't have firm end dates. From the violation rate, I doubt
> >>> that the pinset is incorrect; most violations are probably from captive
> >>> portals. However, this assumption is incorrect if people are hitting a
> >>> rarely used subdomain on accounts.firefox.com that is using an unknown
> >>> cert issuer.
> >>>
> >>> If this is not the case and the pinset is correct, we could go ahead and
> >>> start enforcing pin violations and count on bugzilla reports to find
> >>> errors. It's also reasonable to wait a week and see if the numbers improve
> >>> (telemetry data lags 4-5 days, dates are by build date, not submission
> >>> date).
> >>>
> >>> Thanks,
> >>> Monica
> >>>
> >>> ----- Original Message -----
> >>>> http://people.mozilla.org/~mchew/pinning_dashboard/
> >>>>
> >>>> The violation rate is a little higher than mmc would expect to see.
> >>>> (We're still in reporting only mode, though.)
> >>>>
> >>>> We're seeing 10-20 (would be) violations per day. The rate is higher than
> >>>> other Moz services, but the sample size is also much smaller.
> >>>>
> >>>> Any thoughts?
> >>>>
> >>>> -chris

_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
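A report-only public key pin check of the kind the thread discusses, as an added example (not Firefox's PSM code or anything from the FxA project); the pinset, hostnames and SPKI bytes are constructed, and the chain is assumed to have already passed normal certificate validation:

```python
import base64
import hashlib
from dataclasses import dataclass

def spki_fingerprint(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SubjectPublicKeyInfo DER)), as in HPKP."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for SPKI DER bytes; a real pin hashes the actual SPKI.
FXA_LEAF = b"constructed-spki:accounts.firefox.com-leaf"
KNOWN_INTERMEDIATE = b"constructed-spki:known-intermediate"
KNOWN_ROOT = b"constructed-spki:known-root"
PORTAL_CERT = b"constructed-spki:captive-portal-self-signed"
OTHER_ISSUER = b"constructed-spki:unexpected-intermediate"

@dataclass(frozen=True)
class Pinset:
    host: str
    include_subdomains: bool
    pins: frozenset        # fingerprints of keys allowed anywhere in the chain
    enforce: bool = False  # False = report-only, as FxA pinning was in Nightly

    def covers(self, host: str) -> bool:
        return host == self.host or (
            self.include_subdomains and host.endswith("." + self.host))

@dataclass(frozen=True)
class PinReport:
    host: str
    pinned: bool     # host is covered by the pinset at all
    violation: bool  # covered, but no cert in the chain matched a pin
    blocked: bool    # violation while the pinset is enforcing
    chain: tuple     # every fingerprint in the chain (what bug 846489 asks for)

def check_pins(pinset: Pinset, host: str, chain_spki: list) -> PinReport:
    """Pass if any SPKI in the (already validated) chain matches a pin."""
    chain = tuple(spki_fingerprint(s) for s in chain_spki)
    if not pinset.covers(host):
        return PinReport(host, False, False, False, chain)
    violation = pinset.pins.isdisjoint(chain)
    return PinReport(host, True, violation, violation and pinset.enforce, chain)

def summarize(reports: list) -> dict:
    """Per-host (pinned connections, violations): the dashboard view."""
    counts = {}
    for r in reports:
        if r.pinned:
            total, bad = counts.get(r.host, (0, 0))
            counts[r.host] = (total + 1, bad + int(r.violation))
    return counts
```

In report-only mode a captive-portal certificate is recorded as a violation but not blocked, which is the noise Monica expects; summarize() groups reports per host, so a rarely used subdomain served by an unexpected issuer stands out as a host whose connections are all violations.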

