60 seconds is still a large enough window for some users to be affected by DNS changes, right? We're just looking for a reason why fxa might be more affected than our other properties, and "it's the only service with such frequent DNS changes" seems like a decent one.
Gavin

On Thu, Jun 26, 2014 at 3:51 PM, Julien Vehent <[email protected]> wrote:
> Patrick McManus set the DNS cache to 60 seconds a few months back. It
> shouldn't be an issue anymore.
> https://bugzilla.mozilla.org/show_bug.cgi?id=981447
>
> On Thu 26.Jun'14 at 15:33:09 -0700, Chris Karlof wrote:
>> I think it's worth bringing in +opsec to help investigate here.
>>
>> Context: We've enabled cert pinning in Nightly for FxA and are seeing more
>> violations than we're comfortable with.
>>
>> -chris
>>
>> On Jun 26, 2014, at 2:45 PM, Monica Chew <[email protected]> wrote:
>>
>> > +keeler
>> >
>> > Still not looking awesome -- but if the DNS cache is borking certs that is
>> > a much bigger problem.
>> >
>> > ----- Original Message -----
>> >> From gavin on IRC:
>> >>
>> >> ckarlof: re: high rate of pinning violations for fxa, is it possible the
>> >> DNS cache/AWS infra IP switch issues are to blame?
>> >>
>> >> -chris
>> >>
>> >> On Jun 18, 2014, at 11:38 AM, Monica Chew <[email protected]> wrote:
>> >>
>> >>> Please take a look at https://pinningtest.appspot.com in FF 32 or higher
>> >>> and use your best judgment of whether FxA users on Nightly would be able
>> >>> to file an appropriate bug if they see one of the 10-20 violations per day
>> >>> that we're getting now.
>> >>>
>> >>> This bug is to improve the UI to be more informative:
>> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=1011638
>> >>>
>> >>> And this bug is to report the entire certificate chain, including the
>> >>> complete domain, back to us for remediation:
>> >>> https://bugzilla.mozilla.org/show_bug.cgi?id=846489
>> >>>
>> >>> I don't think it makes sense to block a decision on either one of these,
>> >>> because they don't have firm end dates. From the violation rate, I doubt
>> >>> that the pinset is incorrect; most violations are probably from captive
>> >>> portal. However, this assumption is incorrect if people are hitting a
>> >>> rarely used subdomain on accounts.firefox.com that is using an unknown
>> >>> cert issuer.
>> >>>
>> >>> If this is not the case and the pinset is correct, we could go ahead and
>> >>> start enforcing pin violations and count on bugzilla reports to find
>> >>> errors. It's also reasonable to wait a week and see if the numbers improve
>> >>> (telemetry data lags 4-5 days, dates are by build date, not submission
>> >>> date).
>> >>>
>> >>> Thanks,
>> >>> Monica
>> >>>
>> >>> ----- Original Message -----
>> >>>> http://people.mozilla.org/~mchew/pinning_dashboard/
>> >>>>
>> >>>> The violation rate is a little higher than mmc would expect to see. (We're
>> >>>> still in reporting only mode, though.)
>> >>>>
>> >>>> We're seeing 10-20 (would be) violations per day. The rate is higher than
>> >>>> other Moz services, but the sample size is also much smaller.
>> >>>>
>> >>>> Any thoughts?
>> >>>>
>> >>>> -chris
>
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct

