In any case, the pin check doesn't matter.  The certificate verification
will have failed well before the pin checks are done.

On Mon, Jan 4, 2016 at 4:14 PM, David Keeler <dkee...@mozilla.com> wrote:

> > { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla },
>
> Just for clarification and future reference, the second "true" means this
> entry is in test mode, so it's not actually enforced by default.
>
> On Mon, Jan 4, 2016 at 1:08 PM, Dave Townsend <dtowns...@mozilla.com>
> wrote:
>
> > aus5 (the server the app updater checks) is still pinned:
> >
> >
> > https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/StaticHPKPins.h#739
> >
> > On Mon, Jan 4, 2016 at 12:54 PM, Robert Strong <rstr...@mozilla.com>
> > wrote:
> > > On Mon, Jan 4, 2016 at 12:46 PM, Jesper Kristensen <
> > > moznewsgro...@something.to.remove.jesperkristensen.dk> wrote:
> > >
> > >> On 04-01-2016 at 19:45, Daniel Holbert wrote:
> > >>
> > >>> On 01/04/2016 10:33 AM, Josh Matthews wrote:
> > >>>
> > >>>> Wouldn't the SSL cert failures also prevent submitting the telemetry
> > >>>> payload to Mozilla's servers?
> > >>>>
> > >>>
> > >>> Hmm... actually, I'll bet the cert errors will prevent Firefox updates,
> > >>> for that matter! (I'm assuming the update-check is performed over HTTPS.)
> > >>>
> > >>
> > >> If I remember correctly, update checks are pinned to a specific CA, so
> > >> updates for users with software that MITM AUS would already be broken?
> > >
> > > That was removed a while ago in favor of using mar signing as an exploit
> > > mitigation.
> > >
> > >
> > >
> > >>
> > >> _______________________________________________
> > >> dev-platform mailing list
> > >> dev-platform@lists.mozilla.org
> > >> https://lists.mozilla.org/listinfo/dev-platform
> > >>