Will non-Mozilla websites be eligible to be added into our preload list, or is it restricted to our own properties?
On Sun, Nov 17, 2019, 8:17 PM Dana Keeler <dkee...@mozilla.com> wrote:

> The breadth of the web public key infrastructure (PKI) is both an asset
> and a risk. Websites have a wide range of certificate authorities (CAs)
> to choose from to obtain certificates for their domains. As a
> consequence, attackers also have a wide range of potential targets to
> try to exploit to get a mis-issued certificate. The HTTP Public Key
> Pinning (HPKP) [0] header was intended to allow individual sites to
> restrict the web PKI to a subset as it applies to their domains, thus
> decreasing their exposure to compromised CAs.
>
> Unfortunately, HPKP has seen little adoption, largely because it has
> proved to be too dangerous to use. There are a number of scenarios that
> can render websites inoperable, even if they themselves don't use the
> header. Chrome removed support for it in version 72 in January of this
> year [1]. According to our compatibility information, Opera, Android
> webview, and Samsung Internet are the only other implementations that
> support the header [2]. At this point, it represents too much of a risk
> to continue to enable in Firefox.
>
> A related mechanism, DNS Certification Authority Authorization (CAA)
> [3], also allows websites to restrict which CAs can issue certificates
> for their domains. This has seen much larger adoption and does not
> suffer from the drawbacks of HPKP.
>
> Earlier today, bug 1412438 [4] landed in Firefox Nightly [5] to disable
> HPKP via a preference. New HPKP headers will not be processed, and
> previously-cached HPKP information will not be consulted.
>
> The static list of key pinning information that ships with Firefox is
> still enabled, and these pins will still be enforced.
>
> [0] https://tools.ietf.org/html/rfc7469
> [1] https://www.chromestatus.com/feature/5903385005916160
> [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
> [3] https://tools.ietf.org/html/rfc6844
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1412438
> [5] Coincidentally, version 72
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
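The quoted message points at DNS CAA as the surviving way for a site to restrict which CAs may issue for it. The following is an added example, not code from the mail or from Mozilla: a small Python model of the RFC 6844 checking logic a CA runs before issuing, operating over a constructed in-memory zone rather than live DNS. It walks from the requested name toward the root to find the relevant CAA record set, honours the "issuer critical" flag for unknown tags, distinguishes `issue` from `issuewild`, and treats a bare `;` value as "no CA may issue". The zone contents and the CA identifiers `ca-one.example` / `ca-two.example` are constructed for the example; the CNAME/DNAME alias steps of the RFC lookup are omitted.

```python
from dataclasses import dataclass

CRITICAL_FLAG = 0x80          # RFC 6844 "issuer critical" bit in the flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    """One CAA resource record: flags byte, property tag, property value."""
    flags: int
    tag: str
    value: str


# Constructed zone data for this example (not real DNS answers).
# Keys are owner names; values are the CAA RRset published at that name.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),      # only ca-one may issue ordinary certs
        CAARecord(0, "issuewild", ";"),               # nobody may issue wildcard certs
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [
        CAARecord(0, "issue", "ca-two.example"),      # a subdomain with its own, overriding set
    ],
    "locked.example.com": [
        CAARecord(CRITICAL_FLAG, "future-tag", "x"),  # critical tag this checker does not understand
    ],
}


def relevant_caa_set(zone, name):
    """Walk from `name` toward the root and return the first non-empty CAA RRset.

    This is the RFC 6844 "relevant record set" search without the CNAME/DNAME
    alias steps, which the constructed zone does not need.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuance_permitted(zone, name, ca_domain, wildcard=False):
    """Decide whether `ca_domain` may issue for `name` (wildcard=True for *.name).

    Returns (decision, reason). A CA must refuse to issue when the decision is False.
    """
    owner, rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True, "no CAA records found: issuance is unrestricted"

    # Any critical property the CA does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & CRITICAL_FLAG and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag '{rec.tag}' at {owner}"

    # issuewild governs wildcard requests when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"

    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True, f"no '{tag}' records at {owner}: issuance is unrestricted"

    for rec in applicable:
        # The issuer domain precedes any ';'-separated parameters; ';' alone means "nobody".
        issuer = rec.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"'{tag} {issuer}' at {owner} authorises {ca_domain}"
    return False, f"{ca_domain} is not listed in any '{tag}' record at {owner}"


if __name__ == "__main__":
    for host, ca, wild in [
        ("www.example.com", "ca-one.example", False),
        ("www.example.com", "ca-two.example", False),
        ("example.com", "ca-one.example", True),
        ("legacy.example.com", "ca-two.example", False),
        ("locked.example.com", "ca-one.example", False),
    ]:
        ok, why = issuance_permitted(ZONE, host, ca, wild)
        print(f"{'ALLOW' if ok else 'DENY '} {ca} for {'*.' if wild else ''}{host}: {why}")
```

Two properties worth noticing when reading the output: a subdomain that publishes its own CAA set (`legacy.example.com`) completely replaces the parent's policy rather than merging with it, and a record with the critical flag and an unknown tag locks issuance down for every CA until it learns the tag, which is the fail-closed behaviour that makes CAA safe for site owners to deploy.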