Certificate pinning in A. Kalla build 2.46
-
- Posts: 8
- Joined: March 12th, 2015, 12:22 pm
Certificate pinning in A. Kalla build 2.46
The latest A. Kalla build (2.46) for 32-bit Windows does not pass the certificate pinning test at https://pinning-test.badssl.com/ Firefox 49.0 does pass (site blocked with warning) but Firefox 48 did not pass. Does this mean the recently disclosed Firefox certificate pinning flaw (article here) is not fixed in this SM build?
-
- Posts: 1504
- Joined: October 1st, 2014, 3:25 pm
Re: Certificate pinning in A. Kalla build 2.46
What is the value of about:config > security.cert_pinning.enforcement_level ?
- therube
- Posts: 21703
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Certificate pinning in A. Kalla build 2.46
What should happen when you go to that site?
Should it fail to load with a "Secure Connection Failed", "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE" message?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Posts: 1361
- Joined: December 15th, 2015, 1:20 pm
Re: Certificate pinning in A. Kalla build 2.46
0 in SeaMonkey. 1 in Firefox. If you set it to 1 SeaMonkey behaves like Firefox so fixed but the default might need an additional adjustment.
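The pref values discussed above, as an added example that is not part of any post in this thread: a small JavaScript audit that reads the text of a profile's prefs.js or user.js and reports whether certificate pinning is actually enforced, falling back to the application's compiled-in default when the profile never set the pref. The sample profile contents are constructed for the example; the meanings of the values (0 disabled, 1 enforced except for chains ending in a user-imported root, 2 strict, 3 strict plus test-mode pins) are Gecko's semantics for this pref, and the per-application defaults (0 for SeaMonkey 2.46, 1 for Firefox) are taken from this thread.

```javascript
// Added example, not code from SeaMonkey or Firefox: audit a Mozilla profile's
// prefs.js / user.js text for security.cert_pinning.enforcement_level.
// Gecko semantics: 0 = pinning disabled, 1 = enforced except when the chain
// ends in a user-imported root (local AV / MITM proxies), 2 = strict,
// 3 = strict and test-mode pins are enforced too.
// All sample prefs below are constructed for this example.

const PREF = "security.cert_pinning.enforcement_level";

const LEVELS = {
  0: "disabled: pins are never checked",
  1: "enforced, except for chains ending in a user-imported root",
  2: "strict: enforced regardless of the trust anchor",
  3: "strict plus test-mode pins",
};

// Parse pref("name", value); / user_pref("name", value); lines into a Map.
// Handles string, integer and boolean literals; comments and other lines are
// ignored, and unrecognised literals are skipped rather than guessed.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (/^".*"$/.test(raw)) value = JSON.parse(raw);
    else continue;
    prefs.set(name, value);
  }
  return prefs;
}

// Report the effective enforcement level. appDefault is the value the
// application ships with (0 for SeaMonkey 2.46, 1 for Firefox, per the thread)
// and applies only when the profile does not override the pref.
function auditPinning(prefsText, appDefault) {
  const prefs = parsePrefs(prefsText);
  const fromProfile = prefs.has(PREF);
  const level = fromProfile ? prefs.get(PREF) : appDefault;
  const enforced = Number.isInteger(level) && level >= 1 && level <= 3;
  return {
    level,
    source: fromProfile ? "profile" : "application default",
    enforced,
    meaning: LEVELS[level] ?? "unknown value",
  };
}

// Constructed sample: a SeaMonkey profile that never touched the pref ...
const seamonkeyProfile = `
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
`;
// ... and the same profile after applying the fix suggested in the thread.
const fixedProfile = seamonkeyProfile + `user_pref("${PREF}", 1);\n`;

console.log(auditPinning(seamonkeyProfile, 0)); // level 0, not enforced
console.log(auditPinning(fixedProfile, 0));     // level 1, enforced
```

Running the audit with the Firefox default (1) as appDefault on the first sample reports pinning as enforced, which is exactly the difference the badssl test exposed between the two applications: same Gecko code, different compiled-in default.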
-
- Posts: 8
- Joined: March 12th, 2015, 12:22 pm
Re: Certificate pinning in A. Kalla build 2.46
The value was 0. When I set it to 1, the test site worked correctly.
Thanks to all for the info.
(Test site should show "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE")
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Certificate pinning in A. Kalla build 2.46
What exactly is that "pinning" doing? Apparently it's initialized with 0 by default on purpose per bug 1019259 and needs to be enabled explicitly by each application. A quick search with https://dxr.mozilla.org/comm-central/se ... rect=false shows that some applications are setting it to 1 (including Firefox, but it's 2 for b2g), which applies to instant messaging (im/) in comm-central only. I don't see anything set for either mail/ or suite/ (so, should it?).
Edit: Callek's post (comment #1) in that bug report gives some background, but there seems to be some legalese involved, whatever that SLA is.
- therube
- Posts: 21703
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Certificate pinning in A. Kalla build 2.46
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Moderator
- Posts: 14404
- Joined: May 3rd, 2007, 7:40 am
- Location: US
Re: Certificate pinning in A. Kalla build 2.46
I've filed bug 1305902 to keep this on the radar.