Certificate pinning in A. Kalla build 2.46

Discussion about Seamonkey builds
Sportsfan
Posts: 8
Joined: March 12th, 2015, 12:22 pm

Certificate pinning in A. Kalla build 2.46

Post by Sportsfan »

The latest A. Kalla build (2.46) for 32-bit Windows does not pass the certificate pinning test at https://pinning-test.badssl.com/. Firefox 49.0 does pass (site blocked with warning), but Firefox 48 did not pass. Does this mean the recently disclosed Firefox certificate pinning flaw (article here) is not fixed in this SM build?
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Certificate pinning in A. Kalla build 2.46

Post by barbaz »

What is the value of about:config > security.cert_pinning.enforcement_level ?
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Certificate pinning in A. Kalla build 2.46

Post by therube »

What should happen when you go to that site?
Should it fail to load with a "Secure Connection Failed", "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE" message?
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: Certificate pinning in A. Kalla build 2.46

Post by frg »

0 in SeaMonkey. 1 in Firefox. If you set it to 1, SeaMonkey behaves like Firefox, so fixed, but the default might need an additional adjustment.
Sportsfan
Posts: 8
Joined: March 12th, 2015, 12:22 pm

Re: Certificate pinning in A. Kalla build 2.46

Post by Sportsfan »

The value was 0. When I set it to 1, the test site worked correctly.

Thanks to all for the info.

(Test site should show "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE")
rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Certificate pinning in A. Kalla build 2.46

Post by rsx11m »

What exactly is that "pinning" doing? Apparently it's initialized with 0 by default on purpose per bug 1019259 and needs to be enabled explicitly by each application. A quick search with https://dxr.mozilla.org/comm-central/se ... rect=false shows that some applications are setting it to 1 (including Firefox, but it's 2 for b2g), which applies to instant messaging (im/) in comm-central only. I don't see anything set for either mail/ or suite/ (so, should it?).

Edit: Callek's post (comment #1) in that bug report gives some background, but there seems to be some legalese involved, whatever that SLA is. :-k
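An added profile audit, written for this thread and not taken from it or from SeaMonkey/Mozilla code, that reads prefs.js/user.js text and reports whether security.cert_pinning.enforcement_level is still at the 0 that frg and rsx11m describe as the SeaMonkey default. The sample prefs.js content is constructed; the "strict" label for level 2 comes from Mozilla's documentation of the pref, not from this thread.

```python
import re

# Meaning of security.cert_pinning.enforcement_level:
# 0 = pinning disabled (SeaMonkey default per the thread),
# 1 = enforced (Firefox default per the thread),
# 2 = strict (label from Mozilla's pref documentation, not this thread).
LEVEL_MEANING = {0: "disabled", 1: "enforced", 2: "strict"}

# Matches both pref(...) lines (application defaults) and user_pref(...) lines.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"security\.cert_pinning\.enforcement_level"\s*,\s*(\d+)\s*\);'
)


def pinning_level(prefs_text, default=0):
    """Effective enforcement level from prefs.js/user.js text.

    The last assignment wins, as when the preference files are loaded.
    `default` models the application's built-in value when the pref is
    absent from the file (0 for SeaMonkey according to the thread).
    """
    level = default
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            level = int(m.group(1))
    return level


def audit(prefs_text, default=0):
    """Report the level, its meaning, whether pinning is enforced, and the
    user.js line that would turn enforcement on when it is not."""
    level = pinning_level(prefs_text, default)
    ok = level >= 1
    fix = None if ok else 'user_pref("security.cert_pinning.enforcement_level", 1);'
    return {"level": level, "meaning": LEVEL_MEANING.get(level, "unknown"),
            "ok": ok, "fix": fix}


# Constructed sample of a SeaMonkey prefs.js with the pref left at 0.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.cert_pinning.enforcement_level", 0);
'''

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
    print(audit("", default=0))  # pref absent: falls back to the application default
```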
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Certificate pinning in A. Kalla build 2.46

Post by therube »

rsx11m
Moderator
Posts: 14404
Joined: May 3rd, 2007, 7:40 am
Location: US

Re: Certificate pinning in A. Kalla build 2.46

Post by rsx11m »

I've filed bug 1305902 to keep this on the radar.