MozillaZine

Certificate pinning in A. Kalla build 2.46

Discussion about Seamonkey builds
Sportsfan
 
Posts: 8
Joined: March 12th, 2015, 12:22 pm

Post Posted September 23rd, 2016, 10:57 am

The latest A. Kalla build (2.46) for 32-bit Windows does not pass the certificate pinning test at https://pinning-test.badssl.com/. Firefox 49.0 does pass (site blocked with warning), but Firefox 48 did not pass. Does this mean the recently disclosed Firefox certificate pinning flaw (article here) is not fixed in this SM build?

barbaz
 
Posts: 1650
Joined: October 1st, 2014, 3:25 pm

Post Posted September 23rd, 2016, 11:08 am

What is the value of about:config > security.cert_pinning.enforcement_level ?
*Always* check the changelogs BEFORE updating that important software!

therube

 
Posts: 17419
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted September 23rd, 2016, 1:23 pm

What should happen when you go to that site?
Should it fail to load with a "Secure Connection Failed", "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE" message?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

frg
 
Posts: 382
Joined: December 15th, 2015, 1:20 pm

Post Posted September 23rd, 2016, 2:27 pm

0 in SeaMonkey. 1 in Firefox. If you set it to 1, SeaMonkey behaves like Firefox, so it is fixed, but the default might need an additional adjustment.
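
A small checker for the pref discussed above, added here as an example and not code from the thread or from SeaMonkey: it reads `security.cert_pinning.enforcement_level` out of a profile's prefs.js/user.js text, falls back to the application default when the pref is absent (0 for this SeaMonkey build, 1 for Firefox, as stated in the thread), and emits the user.js line that switches enforcement on. The prefs.js fragment is constructed, and the function names are my own.

```python
import re
from typing import Optional

PREF = "security.cert_pinning.enforcement_level"

# Constructed prefs.js fragment resembling a SeaMonkey 2.46 profile (not a real profile).
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.cert_pinning.enforcement_level", 0);
user_pref("security.tls.version.min", 1);
"""

# Meaning of the enforcement levels that come up in the thread.
LEVELS = {
    0: "disabled: pinned hosts accept any trusted chain, so the pinning test site loads",
    1: "enforced for built-in roots; chains ending in a user-added root are still accepted (Firefox default)",
    2: "strict: enforced for every root, user-added ones included",
}

# Matches one pref("...", value); or user_pref("...", value); line.
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$', re.MULTILINE)


def read_pref(prefs_text: str, name: str) -> Optional[str]:
    """Return the raw value of `name`, or None if it is not set. The last assignment wins."""
    value = None
    for m in _PREF_RE.finditer(prefs_text):
        if m.group(1) == name:
            value = m.group(2)
    return value


def pinning_level(prefs_text: str, app_default: int) -> int:
    """Effective level: the explicit pref if present, otherwise the application's compiled-in default."""
    raw = read_pref(prefs_text, PREF)
    if raw is None:
        return app_default
    return int(raw)  # raises ValueError on a non-integer value, which would itself be worth flagging


def describe(level: int) -> str:
    return LEVELS.get(level, f"unknown level {level}")


def user_js_fix(level: int = 1) -> str:
    """user.js line that pins the setting so a prefs.js rewrite cannot drop it."""
    return f'user_pref("{PREF}", {level});'


if __name__ == "__main__":
    lvl = pinning_level(SAMPLE_PREFS_JS, app_default=0)
    print(f"{PREF} = {lvl}: {describe(lvl)}")
    if lvl == 0:
        print("add to user.js:", user_js_fix(1))
```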

Sportsfan
 
Posts: 8
Joined: March 12th, 2015, 12:22 pm

Post Posted September 23rd, 2016, 6:15 pm

The value was 0. When I set it to 1, the test site worked correctly.

Thanks to all for the info.

(Test site should show "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE")

rsx11m
Moderator
 
Posts: 14412
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted September 24th, 2016, 7:26 am

What exactly is that "pinning" doing? Apparently it's initialized with 0 by default on purpose per bug 1019259 and needs to be enabled explicitly by each application. A quick search with https://dxr.mozilla.org/comm-central/se ... rect=false shows that some applications are setting it to 1 (including Firefox, but it's 2 for b2g), which applies to instant messaging (im/) in comm-central only. I don't see anything set for either mail/ or suite/ (so, should it?).

Edit: Callek's post (comment #1) in that bug report gives some background, but there seems to be some legalese involved, whatever that SLA is. :-k

therube

 
Posts: 17419
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted September 26th, 2016, 9:18 am


rsx11m
Moderator
 
Posts: 14412
Joined: May 3rd, 2007, 7:40 am
Location: US

Post Posted September 28th, 2016, 7:25 pm

I've filed bug 1305902 to keep this on the radar.
