aus5 (the server the app updater checks) is still pinned: https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/StaticHPKPins.h#739
On Mon, Jan 4, 2016 at 12:54 PM, Robert Strong <[email protected]> wrote:

> On Mon, Jan 4, 2016 at 12:46 PM, Jesper Kristensen <[email protected]> wrote:
>
>> On 04-01-2016 at 19:45, Daniel Holbert wrote:
>>
>>> On 01/04/2016 10:33 AM, Josh Matthews wrote:
>>>
>>>> Wouldn't the SSL cert failures also prevent submitting the telemetry
>>>> payload to Mozilla's servers?
>>>
>>> Hmm... actually, I'll bet the cert errors will prevent Firefox updates,
>>> for that matter! (I'm assuming the update-check is performed over HTTPS.)
>>
>> If I remember correctly, update checks are pinned to a specific CA, so
>> updates for users with software that MITM AUS would already be broken?
>
> That was removed a while ago in favor of using mar signing as an exploit
> mitigation.

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

