aus5 (the server the app updater checks) is still pinned:
https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/StaticHPKPins.h#739

On Mon, Jan 4, 2016 at 12:54 PM, Robert Strong <rstr...@mozilla.com> wrote:
> On Mon, Jan 4, 2016 at 12:46 PM, Jesper Kristensen <
> moznewsgro...@something.to.remove.jesperkristensen.dk> wrote:
>
>> On 04-01-2016 at 19:45, Daniel Holbert wrote:
>>
>>> On 01/04/2016 10:33 AM, Josh Matthews wrote:
>>>
>>>> Wouldn't the SSL cert failures also prevent submitting the telemetry
>>>> payload to Mozilla's servers?
>>>>
>>>
>>> Hmm... actually, I'll bet the cert errors will prevent Firefox updates,
>>> for that matter! (I'm assuming the update-check is performed over HTTPS.)
>>>
>>
>> If I remember correctly, update checks are pinned to a specific CA, so
>> updates for users with software that MITM AUS would already be broken?
>
> That was removed a while ago in favor of using mar signing as an exploit
> mitigation.
>
>
>
>>
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>>