I was under the impression (perhaps falsely) that the params for those entries made it so that aus4 and aus5 don't enforce pinning.
On Mon, Jan 4, 2016 at 1:08 PM, Dave Townsend <dtowns...@mozilla.com> wrote:
> aus5 (the server the app updater checks) is still pinned:
>
> https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/StaticHPKPins.h#739
>
> On Mon, Jan 4, 2016 at 12:54 PM, Robert Strong <rstr...@mozilla.com> wrote:
> > On Mon, Jan 4, 2016 at 12:46 PM, Jesper Kristensen <moznewsgro...@something.to.remove.jesperkristensen.dk> wrote:
> >
> > > On 04-01-2016 at 19:45, Daniel Holbert wrote:
> > >
> > > > On 01/04/2016 10:33 AM, Josh Matthews wrote:
> > > >
> > > > > Wouldn't the SSL cert failures also prevent submitting the telemetry
> > > > > payload to Mozilla's servers?
> > > >
> > > > Hmm... actually, I'll bet the cert errors will prevent Firefox updates,
> > > > for that matter! (I'm assuming the update-check is performed over HTTPS.)
> > >
> > > If I remember correctly, update checks are pinned to a specific CA, so
> > > updates for users with software that MITM AUS would already be broken?
> >
> > That was removed a while ago in favor of using mar signing as an exploit
> > mitigation.
> >
> > > _______________________________________________
> > > dev-platform mailing list
> > > dev-platform@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-platform
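The thread turns on two questions: whether the update-check hosts carry static key pins at all, and whether an entry's parameters make it report-only rather than enforced. The following is an added illustration of that decision logic; it is not code from this thread, from Firefox, or from StaticHPKPins.h. The hostnames, the SPKI byte strings, the pin entries and the three enforcement levels are all constructed or assumed for the example. A pin is the base64 SHA-256 of a key's SubjectPublicKeyInfo, a chain satisfies the pinset when any certificate in it carries a pinned key, and a test-mode entry only reports mismatches unless the enforcement level is raised.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real pins
# hash the actual DER bytes of a certificate's public key; these placeholders
# only exist so the example runs offline.
TRUSTED_ROOT_SPKI = b"constructed SPKI bytes for the update server's CA"
MITM_ROOT_SPKI = b"constructed SPKI bytes for an interception proxy's root"


def spki_pin(spki_der: bytes) -> str:
    """Return the pin for a key: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed pinset table keyed by host. Hostnames and entries are made up;
# they are not Mozilla's StaticHPKPins.h data. "test_mode" marks an entry
# whose mismatches are reported but not enforced at the default level.
PINSETS = {
    "aus5.example": {"test_mode": False, "pins": {spki_pin(TRUSTED_ROOT_SPKI)}},
    "aus4.example": {"test_mode": True, "pins": {spki_pin(TRUSTED_ROOT_SPKI)}},
}

# Assumed enforcement levels, modelled loosely on the enforcement-level
# preference Firefox exposes for certificate pinning (values assumed here):
#   0: pinning disabled entirely
#   1: enforce entries not marked test_mode
#   2: enforce every entry, test_mode included
ENFORCE_OFF, ENFORCE_STRICT_ONLY, ENFORCE_ALL = 0, 1, 2


def check_pins(host, chain_spkis, pinsets=PINSETS,
               enforcement_level=ENFORCE_STRICT_ONLY):
    """Decide whether an already-validated chain satisfies the host's pins.

    chain_spkis: SPKI DER bytes for every certificate in the verified chain.
    Returns (reason, accepted). Pinning is a check layered on top of normal
    chain validation; a chain that failed validation never reaches this point.
    """
    if enforcement_level == ENFORCE_OFF:
        return ("disabled", True)
    entry = pinsets.get(host)
    if entry is None:
        return ("no-pins", True)
    # One pinned key anywhere in the chain is enough (HPKP semantics).
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    if chain_pins & entry["pins"]:
        return ("match", True)
    if entry["test_mode"] and enforcement_level < ENFORCE_ALL:
        return ("mismatch-reported", True)  # logged or sent as telemetry only
    return ("mismatch-rejected", False)


if __name__ == "__main__":
    # A chain terminating in an interception proxy's root against each host.
    for host in ("aus5.example", "aus4.example"):
        print(host, check_pins(host, [MITM_ROOT_SPKI]))
```

The layering the thread describes is visible in the return value: the pin check only decides whether the TLS connection to the update server is accepted. Whether a downloaded update is genuine is a separate question answered by the MAR signature check, which still applies when a pin entry is in test mode or pinning is disabled, which is why a report-only pin entry on the update host is not by itself a hole in update integrity.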