On Mon, Jan 4, 2016 at 1:11 PM, Robert Strong <[email protected]> wrote:
> I was under the impression (perhaps falsely) that the params for those
> entries made it so that aus4 and aus5 don't enforce pinning.
> and the pinning hack I added years ago was removed.
>
> On Mon, Jan 4, 2016 at 1:08 PM, Dave Townsend <[email protected]> wrote:
>> aus5 (the server the app updater checks) is still pinned:
>>
>> https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/StaticHPKPins.h#739
>>
>> On Mon, Jan 4, 2016 at 12:54 PM, Robert Strong <[email protected]> wrote:
>> > On Mon, Jan 4, 2016 at 12:46 PM, Jesper Kristensen <[email protected]> wrote:
>> >
>> >> On 04-01-2016 at 19:45, Daniel Holbert wrote:
>> >>
>> >>> On 01/04/2016 10:33 AM, Josh Matthews wrote:
>> >>>
>> >>>> Wouldn't the SSL cert failures also prevent submitting the telemetry
>> >>>> payload to Mozilla's servers?
>> >>>
>> >>> Hmm... actually, I'll bet the cert errors will prevent Firefox updates,
>> >>> for that matter! (I'm assuming the update-check is performed over HTTPS.)
>> >>
>> >> If I remember correctly, update checks are pinned to a specific CA, so
>> >> updates for users with software that MITM AUS would already be broken?
>> >>
>> >> _______________________________________________
>> >> dev-platform mailing list
>> >> [email protected]
>> >> https://lists.mozilla.org/listinfo/dev-platform
>> >
>> > That was removed a while ago in favor of using mar signing as an exploit
>> > mitigation.
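The thread turns on what a static HPKP pin for a host like aus5 actually checks. As an added illustration (not code from Firefox, from StaticHPKPins.h, or from anyone in this thread), the Python below computes HPKP-style pins, base64(SHA-256(DER SubjectPublicKeyInfo)), from DER certificates with a small hand-written DER walker, and applies the chain-matching rule: the connection passes if any certificate in the presented chain, leaf or CA, has an SPKI hash in the pinset. The certificates are constructed skeletons built inline so the example runs offline; they carry no real keys or signatures, and the pinset is derived from the constructed root rather than from Mozilla's real pins. All function and constant names are this example's own.

```python
import base64
import hashlib


# --- Minimal DER helpers, written for this example (not a general ASN.1 library) ---

def der_encode(tag, payload):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(buf, pos=0):
    """Decode the TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split the body of a SEQUENCE into its (tag, full TLV bytes) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


# --- Pin computation and matching --------------------------------------------

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs_tlv = der_children(cert_body)[0]
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:      # explicit [0] version is OPTIONAL
        fields = fields[1:]
    return fields[5][1]                      # serial, sigalg, issuer, validity, subject, SPKI


def spki_pin(cert_der):
    """HPKP-style pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def chain_matches_pinset(chain_der, pinset):
    """A chain is accepted when ANY certificate in it has an SPKI hash in the pinset."""
    return any(spki_pin(cert) in pinset for cert in chain_der)


# --- Constructed sample certificates (no real keys or signatures) --------------

def _alg_id(oid_hex):
    return der_encode(0x30, der_encode(0x06, bytes.fromhex(oid_hex)) + der_encode(0x05, b""))


SHA256_WITH_RSA = _alg_id("2a864886f70d01010b")   # sha256WithRSAEncryption
RSA_ENCRYPTION = _alg_id("2a864886f70d010101")    # rsaEncryption


def make_spki(public_key_bits):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    return der_encode(0x30, RSA_ENCRYPTION + der_encode(0x03, b"\x00" + public_key_bits))


def make_fake_cert(spki, with_version=True):
    """Structurally valid certificate skeleton around the given SPKI (constructed)."""
    empty_name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"160104000000Z") + der_encode(0x17, b"170104000000Z"))
    tbs = b""
    if with_version:
        tbs += der_encode(0xA0, der_encode(0x02, b"\x02"))   # version v3
    tbs += der_encode(0x02, b"\x01")                          # serialNumber
    tbs += SHA256_WITH_RSA + empty_name + validity + empty_name + spki
    dummy_sig = der_encode(0x03, b"\x00" + b"\x00" * 32)      # placeholder signatureValue
    return der_encode(0x30, der_encode(0x30, tbs) + SHA256_WITH_RSA + dummy_sig)


LEAF_SPKI = make_spki(b"\x01" * 32)
ROOT_SPKI = make_spki(b"\x02" * 32)
LEAF_CERT = make_fake_cert(LEAF_SPKI)
ROOT_CERT = make_fake_cert(ROOT_SPKI, with_version=False)   # exercises the optional-version path
CHAIN = [LEAF_CERT, ROOT_CERT]
PINSET = {spki_pin(ROOT_CERT)}   # a static pinset typically pins a CA key, not the leaf

if __name__ == "__main__":
    print("leaf pin:", spki_pin(LEAF_CERT))
    print("root pin:", spki_pin(ROOT_CERT))
    print("chain accepted:", chain_matches_pinset(CHAIN, PINSET))
```

Because matching is "any certificate in the chain", pinning only the CA key (as the static pinset does for the constructed root here) lets the leaf certificate rotate freely, while a chain built by a locally installed interception CA fails the check because none of its SPKI hashes appear in the pinset; that is the failure mode the thread is worrying about for users behind TLS-intercepting software.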

