Issue 863877

Issue metadata

Status: Fixed
Closed: Sep 27
Type: Bug

Update static HPKP pins for Yahoo

Reported by j...@oath.com, Jul 16

Issue description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(This isn't really a security _issue_, but a change
request relating to security.  The ticket templates
didn't offer anything more appropriate seeming than
this category, however.)

I'd like to request a change to the HPKP pinsets for
Yahoo to exclude the old Symantec/Verisign roots and
add the GlobalSign roots.

You can verify the authenticity of this request by
emailing me at jans@yahoo-inc.com or jans@oath.com or
by reaching out to security@yahoo.com; this text is
signed by my PGP key 4C6D6D21 available at e.g.
http://pgp.mit.edu/pks/lookup?op=get&search=0x1F2EDA914C6D6D21

Below is a diff of the change to
transport_security_state_static.json:

diff --git a/net/http/transport_security_state_static.json b/net/http/transport_security_state_static.json
index f35ae0800709..5a6fec7bed2b 100644
- --- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -201,8 +201,12 @@
          "DigiCertGlobalRootG3",
          "DigiCertTrustedRootG4",
          "DigiCertEVRoot",
- -         "GlobalSignRootCA",
- -         "GlobalSignRootCA_R3",
+         "VeriSignClass2_G2",
+         "VeriSignClass2_G3",
+         "VeriSignClass3_G3",
+         "VeriSignClass3_G4",
+         "VeriSignClass3_G5",
+         "VeriSignUniversal",
          "YahooBackup1",
          "YahooBackup2"
       ],
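Review bot: the hunk runs the opposite way from the request in the description: the `-` lines drop "GlobalSignRootCA" and "GlobalSignRootCA_R3" and the `+` lines add the six VeriSign entries, so applying it would keep the Symantec/VeriSign roots and remove GlobalSign, and the header @@ -201,8 +201,12 @@ (eight lines becoming twelve) shows the same growth. The diff looks generated with old and new swapped; please regenerate it from a tree where the GlobalSign names are present and the VeriSign names are gone. Two smaller points: the `- ---` and `- -` prefixes are PGP clearsign dash-escaping rather than patch content, so whoever applies it needs the unescaped text (`gpg --decrypt` on the signed message outputs it); and VeriSignUniversal appears in the hunk while the description only speaks of the old Symantec/Verisign roots, so state explicitly whether that entry is in scope.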
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

Components: Internals>Network>DomainSecurityPolicy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Restrict-View-SecurityEmbargo Type-Bug
Owner: nhar...@chromium.org
Status: Assigned (was: Unconfirmed)
(leaving SecurityEmbargo label rather than making public because of personal contact details)

Thanks for your concern about the personal contact details.  This ticket can be made public, which would actually be helpful as it's referenced from the respective Mozilla ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1475299

(I had commented to this extent via email, but it seems that didn't make it back into the ticket here.)
Labels: -Restrict-View-SecurityEmbargo
Labels: Needs-Feedback
The diff mentioned here doesn't seem to match what's currently in the chromium repo. The yahoo pinset is currently the following:

    {
      "name": "yahoo",
      "static_spki_hashes": [
         "DigiCertAssuredIDRoot",
         "DigiCertGlobalRoot",
         "DigiCertGlobalRootG2",
         "DigiCertGlobalRootG3",
         "DigiCertTrustedRootG4",
         "DigiCertEVRoot",
         "VeriSignClass2_G2",
         "VeriSignClass2_G3",
         "VeriSignClass3_G3",
         "VeriSignClass3_G4",
         "VeriSignClass3_G5",
         "VeriSignUniversal",
         "YahooBackup1",
         "YahooBackup2"
      ],
      "report_uri": "http://csp.yahoo.com/beacon/csp?src=yahoocom-hpkp-report-only"
    },

Could you let me know if there's any action that needs to be taken here, or is this pinset correct?

We want to:

- add GlobalSignRootCA
- add GlobalSignRootCA_R3
- remove VeriSignClass2_G2
- remove VeriSignClass2_G3
- remove VeriSignClass3_G3
- remove VeriSignClass3_G4
- remove VeriSignClass3_G5

For the json, that would look like this:

--- current 2018-09-24 22:12:28.000000000 -0400
+++ new 2018-09-24 22:15:07.000000000 -0400
@@ -7,12 +7,8 @@
          "DigiCertGlobalRootG3",
          "DigiCertTrustedRootG4",
          "DigiCertEVRoot",
-         "VeriSignClass2_G2",
-         "VeriSignClass2_G3",
-         "VeriSignClass3_G3",
-         "VeriSignClass3_G4",
-         "VeriSignClass3_G5",
-         "VeriSignUniversal",
+         "GlobalSignRootCA",
+         "GlobalSignRootCA_R3",
          "YahooBackup1",
          "YahooBackup2"
       ],
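Review bot: the hunk removes "VeriSignUniversal" but the "We want to" list above stops at VeriSignClass3_G5, so the JSON and the bullet list disagree on scope; confirm that dropping the remaining VeriSign-named entry is intended before this lands, since the commit will be made from the JSON and not from the list. Minor: the file headers are `--- current` / `+++ new`, so the hunk cannot be applied with git apply against net/http/transport_security_state_static.json; either regenerate it against the real path or leave it to the owner's pending change.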
I have a pending change for this and sent an email to security@yahoo.com to confirm that it is correct.
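Worked example, added here and not part of the thread or of Chromium's own tooling: a small Python review script that parses both diffs posted above (undoing the PGP clearsign dash-escaping in the first one), compares the names each adds and removes with the "We want to" list, then applies the intended change to the quoted pinset and sanity-checks the result. The pinset list, the intent sets and both diffs are constructed copies of what is quoted in the thread (diff context abridged); KNOWN_PINS is a constructed stand-in for the pin names defined in Chromium's transport_security_state_static.pins, and the backup-pin check assumes the YahooBackupN naming used in this pinset.

```python
import re

# Stated intent ("We want to" list in the thread).
INTENT_ADD = {"GlobalSignRootCA", "GlobalSignRootCA_R3"}
INTENT_REMOVE = {"VeriSignClass2_G2", "VeriSignClass2_G3", "VeriSignClass3_G3",
                 "VeriSignClass3_G4", "VeriSignClass3_G5"}
# static_spki_hashes of the yahoo pinset as quoted by the owner (constructed copy).
CURRENT = ["DigiCertAssuredIDRoot", "DigiCertGlobalRoot", "DigiCertGlobalRootG2",
           "DigiCertGlobalRootG3", "DigiCertTrustedRootG4", "DigiCertEVRoot",
           "VeriSignClass2_G2", "VeriSignClass2_G3", "VeriSignClass3_G3",
           "VeriSignClass3_G4", "VeriSignClass3_G5", "VeriSignUniversal",
           "YahooBackup1", "YahooBackup2"]
KNOWN_PINS = set(CURRENT) | INTENT_ADD  # constructed stand-in for the .pins definitions

# First diff as posted inside the PGP clearsigned report (context abridged): every
# line that began with '-' was dash-escaped to '- -' (RFC 4880 section 7.1).
SIGNED_DIFF = """-----BEGIN PGP SIGNED MESSAGE-----
- --- a/net/http/transport_security_state_static.json
@@ -201,8 +201,12 @@
          "DigiCertEVRoot",
- -         "GlobalSignRootCA",
- -         "GlobalSignRootCA_R3",
+         "VeriSignClass2_G2",
+         "VeriSignClass2_G3",
+         "VeriSignClass3_G3",
+         "VeriSignClass3_G4",
+         "VeriSignClass3_G5",
+         "VeriSignUniversal",
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
# Second diff, posted unsigned, so there is nothing to unescape.
PLAIN_DIFF = """@@ -7,12 +7,8 @@
          "DigiCertEVRoot",
-         "VeriSignClass2_G2",
-         "VeriSignClass2_G3",
-         "VeriSignClass3_G3",
-         "VeriSignClass3_G4",
-         "VeriSignClass3_G5",
-         "VeriSignUniversal",
+         "GlobalSignRootCA",
+         "GlobalSignRootCA_R3",
"""
NAME_RE = re.compile(r'"([A-Za-z0-9_]+)"')

def parse_pin_diff(text):
    """(added, removed) pin names from a pinset diff. Dash-escaping is undone only
    for clearsigned text: a removed JSON line and its escaped form both begin
    with '- ', so stripping it blindly would turn real removals into context."""
    dash_escaped = "-----BEGIN PGP SIGNED MESSAGE-----" in text
    added, removed = set(), set()
    for line in text.split("-----BEGIN PGP SIGNATURE-----")[0].splitlines():
        if dash_escaped and line.startswith("- "):
            line = line[2:]
        m = NAME_RE.search(line)
        if m and line.startswith("+"):
            added.add(m.group(1))
        elif m and line.startswith("-"):
            removed.add(m.group(1))
    return added, removed

def compare_to_intent(added, removed, intent_add, intent_remove):
    """Findings a reviewer would raise where the diff disagrees with the intent."""
    findings = []
    if added & intent_remove or removed & intent_add:
        findings.append("diff direction looks reversed: adds %s, removes %s"
                        % (sorted(added & intent_remove), sorted(removed & intent_add)))
    findings += ["intent adds %s but diff does not" % n for n in sorted(intent_add - added)]
    findings += ["intent removes %s but diff does not" % n for n in sorted(intent_remove - removed)]
    findings += ["diff adds %s, not in intent" % n for n in sorted(added - intent_add - intent_remove)]
    findings += ["diff removes %s, not in intent" % n for n in sorted(removed - intent_add - intent_remove)]
    return findings

def apply_change(hashes, add, remove):
    """Apply add/remove keeping file order: new names go where the first removed
    entry stood, which is how the second diff and the landed commit lay them out."""
    first = min((hashes.index(n) for n in remove if n in hashes), default=len(hashes))
    kept = [h for h in hashes if h not in remove]
    at = sum(1 for h in hashes[:first] if h not in remove)
    return kept[:at] + [n for n in sorted(add) if n not in kept] + kept[at:]

def validate_pinset(hashes, known_pins):
    """Every name must be defined, no duplicates, and a backup pin must survive
    (the last check assumes the YahooBackupN naming used in this pinset)."""
    problems = ["undefined pin name %s" % h for h in hashes if h not in known_pins]
    if len(set(hashes)) != len(hashes):
        problems.append("duplicate entries")
    if not any("Backup" in h for h in hashes):
        problems.append("no backup pin retained")
    return problems

def review():
    """Check both diffs from the thread against the intent, then build the result."""
    out = {label: compare_to_intent(*parse_pin_diff(diff), INTENT_ADD, INTENT_REMOVE)
           for label, diff in (("signed", SIGNED_DIFF), ("plain", PLAIN_DIFF))}
    # VeriSignUniversal goes too, as the second diff and the landed commit do.
    out["pinset"] = apply_change(CURRENT, INTENT_ADD, INTENT_REMOVE | {"VeriSignUniversal"})
    out["problems"] = validate_pinset(out["pinset"], KNOWN_PINS)
    return out
```

On the first diff review() reports the reversed direction (the `-` lines drop GlobalSign, the `+` lines add VeriSign) ahead of the per-name findings; on the second it reports only that VeriSignUniversal is removed without being on the list, which is the one question a reviewer should ask before landing it. The dash-escaping is undone only when the text carries the clearsign header: a removal line in a plain diff also begins with '- ', so unescaping unconditionally would silently turn real removals into context lines.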
Project Member

Comment 7 by bugdroid1@chromium.org, Sep 27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5ac26f721f95d3d15fddee8865436af88a3d813b

commit 5ac26f721f95d3d15fddee8865436af88a3d813b
Author: Nick Harper <nharper@chromium.org>
Date: Thu Sep 27 02:34:50 2018

Update static Yahoo PKP pins

Bug:  863877 
Change-Id: I15547be6d4ab6367ca5c84f6b7e0b70f7bb70734
Reviewed-on: https://chromium-review.googlesource.com/1244576
Reviewed-by: Bence Béky <bnc@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#594570}
[modify] https://crrev.com/5ac26f721f95d3d15fddee8865436af88a3d813b/net/http/transport_security_state_static.json

Status: Fixed (was: Assigned)
Thanks!
