mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
gecko-dev/security/manager/tools/PreloadedHPKPins.json

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

243 строки
14 KiB
JSON
Исходник Обычный вид История

Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// The top-level element is a dictionary with two keys: "pinsets" maps details
// of certificate pinning to a name and "entries" contains the HPKP details for
// each host.
//
// "pinsets" is a list of objects. Each object has the following members:
// name: (string) the name of the pinset
Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)
2014-06-07 00:44:59 +04:00
// sha256_hashes: (list of strings) the set of allowed SPKIs hashes
Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
//
Bug 998057: Add test pinset to the pin generator (r=cviecco) --HG-- rename : security/manager/ssl/tests/unit/tlsserver/default-ee.der => security/manager/boot/src/default-ee.der
2014-05-01 02:30:44 +04:00
// For a given pinset, a certificate is accepted if at least one of the
Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)
2014-06-07 00:44:59 +04:00
// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
// as names, which must match up with the name given in the Mozilla root store.
Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
//
// "entries" is a list of objects. Each object has the following members:
// name: (string) the DNS name of the host in question
// include_subdomains: (optional bool) whether subdomains of |name| are also covered
// pins: (string) the |name| member of an object in |pinsets|
bug 1004781 - follow-up to add "DigiCert ECC Secure Server CA" to Facebook's pinset r=mmc
2014-09-08 20:33:03 +04:00
//
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
// "extra_certificates" is a list of base64-encoded certificates. These are used in
bug 1004781 - follow-up to add "DigiCert ECC Secure Server CA" to Facebook's pinset r=mmc
2014-09-08 20:33:03 +04:00
// pinsets that reference certificates not in our root program (for example,
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
// Facebook or intermediate CA certs).
Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
{
Bug 1009635 - PreloadedHPKP.json should also contain production/exclusion lists. r=keeler --HG-- extra : rebase_source : 46c13e490358f26b21191d6d783d795897ceea63
2014-05-15 19:04:54 +04:00
"chromium_data" : {
Bug 1280331 - Update HPKP preload script URL to deal with renaming of transport_security_state_static.certs. r=keeler https://chromium.googlesource.com/chromium/src/net/+/4361f2ad66b6af0a8acfb42f34b95bfbcad3926a renamed transport_security_state_static.certs to transport_security_state_static.pins, so the URL needs to be updated to avoid a 404. MozReview-Commit-ID: 1FmYdi0mMcI --HG-- extra : rebase_source : 25ebf2290cab6ee12f98bc65972b696c45d506d0
2016-06-22 02:11:57 +03:00
"cert_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.pins?format=TEXT",
bug 1083085 - update where getHSTSPreloadList.js and genHPKPStaticPins.js think Chromium's lists are r=mmc DONTBUILD NPOTB
2014-10-22 02:20:02 +04:00
"json_file_url": "https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json?format=TEXT",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"substitute_pinsets": {
// Use the larger google_root_pems pinset instead of google
"google": "google_root_pems"
},
Bug 1004352: Enable pinning for Google in production mode (r=keeler)
2014-06-12 02:32:37 +04:00
"production_pinsets": [
Bug 1004781: Enable pinning for facebook in production mode (r=keeler)
2014-12-12 20:10:53 +03:00
"google_root_pems",
bug 1356499 - put NCSCCS pins into production mode r=mgoodwin As requested by James Burton<jb@0.me.uk> and vouched for (via email) by Lucas Garron <lgarron@google.com>. MozReview-Commit-ID: HD9laXzJpRg --HG-- extra : rebase_source : 7c632c6772509a3c4c03cf971ee0f62ad5225275
2017-04-26 00:33:07 +03:00
"facebook",
"ncsccs"
Bug 1004352: Enable pinning for Google in production mode (r=keeler)
2014-06-12 02:32:37 +04:00
],
Bug 1009635 - PreloadedHPKP.json should also contain production/exclusion lists. r=keeler --HG-- extra : rebase_source : 46c13e490358f26b21191d6d783d795897ceea63
2014-05-15 19:04:54 +04:00
"production_domains": [
bug 1218515 - flip pinning-test.badssl.com into production mode r=jcj DONTBUILD NPOTB pinning-test.badssl.com is a test domain for preloaded HPKP (HTTP Public Key Pinning - see RFC 7469). By specifying a pinset corresponding to no known keys, this domain should fail with a key pinning error by default. Also, the includeSubdomains option is set, so any subdomains should fail as well. Since Gecko incorporates preloaded pinsets from Chromium, this pinset is already defined. This patch merely switches it from test mode to production mode (well, to be more accurate, this patch sets up the input for the automated script that will make the code change that will put the pinset into production mode).
2015-10-27 00:39:25 +03:00
// Chrome's test domains.
Bug 1004351: Enable production mode for twitter pins (r=keeler)
2014-05-23 02:11:07 +04:00
"pinningtest.appspot.com",
bug 1218515 - flip pinning-test.badssl.com into production mode r=jcj DONTBUILD NPOTB pinning-test.badssl.com is a test domain for preloaded HPKP (HTTP Public Key Pinning - see RFC 7469). By specifying a pinset corresponding to no known keys, this domain should fail with a key pinning error by default. Also, the includeSubdomains option is set, so any subdomains should fail as well. Since Gecko incorporates preloaded pinsets from Chromium, this pinset is already defined. This patch merely switches it from test mode to production mode (well, to be more accurate, this patch sets up the input for the automated script that will make the code change that will put the pinset into production mode).
2015-10-27 00:39:25 +03:00
"pinning-test.badssl.com",
Bug 1047560: Enable pinning on dropbox (r=keeler)
2014-08-02 00:12:38 +04:00
// Dropbox
"dropbox.com",
"www.dropbox.com",
Bug 1004351: Enable production mode for twitter pins (r=keeler)
2014-05-23 02:11:07 +04:00
// Twitter
"api.twitter.com",
"business.twitter.com",
"dev.twitter.com",
"mobile.twitter.com",
"oauth.twitter.com",
"platform.twitter.com",
"twimg.com",
Bug 1004353 - Enable pinning for TOR websites. r=mmc --HG-- extra : rebase_source : d880368dd9eaaafcde353ce187438ae074994bfa
2014-07-23 01:28:52 +04:00
"www.twitter.com",
// Tor
"torproject.org",
"blog.torproject.org",
"check.torproject.org",
"dist.torproject.org",
Bug 1098288: Enable pinning on spideroak (r=keeler)
2014-11-14 22:17:40 +03:00
"www.torproject.org",
// SpiderOak
"spideroak.com"
Bug 1027133: Enable test mode for *.twitter.com (r=keeler)
2014-06-19 00:23:13 +04:00
],
"exclude_domains" : [
// Chrome's entry for twitter.com doesn't include subdomains, so replace
// it with our own entry below which also uses an expanded pinset.
"twitter.com"
Bug 1009635 - PreloadedHPKP.json should also contain production/exclusion lists. r=keeler --HG-- extra : rebase_source : 46c13e490358f26b21191d6d783d795897ceea63
2014-05-15 19:04:54 +04:00
]
},
Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
"pinsets": [
{
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
"name": "mozilla_services",
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
"sha256_hashes": [
"DigiCert Global Root CA",
"DigiCert High Assurance EV Root CA",
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
// Backup intermediates with Let's Encrypt are not normally
// in use and require disabling Mozilla's sites blacklisting
"Let's Encrypt Authority X3",
"Let's Encrypt Authority X4"
Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)
2014-06-07 00:44:59 +04:00
]
},
Bug 998057: Add tests for certificate pinning (r=cviecco,dkeeler)
2014-05-01 07:11:35 +04:00
// For pinning tests on pinning.example.com, the certificate must be 'End
// Entity Test Cert'
Bug 998057: Add test pinset to the pin generator (r=cviecco) --HG-- rename : security/manager/ssl/tests/unit/tlsserver/default-ee.der => security/manager/boot/src/default-ee.der
2014-05-01 02:30:44 +04:00
{
"name": "mozilla_test",
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
"sha256_hashes": [
Bug 998057: Add test pinset to the pin generator (r=cviecco) --HG-- rename : security/manager/ssl/tests/unit/tlsserver/default-ee.der => security/manager/boot/src/default-ee.der
2014-05-01 02:30:44 +04:00
"End Entity Test Cert"
]
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
},
// Google's root PEMs. Chrome pins only to their intermediate certs, but
// they'd like us to be more liberal. For the initial list, we are using
// the certs from http://pki.google.com/roots.pem.
Bug 1035923: Remove deprecated certs from google_root_pems (r=keeler)
2014-07-09 03:01:29 +04:00
// We have no built-in for commented out CAs.
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// This list should be updated via the dumpGoogleRoots.js script.
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
{
"name": "google_root_pems",
"sha256_hashes": [
"AddTrust External Root",
"AddTrust Low-Value Services Root",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "AddTrust Public CA Root",
// "AddTrust Qualified CA Root",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"AffirmTrust Commercial",
"AffirmTrust Networking",
"AffirmTrust Premium",
"AffirmTrust Premium ECC",
"Baltimore CyberTrust Root",
"Comodo AAA Services root",
"COMODO Certification Authority",
"COMODO ECC Certification Authority",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"COMODO RSA Certification Authority",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"Cybertrust Global Root",
"DigiCert Assured ID Root CA",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"DigiCert Assured ID Root G2",
"DigiCert Assured ID Root G3",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"DigiCert Global Root CA",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"DigiCert Global Root G2",
"DigiCert Global Root G3",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"DigiCert High Assurance EV Root CA",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"DigiCert Trusted Root G4",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"Entrust Root Certification Authority",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"Entrust Root Certification Authority - EC1",
"Entrust Root Certification Authority - G2",
"Entrust.net Premium 2048 Secure Server CA",
bug 1300305 - update preloaded HPKP information to deal with "Equifax Secure CA" removal DONTBUILD NPOTB r=Cykesiopka The root with the nickname "Equifax Secure CA" was removed from NSS in bug 1296689 (confusingly, "Equifax Secure CA" doesn't appear in the subject DN of that certificate, which is "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"). This removes the dependency on that root as well as fixes dumpGoogleRoots.js to automatically handle this sort of thing in the future. MozReview-Commit-ID: KIEPBnliufX --HG-- extra : rebase_source : 819b0168e28d73c66f2e23d19f513cce214bcc78
2016-09-06 20:45:48 +03:00
// "Equifax Secure Certificate Authority",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"GeoTrust Global CA",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "GeoTrust Global CA 2",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"GeoTrust Primary Certification Authority",
"GeoTrust Primary Certification Authority - G2",
"GeoTrust Primary Certification Authority - G3",
"GeoTrust Universal CA",
"GeoTrust Universal CA 2",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "GlobalSign",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"GlobalSign ECC Root CA - R4",
"GlobalSign ECC Root CA - R5",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"GlobalSign Root CA",
"GlobalSign Root CA - R2",
"GlobalSign Root CA - R3",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "GlobalSign Root CA - R8",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"Go Daddy Class 2 CA",
"Go Daddy Root Certificate Authority - G2",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "GTS Root R1",
// "GTS Root R2",
// "GTS Root R3",
// "GTS Root R4",
// "Secure Certificate Services",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"Starfield Class 2 CA",
"Starfield Root Certificate Authority - G2",
"thawte Primary Root CA",
"thawte Primary Root CA - G2",
"thawte Primary Root CA - G3",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "Trusted Certificate Services",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"USERTrust ECC Certification Authority",
"USERTrust RSA Certification Authority",
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// "UTN-USERFirst-Hardware",
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
"Verisign Class 3 Public Primary Certification Authority - G3",
"VeriSign Class 3 Public Primary Certification Authority - G4",
"VeriSign Class 3 Public Primary Certification Authority - G5",
bug 1232766 - update the preloaded pinset for Google domains r=rbarnes Also includes a script for making this process faster in the future.
2015-12-28 23:30:14 +03:00
"VeriSign Universal Root Certification Authority"
Bug 1014344: Use Google's root pems in addition to their intermediate certs (r=keeler)
2014-05-23 02:09:45 +04:00
]
Bug 998057: Add tests for certificate pinning (r=cviecco,dkeeler)
2014-05-01 07:11:35 +04:00
}
Bug 1387853 - Update Google roots in PreloadedHPKPins.json to fix periodic Static HPKP updates. r=keeler Some entries in the existing list referred to roots that were removed from in upstream NSS in Bug 1380941 (the equivalent change landed in Firefox's copy of NSS in Bug 1370890). This broke the periodic HPKP script because it would still try to find the roots within our built-in roots. Running dumpGoogleRoots.js and pasting the output into the appropriate section of PreloadedHPKPins.json fixes this. MozReview-Commit-ID: Ck6WobCk9gl --HG-- extra : rebase_source : 676e39c7e447f8e2db2cdb52bacaa57d20088a46
2017-08-08 02:38:23 +03:00
// The list above should be updated via the dumpGoogleRoots.js script.
Bug 998057: Add tests for certificate pinning (r=cviecco,dkeeler)
2014-05-01 07:11:35 +04:00
],
Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
"entries": [
Bug 1007844: Implement per-host telemetry for pin violations for AMO and aus4 (r=keeler)
2014-05-16 03:56:51 +04:00
// Only domains that are operationally crucial to Firefox can have per-host
// telemetry reporting (the "id") field
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "addons.mozilla.org", "include_subdomains": true,
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
"pins": "mozilla_services", "test_mode": false, "id": 1 },
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "addons.mozilla.net", "include_subdomains": true,
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
"pins": "mozilla_services", "test_mode": false, "id": 2 },
// AUS servers MUST remain in test mode
// see: https://bugzilla.mozilla.org/show_bug.cgi?id=1301956#c23
Bug 1007844: Implement per-host telemetry for pin violations for AMO and aus4 (r=keeler)
2014-05-16 03:56:51 +04:00
{ "name": "aus4.mozilla.org", "include_subdomains": true,
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
"pins": "mozilla_services", "test_mode": true, "id": 3 },
{ "name": "aus5.mozilla.org", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": true, "id": 7 },
Bug 1494431 - Pin *.firefox.com to mozilla services whitelisted roots r=keeler,jcj Put the entire *.firefox.com domain in the list of sites covered by the mozilla services whitelisted roots, which currently include Digicert and Let's Encrypt. Differential Revision: https://phabricator.services.mozilla.com/D7219 --HG-- extra : moz-landing-system : lando
2018-09-29 02:37:51 +03:00
// Catchall for applications hosted under firefox.com
// see https://bugzilla.mozilla.org/show_bug.cgi?id=1494431
{ "name": "firefox.com", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": true, "id": 15 },
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
// Firefox Accounts & sync
Bug 1494431 - Pin *.firefox.com to mozilla services whitelisted roots r=keeler,jcj Put the entire *.firefox.com domain in the list of sites covered by the mozilla services whitelisted roots, which currently include Digicert and Let's Encrypt. Differential Revision: https://phabricator.services.mozilla.com/D7219 --HG-- extra : moz-landing-system : lando
2018-09-29 02:37:51 +03:00
// superseded by catchall for firefox.com, but leaving for tracking
Bug 1020485: Enable pinning in test mode for accounts.firefox.com (r=keeler)
2014-06-07 00:44:59 +04:00
{ "name": "accounts.firefox.com", "include_subdomains": true,
Bug 1030135: Enable pinning on services.mozilla.com in test mode (r=keeler)
2014-09-05 23:04:26 +04:00
"pins": "mozilla_services", "test_mode": false, "id": 4 },
Bug 1033872: Split off api.accounts.firefox.com into a separate pinset (r=keeler)
2014-07-04 03:41:57 +04:00
{ "name": "api.accounts.firefox.com", "include_subdomains": true,
Bug 1030135: Enable pinning on services.mozilla.com in test mode (r=keeler)
2014-09-05 23:04:26 +04:00
"pins": "mozilla_services", "test_mode": false, "id": 5 },
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
{ "name": "sync.services.mozilla.com", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": false, "id": 13 },
// Catch-all for all CDN resources, including product delivery
bug 1521983 - remove some unused certificate pinning telemetry probes r=jcj,ulfr Differential Revision: https://phabricator.services.mozilla.com/D19731 --HG-- extra : moz-landing-system : lando
2019-03-04 23:30:47 +03:00
// Telemetry IDs added in bug 1521983.
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "cdn.mozilla.net", "include_subdomains": true,
bug 1521983 - remove some unused certificate pinning telemetry probes r=jcj,ulfr Differential Revision: https://phabricator.services.mozilla.com/D19731 --HG-- extra : moz-landing-system : lando
2019-03-04 23:30:47 +03:00
"pins": "mozilla_services", "test_mode": false, "id": 16 },
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "cdn.mozilla.org", "include_subdomains": true,
bug 1521983 - remove some unused certificate pinning telemetry probes r=jcj,ulfr Differential Revision: https://phabricator.services.mozilla.com/D19731 --HG-- extra : moz-landing-system : lando
2019-03-04 23:30:47 +03:00
"pins": "mozilla_services", "test_mode": false, "id": 17 },
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
{ "name": "download.mozilla.org", "include_subdomains": false,
"pins": "mozilla_services", "test_mode": false, "id": 14 },
// Catch-all for everything hosted under services.mozilla.com
Bug 1030135: Enable pinning on services.mozilla.com in test mode (r=keeler)
2014-09-05 23:04:26 +04:00
{ "name": "services.mozilla.com", "include_subdomains": true,
Bug 1030135: Promote pin for services.mozilla.com to production mode (r=keeler)
2014-11-07 23:00:50 +03:00
"pins": "mozilla_services", "test_mode": false, "id": 6 },
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
// Catch-all for everything hosted under telemetry.mozilla.org
// MUST remain in test mode in order to receive telemetry on broken pins
{ "name": "telemetry.mozilla.org", "include_subdomains": true,
"pins": "mozilla_services", "test_mode": true, "id": 8 },
// Test Pilot
Bug 1494431 - Pin *.firefox.com to mozilla services whitelisted roots r=keeler,jcj Put the entire *.firefox.com domain in the list of sites covered by the mozilla services whitelisted roots, which currently include Digicert and Let's Encrypt. Differential Revision: https://phabricator.services.mozilla.com/D7219 --HG-- extra : moz-landing-system : lando
2018-09-29 02:37:51 +03:00
// superseded by catchall for firefox.com, but leaving for tracking
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
{ "name": "testpilot.firefox.com", "include_subdomains": false,
"pins": "mozilla_services", "test_mode": false, "id": 9 },
// Crash report sites
{ "name": "crash-reports.mozilla.com", "include_subdomains": false,
"pins": "mozilla_services", "test_mode": false, "id": 10 },
{ "name": "crash-reports-xpsp2.mozilla.com", "include_subdomains": false,
"pins": "mozilla_services", "test_mode": false, "id": 11 },
Bug 618185 - Switch the default URL for sending crash reports to the *.mozilla.org domain r=ted Differential Revision: https://phabricator.services.mozilla.com/D14003 --HG-- extra : moz-landing-system : lando
2018-12-13 22:17:54 +03:00
{ "name": "crash-stats.mozilla.org", "include_subdomains": false,
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
"pins": "mozilla_services", "test_mode": false, "id": 12 },
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "include-subdomains.pinning.example.com",
"include_subdomains": true, "pins": "mozilla_test",
"test_mode": false },
Bug 1007844: Implement per-host telemetry for pin violations for AMO and aus4 (r=keeler)
2014-05-16 03:56:51 +04:00
// Example domain to collect per-host stats for telemetry tests.
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "exclude-subdomains.pinning.example.com",
"include_subdomains": false, "pins": "mozilla_test",
bug 1521983 - remove some unused certificate pinning telemetry probes r=jcj,ulfr Differential Revision: https://phabricator.services.mozilla.com/D19731 --HG-- extra : moz-landing-system : lando
2019-03-04 23:30:47 +03:00
"test_mode": false },
Bug 772756: Implement sha1 support, import Chrome's pinsets wholesale, add test mode (r=cviecco,keeler)
2014-05-09 04:18:50 +04:00
{ "name": "test-mode.pinning.example.com", "include_subdomains": true,
Bug 1027133: Enable test mode for *.twitter.com (r=keeler)
2014-06-19 00:23:13 +04:00
"pins": "mozilla_test", "test_mode": true },
// Expand twitter's pinset to include all of *.twitter.com and use
// twitterCDN. More specific rules take precedence because we search for
// exact domain name first.
{ "name": "twitter.com", "include_subdomains": true,
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
"pins": "twitterCDN", "test_mode": false }
bug 1004781 - follow-up to add "DigiCert ECC Secure Server CA" to Facebook's pinset r=mmc
2014-09-08 20:33:03 +04:00
],
bug 1301956 - add more Mozilla resources to preloaded pins r=keeler,rbarnes DONTBUILD NPOTB Also trims the pinset for said Mozilla resources to just DigiCert and Let's Encrypt (as a backup).
2016-11-30 00:15:32 +03:00
// When pinning to non-root certs, like intermediates,
// place the PEM of the pinned certificate in this array
// so Firefox can find the subject DN and public key
"extra_certificates": [
// Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
// Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
"MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrXNSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHlNpi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7DcGu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgzuEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGxA/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRMUM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOuOsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vwp7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKRPB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5brUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt",
// Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4
// Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
"MIIFjTCCA3WgAwIBAgIRAJObmZ6kjhYNW0JZtD0gE9owDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0NDM0WhcNMjExMDA2MTU0NDM0WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhJHRCe7eRMdlz/ziq2M5EXLc5CtxErg29RbmXN2evvVBPX9MQVGv3QdqOY+ZtW8DoQKmMQfzRA4n/YmEJYNYHBXiakL0aZD5P3M93L4lry2evQU3FjQDAa/6NhNy18pUxqOj2kKBDSpN0XLM+Q2lLiSJHdFE+mWTDzSQB+YQvKHcXIqfdw2wITGYvN3TFb5OOsEY3FmHRUJjIsA9PWFN8rPbaLZZhUK1D3AqmT561Urmcju9O30azMdwg/GnCoyB1Puw4GzZOZmbS3/VmpJMve6YOlD5gPUpLHG+6tE0cPJFYbi9NxNpw2+0BOXbASefpNbUUBpDB5ZLiEP1rubSFAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBTFsatOTLHNZDCTfsGEmQWr5gPiJTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBAF4tI1yGjZgld9lP01+zftU3aSV0un0d2GKUMO7GxvwTLWAKQz/eT+u3J4+GvpD+BMfopIxkJcDCzMChjjZtZZwJpIY7BatVrO6OkEmaRNITtbZ/hCwNkUnbk3C7EG3OGJZlo9b2wzA8v9WBsPzHpTvLfOr+dS57LLPZBhp3ArHaLbdk33lIONRPt9sseDEkmdHnVmGmBRf4+J0Wy67mddOvz5rHH8uzY94raOayf20gzzcmqmot4hPXtDG4Y49MoFMMT2kcWck3EOTAH6QiGWkGJ7cxMfSL3S0niA6wgFJtfETETOZu8AVDgENgCJ3DS0bz/dhVKvs3WRkaKuuR/W0nnC2VDdaFj4+CRF8LGtn/8ERaH48TktH5BDyDVcF9zfJ75Scxcy23jAL2N6w3n/t3nnqoXt9Im4FprDr+mP1g2Z6Lf2YA0jE3kZalgZ6lNHu4CmvJYoOTSJw9X2qlGl1K+B4U327rG1tRxgjM76pN6lIS02PMECoyKJigpOSBu4V8+LVaUMezCJH9Qf4EKeZTHddQ1t96zvNd2s9ewSKx/DblXbKsBDzIdHJ+qi6+F9DIVM5/ICdtDdulOO+dr/BXB+pBZ3uVxjRANvJKKpdxkePyluITSNZHbanWRN07gMvwBWOL060i4VrL9er1sBQrRjU9iNpZQGTnLVAxQVFu"
]
Bug 744204 - Allow Key pining part 1 - Built-in Pinning Service. r=keeler
2013-06-20 21:35:43 +04:00
}