Bug 1906712 - remove Tor sites from pinning preload list at their request r=djackson

Differential Revision: https://phabricator.services.mozilla.com/D215944
2024-07-08 21:20:42 +00:00 · 2024-07-08 21:20:42 +00:00 · 8723b011da
--- a/security/manager/ssl/StaticHPKPins.h
+++ b/security/manager/ssl/StaticHPKPins.h
@ -391,7 +391,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
  { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
-  { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
+  { "blog.torproject.org", true, true, false, -1, &kPinset_tor },
  { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
  { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
@ -401,7 +401,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "cdn.ampproject.org", true, false, false, -1, &kPinset_google_root_pems },
  { "cdn.mozilla.net", true, false, true, 16, &kPinset_mozilla_services },
  { "cdn.mozilla.org", true, false, true, 17, &kPinset_mozilla_services },
-  { "check.torproject.org", true, false, false, -1, &kPinset_tor },
+  { "check.torproject.org", true, true, false, -1, &kPinset_tor },
  { "checkout.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "chrome-devtools-frontend.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "chrome.com", true, false, false, -1, &kPinset_google_root_pems },
@ -426,7 +426,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
  { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
-  { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
+  { "dist.torproject.org", true, true, false, -1, &kPinset_tor },
  { "dl.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "dns.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "docs.google.com", true, false, false, -1, &kPinset_google_root_pems },
@ -736,7 +736,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "telemetry.mozilla.org", true, true, true, 8, &kPinset_mozilla_services },
  { "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test },
  { "testpilot.firefox.com", false, false, true, 9, &kPinset_mozilla_services },
-  { "torproject.org", false, false, false, -1, &kPinset_tor },
+  { "torproject.org", false, true, false, -1, &kPinset_tor },
  { "touch.facebook.com", true, false, false, -1, &kPinset_facebook },
  { "translate.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
  { "tunnel-staging.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
@ -767,7 +767,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
  { "www.googlegroups.com", true, false, false, -1, &kPinset_google_root_pems },
  { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
  { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
-  { "www.torproject.org", true, false, false, -1, &kPinset_tor },
+  { "www.torproject.org", true, true, false, -1, &kPinset_tor },
  { "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
  { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
  { "youtu.be", true, false, false, -1, &kPinset_google_root_pems },
--- a/security/manager/tools/PreloadedHPKPins.json
+++ b/security/manager/tools/PreloadedHPKPins.json
@ -41,12 +41,6 @@
      // Chrome's test domains.
      "pinningtest.appspot.com",
      "pinning-test.badssl.com",
-      // Tor
-      "torproject.org",
-      "blog.torproject.org",
-      "check.torproject.org",
-      "dist.torproject.org",
-      "www.torproject.org",
      // SpiderOak
      "spideroak.com"
    ],
--- a/taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js
+++ b/taskcluster/docker/periodic-updates/scripts/genHPKPStaticPins.js
@ -5,9 +5,9 @@
 // How to run this file:
 // 1. [obtain firefox source code]
 // 2. [build/obtain firefox binaries]
-// 3. run `[path to]/fireffox -xpcshell [path to]/genHPKPStaticpins.js \
-//                                      [absolute path to]/PreloadedHPKPins.json \
-//                                      [absolute path to]/StaticHPKPins.h
+// 3. run `[path to]/firefox -xpcshell [path to]/genHPKPStaticpins.js \
+//                                     [absolute path to]/PreloadedHPKPins.json \
+//                                     [absolute path to]/StaticHPKPins.h
 "use strict";

 if (arguments.length != 2) {
@ -18,6 +18,8 @@ if (arguments.length != 2) {
  );
 }

+Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+
 var { NetUtil } = ChromeUtils.importESModule(
  "resource://gre/modules/NetUtil.sys.mjs"
 );