diff --git a/security/manager/boot/src/PublicKeyPinningService.cpp b/security/manager/boot/src/PublicKeyPinningService.cpp index db006fb512f0..f05e0cca9fdd 100644 --- a/security/manager/boot/src/PublicKeyPinningService.cpp +++ b/security/manager/boot/src/PublicKeyPinningService.cpp @@ -201,7 +201,17 @@ CheckPinsForHostname(const CERTCertList *certList, const char *hostname, : Telemetry::CERT_PINNING_TEST_RESULTS; retval = true; } - Telemetry::Accumulate(histogram, result ? 1 : 0); + // We can collect per-host pinning violations for this host because it is + // operationally critical to Firefox. + if (foundEntry->mId != kUnknownId) { + int32_t bucket = foundEntry->mId * 2 + (result ? 1 : 0); + histogram = foundEntry->mTestMode + ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST + : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST; + Telemetry::Accumulate(histogram, bucket); + } else { + Telemetry::Accumulate(histogram, result ? 1 : 0); + } PR_LOG(gPublicKeyPinningLog, PR_LOG_DEBUG, ("pkpin: Pin check %s for %s host '%s' (mode=%s)\n", result ? "passed" : "failed", diff --git a/security/manager/boot/src/StaticHPKPins.h b/security/manager/boot/src/StaticHPKPins.h index 9b563a9dd439..cdb62b0e900c 100644 --- a/security/manager/boot/src/StaticHPKPins.h +++ b/security/manager/boot/src/StaticHPKPins.h @@ -460,319 +460,323 @@ struct TransportSecurityPreload { const bool mIncludeSubdomains; const bool mTestMode; const bool mIsMoz; + const int32_t mId; const StaticPinset *pinset; }; /* Sort hostnames for binary search. */ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = { - { "accounts.google.com", true, true, false, &kPinset_google }, - { "addons.mozilla.net", true, true, true, &kPinset_mozilla }, - { "addons.mozilla.org", true, true, true, &kPinset_mozilla }, - { "admin.google.com", true, true, false, &kPinset_google }, - { "android.com", true, true, false, &kPinset_google }, - { "api.twitter.com", true, true, false, &kPinset_twitterCDN }, - { "apis.google.com", true, true, false, &kPinset_google }, - { "appengine.google.com", true, true, false, &kPinset_google }, - { "appspot.com", true, true, false, &kPinset_google }, - { "blog.torproject.org", true, true, false, &kPinset_tor }, - { "business.twitter.com", true, true, false, &kPinset_twitterCom }, - { "cdn.mozilla.net", true, true, true, &kPinset_mozilla }, - { "cdn.mozilla.org", true, true, true, &kPinset_mozilla }, - { "chart.apis.google.com", true, true, false, &kPinset_google }, - { "check.torproject.org", true, true, false, &kPinset_tor }, - { "checkout.google.com", true, true, false, &kPinset_google }, - { "chrome-devtools-frontend.appspot.com", true, true, false, &kPinset_google }, - { "chrome.google.com", true, true, false, &kPinset_google }, - { "chromiumcodereview.appspot.com", true, true, false, &kPinset_google }, - { "cloud.google.com", true, true, false, &kPinset_google }, - { "code.google.com", true, true, false, &kPinset_google }, - { "codereview.appspot.com", true, true, false, &kPinset_google }, - { "codereview.chromium.org", true, true, false, &kPinset_google }, - { "crypto.cat", false, true, false, &kPinset_cryptoCat }, - { "dev.twitter.com", true, true, false, &kPinset_twitterCom }, - { "dist.torproject.org", true, true, false, &kPinset_tor }, - { "dl.google.com", true, true, false, &kPinset_google }, - { "docs.google.com", true, true, false, &kPinset_google }, - { "doubleclick.net", true, true, false, &kPinset_google }, - { "drive.google.com", true, true, false, &kPinset_google }, - { "encrypted.google.com", true, true, false, &kPinset_google }, - { "exclude-subdomains.pinning.example.com", false, false, false, &kPinset_mozilla_test }, - { "g.co", true, true, false, &kPinset_google }, - { "glass.google.com", true, true, false, &kPinset_google }, - { "gmail.com", false, true, false, &kPinset_google }, - { "goo.gl", true, true, false, &kPinset_google }, - { "google-analytics.com", true, true, false, &kPinset_google }, - { "google.ac", true, true, false, &kPinset_google }, - { "google.ad", true, true, false, &kPinset_google }, - { "google.ae", true, true, false, &kPinset_google }, - { "google.af", true, true, false, &kPinset_google }, - { "google.ag", true, true, false, &kPinset_google }, - { "google.am", true, true, false, &kPinset_google }, - { "google.as", true, true, false, &kPinset_google }, - { "google.at", true, true, false, &kPinset_google }, - { "google.az", true, true, false, &kPinset_google }, - { "google.ba", true, true, false, &kPinset_google }, - { "google.be", true, true, false, &kPinset_google }, - { "google.bf", true, true, false, &kPinset_google }, - { "google.bg", true, true, false, &kPinset_google }, - { "google.bi", true, true, false, &kPinset_google }, - { "google.bj", true, true, false, &kPinset_google }, - { "google.bs", true, true, false, &kPinset_google }, - { "google.by", true, true, false, &kPinset_google }, - { "google.ca", true, true, false, &kPinset_google }, - { "google.cat", true, true, false, &kPinset_google }, - { "google.cc", true, true, false, &kPinset_google }, - { "google.cd", true, true, false, &kPinset_google }, - { "google.cf", true, true, false, &kPinset_google }, - { "google.cg", true, true, false, &kPinset_google }, - { "google.ch", true, true, false, &kPinset_google }, - { "google.ci", true, true, false, &kPinset_google }, - { "google.cl", true, true, false, &kPinset_google }, - { "google.cm", true, true, false, &kPinset_google }, - { "google.cn", true, true, false, &kPinset_google }, - { "google.co.ao", true, true, false, &kPinset_google }, - { "google.co.bw", true, true, false, &kPinset_google }, - { "google.co.ck", true, true, false, &kPinset_google }, - { "google.co.cr", true, true, false, &kPinset_google }, - { "google.co.hu", true, true, false, &kPinset_google }, - { "google.co.id", true, true, false, &kPinset_google }, - { "google.co.il", true, true, false, &kPinset_google }, - { "google.co.im", true, true, false, &kPinset_google }, - { "google.co.in", true, true, false, &kPinset_google }, - { "google.co.je", true, true, false, &kPinset_google }, - { "google.co.jp", true, true, false, &kPinset_google }, - { "google.co.ke", true, true, false, &kPinset_google }, - { "google.co.kr", true, true, false, &kPinset_google }, - { "google.co.ls", true, true, false, &kPinset_google }, - { "google.co.ma", true, true, false, &kPinset_google }, - { "google.co.mz", true, true, false, &kPinset_google }, - { "google.co.nz", true, true, false, &kPinset_google }, - { "google.co.th", true, true, false, &kPinset_google }, - { "google.co.tz", true, true, false, &kPinset_google }, - { "google.co.ug", true, true, false, &kPinset_google }, - { "google.co.uk", true, true, false, &kPinset_google }, - { "google.co.uz", true, true, false, &kPinset_google }, - { "google.co.ve", true, true, false, &kPinset_google }, - { "google.co.vi", true, true, false, &kPinset_google }, - { "google.co.za", true, true, false, &kPinset_google }, - { "google.co.zm", true, true, false, &kPinset_google }, - { "google.co.zw", true, true, false, &kPinset_google }, - { "google.com", true, true, false, &kPinset_google }, - { "google.com.af", true, true, false, &kPinset_google }, - { "google.com.ag", true, true, false, &kPinset_google }, - { "google.com.ai", true, true, false, &kPinset_google }, - { "google.com.ar", true, true, false, &kPinset_google }, - { "google.com.au", true, true, false, &kPinset_google }, - { "google.com.bd", true, true, false, &kPinset_google }, - { "google.com.bh", true, true, false, &kPinset_google }, - { "google.com.bn", true, true, false, &kPinset_google }, - { "google.com.bo", true, true, false, &kPinset_google }, - { "google.com.br", true, true, false, &kPinset_google }, - { "google.com.by", true, true, false, &kPinset_google }, - { "google.com.bz", true, true, false, &kPinset_google }, - { "google.com.cn", true, true, false, &kPinset_google }, - { "google.com.co", true, true, false, &kPinset_google }, - { "google.com.cu", true, true, false, &kPinset_google }, - { "google.com.cy", true, true, false, &kPinset_google }, - { "google.com.do", true, true, false, &kPinset_google }, - { "google.com.ec", true, true, false, &kPinset_google }, - { "google.com.eg", true, true, false, &kPinset_google }, - { "google.com.et", true, true, false, &kPinset_google }, - { "google.com.fj", true, true, false, &kPinset_google }, - { "google.com.ge", true, true, false, &kPinset_google }, - { "google.com.gh", true, true, false, &kPinset_google }, - { "google.com.gi", true, true, false, &kPinset_google }, - { "google.com.gr", true, true, false, &kPinset_google }, - { "google.com.gt", true, true, false, &kPinset_google }, - { "google.com.hk", true, true, false, &kPinset_google }, - { "google.com.iq", true, true, false, &kPinset_google }, - { "google.com.jm", true, true, false, &kPinset_google }, - { "google.com.jo", true, true, false, &kPinset_google }, - { "google.com.kh", true, true, false, &kPinset_google }, - { "google.com.kw", true, true, false, &kPinset_google }, - { "google.com.lb", true, true, false, &kPinset_google }, - { "google.com.ly", true, true, false, &kPinset_google }, - { "google.com.mt", true, true, false, &kPinset_google }, - { "google.com.mx", true, true, false, &kPinset_google }, - { "google.com.my", true, true, false, &kPinset_google }, - { "google.com.na", true, true, false, &kPinset_google }, - { "google.com.nf", true, true, false, &kPinset_google }, - { "google.com.ng", true, true, false, &kPinset_google }, - { "google.com.ni", true, true, false, &kPinset_google }, - { "google.com.np", true, true, false, &kPinset_google }, - { "google.com.nr", true, true, false, &kPinset_google }, - { "google.com.om", true, true, false, &kPinset_google }, - { "google.com.pa", true, true, false, &kPinset_google }, - { "google.com.pe", true, true, false, &kPinset_google }, - { "google.com.ph", true, true, false, &kPinset_google }, - { "google.com.pk", true, true, false, &kPinset_google }, - { "google.com.pl", true, true, false, &kPinset_google }, - { "google.com.pr", true, true, false, &kPinset_google }, - { "google.com.py", true, true, false, &kPinset_google }, - { "google.com.qa", true, true, false, &kPinset_google }, - { "google.com.ru", true, true, false, &kPinset_google }, - { "google.com.sa", true, true, false, &kPinset_google }, - { "google.com.sb", true, true, false, &kPinset_google }, - { "google.com.sg", true, true, false, &kPinset_google }, - { "google.com.sl", true, true, false, &kPinset_google }, - { "google.com.sv", true, true, false, &kPinset_google }, - { "google.com.tj", true, true, false, &kPinset_google }, - { "google.com.tn", true, true, false, &kPinset_google }, - { "google.com.tr", true, true, false, &kPinset_google }, - { "google.com.tw", true, true, false, &kPinset_google }, - { "google.com.ua", true, true, false, &kPinset_google }, - { "google.com.uy", true, true, false, &kPinset_google }, - { "google.com.vc", true, true, false, &kPinset_google }, - { "google.com.ve", true, true, false, &kPinset_google }, - { "google.com.vn", true, true, false, &kPinset_google }, - { "google.cv", true, true, false, &kPinset_google }, - { "google.cz", true, true, false, &kPinset_google }, - { "google.de", true, true, false, &kPinset_google }, - { "google.dj", true, true, false, &kPinset_google }, - { "google.dk", true, true, false, &kPinset_google }, - { "google.dm", true, true, false, &kPinset_google }, - { "google.dz", true, true, false, &kPinset_google }, - { "google.ee", true, true, false, &kPinset_google }, - { "google.es", true, true, false, &kPinset_google }, - { "google.fi", true, true, false, &kPinset_google }, - { "google.fm", true, true, false, &kPinset_google }, - { "google.fr", true, true, false, &kPinset_google }, - { "google.ga", true, true, false, &kPinset_google }, - { "google.ge", true, true, false, &kPinset_google }, - { "google.gg", true, true, false, &kPinset_google }, - { "google.gl", true, true, false, &kPinset_google }, - { "google.gm", true, true, false, &kPinset_google }, - { "google.gp", true, true, false, &kPinset_google }, - { "google.gr", true, true, false, &kPinset_google }, - { "google.gy", true, true, false, &kPinset_google }, - { "google.hk", true, true, false, &kPinset_google }, - { "google.hn", true, true, false, &kPinset_google }, - { "google.hr", true, true, false, &kPinset_google }, - { "google.ht", true, true, false, &kPinset_google }, - { "google.hu", true, true, false, &kPinset_google }, - { "google.ie", true, true, false, &kPinset_google }, - { "google.im", true, true, false, &kPinset_google }, - { "google.info", true, true, false, &kPinset_google }, - { "google.iq", true, true, false, &kPinset_google }, - { "google.is", true, true, false, &kPinset_google }, - { "google.it", true, true, false, &kPinset_google }, - { "google.it.ao", true, true, false, &kPinset_google }, - { "google.je", true, true, false, &kPinset_google }, - { "google.jo", true, true, false, &kPinset_google }, - { "google.jobs", true, true, false, &kPinset_google }, - { "google.jp", true, true, false, &kPinset_google }, - { "google.kg", true, true, false, &kPinset_google }, - { "google.ki", true, true, false, &kPinset_google }, - { "google.kz", true, true, false, &kPinset_google }, - { "google.la", true, true, false, &kPinset_google }, - { "google.li", true, true, false, &kPinset_google }, - { "google.lk", true, true, false, &kPinset_google }, - { "google.lt", true, true, false, &kPinset_google }, - { "google.lu", true, true, false, &kPinset_google }, - { "google.lv", true, true, false, &kPinset_google }, - { "google.md", true, true, false, &kPinset_google }, - { "google.me", true, true, false, &kPinset_google }, - { "google.mg", true, true, false, &kPinset_google }, - { "google.mk", true, true, false, &kPinset_google }, - { "google.ml", true, true, false, &kPinset_google }, - { "google.mn", true, true, false, &kPinset_google }, - { "google.ms", true, true, false, &kPinset_google }, - { "google.mu", true, true, false, &kPinset_google }, - { "google.mv", true, true, false, &kPinset_google }, - { "google.mw", true, true, false, &kPinset_google }, - { "google.ne", true, true, false, &kPinset_google }, - { "google.ne.jp", true, true, false, &kPinset_google }, - { "google.net", true, true, false, &kPinset_google }, - { "google.nl", true, true, false, &kPinset_google }, - { "google.no", true, true, false, &kPinset_google }, - { "google.nr", true, true, false, &kPinset_google }, - { "google.nu", true, true, false, &kPinset_google }, - { "google.off.ai", true, true, false, &kPinset_google }, - { "google.pk", true, true, false, &kPinset_google }, - { "google.pl", true, true, false, &kPinset_google }, - { "google.pn", true, true, false, &kPinset_google }, - { "google.ps", true, true, false, &kPinset_google }, - { "google.pt", true, true, false, &kPinset_google }, - { "google.ro", true, true, false, &kPinset_google }, - { "google.rs", true, true, false, &kPinset_google }, - { "google.ru", true, true, false, &kPinset_google }, - { "google.rw", true, true, false, &kPinset_google }, - { "google.sc", true, true, false, &kPinset_google }, - { "google.se", true, true, false, &kPinset_google }, - { "google.sh", true, true, false, &kPinset_google }, - { "google.si", true, true, false, &kPinset_google }, - { "google.sk", true, true, false, &kPinset_google }, - { "google.sm", true, true, false, &kPinset_google }, - { "google.sn", true, true, false, &kPinset_google }, - { "google.so", true, true, false, &kPinset_google }, - { "google.st", true, true, false, &kPinset_google }, - { "google.td", true, true, false, &kPinset_google }, - { "google.tg", true, true, false, &kPinset_google }, - { "google.tk", true, true, false, &kPinset_google }, - { "google.tl", true, true, false, &kPinset_google }, - { "google.tm", true, true, false, &kPinset_google }, - { "google.tn", true, true, false, &kPinset_google }, - { "google.to", true, true, false, &kPinset_google }, - { "google.tp", true, true, false, &kPinset_google }, - { "google.tt", true, true, false, &kPinset_google }, - { "google.us", true, true, false, &kPinset_google }, - { "google.uz", true, true, false, &kPinset_google }, - { "google.vg", true, true, false, &kPinset_google }, - { "google.vu", true, true, false, &kPinset_google }, - { "google.ws", true, true, false, &kPinset_google }, - { "googleadservices.com", true, true, false, &kPinset_google }, - { "googleapis.com", true, true, false, &kPinset_google }, - { "googlecode.com", true, true, false, &kPinset_google }, - { "googlecommerce.com", true, true, false, &kPinset_google }, - { "googlegroups.com", true, true, false, &kPinset_google }, - { "googlemail.com", false, true, false, &kPinset_google }, - { "googleplex.com", true, true, false, &kPinset_google }, - { "googlesyndication.com", true, true, false, &kPinset_google }, - { "googletagmanager.com", true, true, false, &kPinset_google }, - { "googletagservices.com", true, true, false, &kPinset_google }, - { "googleusercontent.com", true, true, false, &kPinset_google }, - { "goto.google.com", true, true, false, &kPinset_google }, - { "groups.google.com", true, true, false, &kPinset_google }, - { "gstatic.com", true, true, false, &kPinset_google }, - { "history.google.com", true, true, false, &kPinset_google }, - { "hostedtalkgadget.google.com", true, true, false, &kPinset_google }, - { "include-subdomains.pinning.example.com", true, false, false, &kPinset_mozilla_test }, - { "liberty.lavabit.com", true, true, false, &kPinset_lavabit }, - { "mail.google.com", true, true, false, &kPinset_google }, - { "market.android.com", true, true, false, &kPinset_google }, - { "media.mozilla.com", true, true, true, &kPinset_mozilla }, - { "mobile.twitter.com", true, true, false, &kPinset_twitterCom }, - { "oauth.twitter.com", true, true, false, &kPinset_twitterCom }, - { "pinningtest.appspot.com", true, true, false, &kPinset_test }, - { "platform.twitter.com", true, true, false, &kPinset_twitterCDN }, - { "play.google.com", false, true, false, &kPinset_google }, - { "plus.google.com", true, true, false, &kPinset_google }, - { "plus.sandbox.google.com", true, true, false, &kPinset_google }, - { "profiles.google.com", true, true, false, &kPinset_google }, - { "script.google.com", true, true, false, &kPinset_google }, - { "security.google.com", true, true, false, &kPinset_google }, - { "sites.google.com", true, true, false, &kPinset_google }, - { "spreadsheets.google.com", true, true, false, &kPinset_google }, - { "ssl.google-analytics.com", true, true, false, &kPinset_google }, - { "talk.google.com", true, true, false, &kPinset_google }, - { "talkgadget.google.com", true, true, false, &kPinset_google }, - { "test-mode.pinning.example.com", true, true, false, &kPinset_mozilla_test }, - { "tor2web.org", true, true, false, &kPinset_tor2web }, - { "torproject.org", false, true, false, &kPinset_tor }, - { "translate.googleapis.com", true, true, false, &kPinset_google }, - { "twimg.com", true, true, false, &kPinset_twitterCDN }, - { "twitter.com", false, true, false, &kPinset_twitterCom }, - { "urchin.com", true, true, false, &kPinset_google }, - { "wallet.google.com", true, true, false, &kPinset_google }, - { "www.gmail.com", false, true, false, &kPinset_google }, - { "www.googlemail.com", false, true, false, &kPinset_google }, - { "www.torproject.org", true, true, false, &kPinset_tor }, - { "www.twitter.com", true, true, false, &kPinset_twitterCom }, - { "youtu.be", true, true, false, &kPinset_google }, - { "youtube.com", true, true, false, &kPinset_google }, - { "ytimg.com", true, true, false, &kPinset_google }, + { "accounts.google.com", true, true, false, -1, &kPinset_google }, + { "addons.mozilla.net", true, true, true, 2, &kPinset_mozilla }, + { "addons.mozilla.org", true, true, true, 1, &kPinset_mozilla }, + { "admin.google.com", true, true, false, -1, &kPinset_google }, + { "android.com", true, true, false, -1, &kPinset_google }, + { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN }, + { "apis.google.com", true, true, false, -1, &kPinset_google }, + { "appengine.google.com", true, true, false, -1, &kPinset_google }, + { "appspot.com", true, true, false, -1, &kPinset_google }, + { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla }, + { "blog.torproject.org", true, true, false, -1, &kPinset_tor }, + { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "cdn.mozilla.net", true, true, true, -1, &kPinset_mozilla }, + { "cdn.mozilla.org", true, true, true, -1, &kPinset_mozilla }, + { "chart.apis.google.com", true, true, false, -1, &kPinset_google }, + { "check.torproject.org", true, true, false, -1, &kPinset_tor }, + { "checkout.google.com", true, true, false, -1, &kPinset_google }, + { "chrome-devtools-frontend.appspot.com", true, true, false, -1, &kPinset_google }, + { "chrome.google.com", true, true, false, -1, &kPinset_google }, + { "chromiumcodereview.appspot.com", true, true, false, -1, &kPinset_google }, + { "cloud.google.com", true, true, false, -1, &kPinset_google }, + { "code.google.com", true, true, false, -1, &kPinset_google }, + { "codereview.appspot.com", true, true, false, -1, &kPinset_google }, + { "codereview.chromium.org", true, true, false, -1, &kPinset_google }, + { "crypto.cat", false, true, false, -1, &kPinset_cryptoCat }, + { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "dist.torproject.org", true, true, false, -1, &kPinset_tor }, + { "dl.google.com", true, true, false, -1, &kPinset_google }, + { "docs.google.com", true, true, false, -1, &kPinset_google }, + { "doubleclick.net", true, true, false, -1, &kPinset_google }, + { "drive.google.com", true, true, false, -1, &kPinset_google }, + { "encrypted.google.com", true, true, false, -1, &kPinset_google }, + { "exclude-subdomains.pinning.example.com", false, false, false, 0, &kPinset_mozilla_test }, + { "g.co", true, true, false, -1, &kPinset_google }, + { "glass.google.com", true, true, false, -1, &kPinset_google }, + { "gmail.com", false, true, false, -1, &kPinset_google }, + { "goo.gl", true, true, false, -1, &kPinset_google }, + { "google-analytics.com", true, true, false, -1, &kPinset_google }, + { "google.ac", true, true, false, -1, &kPinset_google }, + { "google.ad", true, true, false, -1, &kPinset_google }, + { "google.ae", true, true, false, -1, &kPinset_google }, + { "google.af", true, true, false, -1, &kPinset_google }, + { "google.ag", true, true, false, -1, &kPinset_google }, + { "google.am", true, true, false, -1, &kPinset_google }, + { "google.as", true, true, false, -1, &kPinset_google }, + { "google.at", true, true, false, -1, &kPinset_google }, + { "google.az", true, true, false, -1, &kPinset_google }, + { "google.ba", true, true, false, -1, &kPinset_google }, + { "google.be", true, true, false, -1, &kPinset_google }, + { "google.bf", true, true, false, -1, &kPinset_google }, + { "google.bg", true, true, false, -1, &kPinset_google }, + { "google.bi", true, true, false, -1, &kPinset_google }, + { "google.bj", true, true, false, -1, &kPinset_google }, + { "google.bs", true, true, false, -1, &kPinset_google }, + { "google.by", true, true, false, -1, &kPinset_google }, + { "google.ca", true, true, false, -1, &kPinset_google }, + { "google.cat", true, true, false, -1, &kPinset_google }, + { "google.cc", true, true, false, -1, &kPinset_google }, + { "google.cd", true, true, false, -1, &kPinset_google }, + { "google.cf", true, true, false, -1, &kPinset_google }, + { "google.cg", true, true, false, -1, &kPinset_google }, + { "google.ch", true, true, false, -1, &kPinset_google }, + { "google.ci", true, true, false, -1, &kPinset_google }, + { "google.cl", true, true, false, -1, &kPinset_google }, + { "google.cm", true, true, false, -1, &kPinset_google }, + { "google.cn", true, true, false, -1, &kPinset_google }, + { "google.co.ao", true, true, false, -1, &kPinset_google }, + { "google.co.bw", true, true, false, -1, &kPinset_google }, + { "google.co.ck", true, true, false, -1, &kPinset_google }, + { "google.co.cr", true, true, false, -1, &kPinset_google }, + { "google.co.hu", true, true, false, -1, &kPinset_google }, + { "google.co.id", true, true, false, -1, &kPinset_google }, + { "google.co.il", true, true, false, -1, &kPinset_google }, + { "google.co.im", true, true, false, -1, &kPinset_google }, + { "google.co.in", true, true, false, -1, &kPinset_google }, + { "google.co.je", true, true, false, -1, &kPinset_google }, + { "google.co.jp", true, true, false, -1, &kPinset_google }, + { "google.co.ke", true, true, false, -1, &kPinset_google }, + { "google.co.kr", true, true, false, -1, &kPinset_google }, + { "google.co.ls", true, true, false, -1, &kPinset_google }, + { "google.co.ma", true, true, false, -1, &kPinset_google }, + { "google.co.mz", true, true, false, -1, &kPinset_google }, + { "google.co.nz", true, true, false, -1, &kPinset_google }, + { "google.co.th", true, true, false, -1, &kPinset_google }, + { "google.co.tz", true, true, false, -1, &kPinset_google }, + { "google.co.ug", true, true, false, -1, &kPinset_google }, + { "google.co.uk", true, true, false, -1, &kPinset_google }, + { "google.co.uz", true, true, false, -1, &kPinset_google }, + { "google.co.ve", true, true, false, -1, &kPinset_google }, + { "google.co.vi", true, true, false, -1, &kPinset_google }, + { "google.co.za", true, true, false, -1, &kPinset_google }, + { "google.co.zm", true, true, false, -1, &kPinset_google }, + { "google.co.zw", true, true, false, -1, &kPinset_google }, + { "google.com", true, true, false, -1, &kPinset_google }, + { "google.com.af", true, true, false, -1, &kPinset_google }, + { "google.com.ag", true, true, false, -1, &kPinset_google }, + { "google.com.ai", true, true, false, -1, &kPinset_google }, + { "google.com.ar", true, true, false, -1, &kPinset_google }, + { "google.com.au", true, true, false, -1, &kPinset_google }, + { "google.com.bd", true, true, false, -1, &kPinset_google }, + { "google.com.bh", true, true, false, -1, &kPinset_google }, + { "google.com.bn", true, true, false, -1, &kPinset_google }, + { "google.com.bo", true, true, false, -1, &kPinset_google }, + { "google.com.br", true, true, false, -1, &kPinset_google }, + { "google.com.by", true, true, false, -1, &kPinset_google }, + { "google.com.bz", true, true, false, -1, &kPinset_google }, + { "google.com.cn", true, true, false, -1, &kPinset_google }, + { "google.com.co", true, true, false, -1, &kPinset_google }, + { "google.com.cu", true, true, false, -1, &kPinset_google }, + { "google.com.cy", true, true, false, -1, &kPinset_google }, + { "google.com.do", true, true, false, -1, &kPinset_google }, + { "google.com.ec", true, true, false, -1, &kPinset_google }, + { "google.com.eg", true, true, false, -1, &kPinset_google }, + { "google.com.et", true, true, false, -1, &kPinset_google }, + { "google.com.fj", true, true, false, -1, &kPinset_google }, + { "google.com.ge", true, true, false, -1, &kPinset_google }, + { "google.com.gh", true, true, false, -1, &kPinset_google }, + { "google.com.gi", true, true, false, -1, &kPinset_google }, + { "google.com.gr", true, true, false, -1, &kPinset_google }, + { "google.com.gt", true, true, false, -1, &kPinset_google }, + { "google.com.hk", true, true, false, -1, &kPinset_google }, + { "google.com.iq", true, true, false, -1, &kPinset_google }, + { "google.com.jm", true, true, false, -1, &kPinset_google }, + { "google.com.jo", true, true, false, -1, &kPinset_google }, + { "google.com.kh", true, true, false, -1, &kPinset_google }, + { "google.com.kw", true, true, false, -1, &kPinset_google }, + { "google.com.lb", true, true, false, -1, &kPinset_google }, + { "google.com.ly", true, true, false, -1, &kPinset_google }, + { "google.com.mt", true, true, false, -1, &kPinset_google }, + { "google.com.mx", true, true, false, -1, &kPinset_google }, + { "google.com.my", true, true, false, -1, &kPinset_google }, + { "google.com.na", true, true, false, -1, &kPinset_google }, + { "google.com.nf", true, true, false, -1, &kPinset_google }, + { "google.com.ng", true, true, false, -1, &kPinset_google }, + { "google.com.ni", true, true, false, -1, &kPinset_google }, + { "google.com.np", true, true, false, -1, &kPinset_google }, + { "google.com.nr", true, true, false, -1, &kPinset_google }, + { "google.com.om", true, true, false, -1, &kPinset_google }, + { "google.com.pa", true, true, false, -1, &kPinset_google }, + { "google.com.pe", true, true, false, -1, &kPinset_google }, + { "google.com.ph", true, true, false, -1, &kPinset_google }, + { "google.com.pk", true, true, false, -1, &kPinset_google }, + { "google.com.pl", true, true, false, -1, &kPinset_google }, + { "google.com.pr", true, true, false, -1, &kPinset_google }, + { "google.com.py", true, true, false, -1, &kPinset_google }, + { "google.com.qa", true, true, false, -1, &kPinset_google }, + { "google.com.ru", true, true, false, -1, &kPinset_google }, + { "google.com.sa", true, true, false, -1, &kPinset_google }, + { "google.com.sb", true, true, false, -1, &kPinset_google }, + { "google.com.sg", true, true, false, -1, &kPinset_google }, + { "google.com.sl", true, true, false, -1, &kPinset_google }, + { "google.com.sv", true, true, false, -1, &kPinset_google }, + { "google.com.tj", true, true, false, -1, &kPinset_google }, + { "google.com.tn", true, true, false, -1, &kPinset_google }, + { "google.com.tr", true, true, false, -1, &kPinset_google }, + { "google.com.tw", true, true, false, -1, &kPinset_google }, + { "google.com.ua", true, true, false, -1, &kPinset_google }, + { "google.com.uy", true, true, false, -1, &kPinset_google }, + { "google.com.vc", true, true, false, -1, &kPinset_google }, + { "google.com.ve", true, true, false, -1, &kPinset_google }, + { "google.com.vn", true, true, false, -1, &kPinset_google }, + { "google.cv", true, true, false, -1, &kPinset_google }, + { "google.cz", true, true, false, -1, &kPinset_google }, + { "google.de", true, true, false, -1, &kPinset_google }, + { "google.dj", true, true, false, -1, &kPinset_google }, + { "google.dk", true, true, false, -1, &kPinset_google }, + { "google.dm", true, true, false, -1, &kPinset_google }, + { "google.dz", true, true, false, -1, &kPinset_google }, + { "google.ee", true, true, false, -1, &kPinset_google }, + { "google.es", true, true, false, -1, &kPinset_google }, + { "google.fi", true, true, false, -1, &kPinset_google }, + { "google.fm", true, true, false, -1, &kPinset_google }, + { "google.fr", true, true, false, -1, &kPinset_google }, + { "google.ga", true, true, false, -1, &kPinset_google }, + { "google.ge", true, true, false, -1, &kPinset_google }, + { "google.gg", true, true, false, -1, &kPinset_google }, + { "google.gl", true, true, false, -1, &kPinset_google }, + { "google.gm", true, true, false, -1, &kPinset_google }, + { "google.gp", true, true, false, -1, &kPinset_google }, + { "google.gr", true, true, false, -1, &kPinset_google }, + { "google.gy", true, true, false, -1, &kPinset_google }, + { "google.hk", true, true, false, -1, &kPinset_google }, + { "google.hn", true, true, false, -1, &kPinset_google }, + { "google.hr", true, true, false, -1, &kPinset_google }, + { "google.ht", true, true, false, -1, &kPinset_google }, + { "google.hu", true, true, false, -1, &kPinset_google }, + { "google.ie", true, true, false, -1, &kPinset_google }, + { "google.im", true, true, false, -1, &kPinset_google }, + { "google.info", true, true, false, -1, &kPinset_google }, + { "google.iq", true, true, false, -1, &kPinset_google }, + { "google.is", true, true, false, -1, &kPinset_google }, + { "google.it", true, true, false, -1, &kPinset_google }, + { "google.it.ao", true, true, false, -1, &kPinset_google }, + { "google.je", true, true, false, -1, &kPinset_google }, + { "google.jo", true, true, false, -1, &kPinset_google }, + { "google.jobs", true, true, false, -1, &kPinset_google }, + { "google.jp", true, true, false, -1, &kPinset_google }, + { "google.kg", true, true, false, -1, &kPinset_google }, + { "google.ki", true, true, false, -1, &kPinset_google }, + { "google.kz", true, true, false, -1, &kPinset_google }, + { "google.la", true, true, false, -1, &kPinset_google }, + { "google.li", true, true, false, -1, &kPinset_google }, + { "google.lk", true, true, false, -1, &kPinset_google }, + { "google.lt", true, true, false, -1, &kPinset_google }, + { "google.lu", true, true, false, -1, &kPinset_google }, + { "google.lv", true, true, false, -1, &kPinset_google }, + { "google.md", true, true, false, -1, &kPinset_google }, + { "google.me", true, true, false, -1, &kPinset_google }, + { "google.mg", true, true, false, -1, &kPinset_google }, + { "google.mk", true, true, false, -1, &kPinset_google }, + { "google.ml", true, true, false, -1, &kPinset_google }, + { "google.mn", true, true, false, -1, &kPinset_google }, + { "google.ms", true, true, false, -1, &kPinset_google }, + { "google.mu", true, true, false, -1, &kPinset_google }, + { "google.mv", true, true, false, -1, &kPinset_google }, + { "google.mw", true, true, false, -1, &kPinset_google }, + { "google.ne", true, true, false, -1, &kPinset_google }, + { "google.ne.jp", true, true, false, -1, &kPinset_google }, + { "google.net", true, true, false, -1, &kPinset_google }, + { "google.nl", true, true, false, -1, &kPinset_google }, + { "google.no", true, true, false, -1, &kPinset_google }, + { "google.nr", true, true, false, -1, &kPinset_google }, + { "google.nu", true, true, false, -1, &kPinset_google }, + { "google.off.ai", true, true, false, -1, &kPinset_google }, + { "google.pk", true, true, false, -1, &kPinset_google }, + { "google.pl", true, true, false, -1, &kPinset_google }, + { "google.pn", true, true, false, -1, &kPinset_google }, + { "google.ps", true, true, false, -1, &kPinset_google }, + { "google.pt", true, true, false, -1, &kPinset_google }, + { "google.ro", true, true, false, -1, &kPinset_google }, + { "google.rs", true, true, false, -1, &kPinset_google }, + { "google.ru", true, true, false, -1, &kPinset_google }, + { "google.rw", true, true, false, -1, &kPinset_google }, + { "google.sc", true, true, false, -1, &kPinset_google }, + { "google.se", true, true, false, -1, &kPinset_google }, + { "google.sh", true, true, false, -1, &kPinset_google }, + { "google.si", true, true, false, -1, &kPinset_google }, + { "google.sk", true, true, false, -1, &kPinset_google }, + { "google.sm", true, true, false, -1, &kPinset_google }, + { "google.sn", true, true, false, -1, &kPinset_google }, + { "google.so", true, true, false, -1, &kPinset_google }, + { "google.st", true, true, false, -1, &kPinset_google }, + { "google.td", true, true, false, -1, &kPinset_google }, + { "google.tg", true, true, false, -1, &kPinset_google }, + { "google.tk", true, true, false, -1, &kPinset_google }, + { "google.tl", true, true, false, -1, &kPinset_google }, + { "google.tm", true, true, false, -1, &kPinset_google }, + { "google.tn", true, true, false, -1, &kPinset_google }, + { "google.to", true, true, false, -1, &kPinset_google }, + { "google.tp", true, true, false, -1, &kPinset_google }, + { "google.tt", true, true, false, -1, &kPinset_google }, + { "google.us", true, true, false, -1, &kPinset_google }, + { "google.uz", true, true, false, -1, &kPinset_google }, + { "google.vg", true, true, false, -1, &kPinset_google }, + { "google.vu", true, true, false, -1, &kPinset_google }, + { "google.ws", true, true, false, -1, &kPinset_google }, + { "googleadservices.com", true, true, false, -1, &kPinset_google }, + { "googleapis.com", true, true, false, -1, &kPinset_google }, + { "googlecode.com", true, true, false, -1, &kPinset_google }, + { "googlecommerce.com", true, true, false, -1, &kPinset_google }, + { "googlegroups.com", true, true, false, -1, &kPinset_google }, + { "googlemail.com", false, true, false, -1, &kPinset_google }, + { "googleplex.com", true, true, false, -1, &kPinset_google }, + { "googlesyndication.com", true, true, false, -1, &kPinset_google }, + { "googletagmanager.com", true, true, false, -1, &kPinset_google }, + { "googletagservices.com", true, true, false, -1, &kPinset_google }, + { "googleusercontent.com", true, true, false, -1, &kPinset_google }, + { "goto.google.com", true, true, false, -1, &kPinset_google }, + { "groups.google.com", true, true, false, -1, &kPinset_google }, + { "gstatic.com", true, true, false, -1, &kPinset_google }, + { "history.google.com", true, true, false, -1, &kPinset_google }, + { "hostedtalkgadget.google.com", true, true, false, -1, &kPinset_google }, + { "include-subdomains.pinning.example.com", true, false, false, -1, &kPinset_mozilla_test }, + { "liberty.lavabit.com", true, true, false, -1, &kPinset_lavabit }, + { "mail.google.com", true, true, false, -1, &kPinset_google }, + { "market.android.com", true, true, false, -1, &kPinset_google }, + { "media.mozilla.com", true, true, true, -1, &kPinset_mozilla }, + { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "pinningtest.appspot.com", true, true, false, -1, &kPinset_test }, + { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN }, + { "play.google.com", false, true, false, -1, &kPinset_google }, + { "plus.google.com", true, true, false, -1, &kPinset_google }, + { "plus.sandbox.google.com", true, true, false, -1, &kPinset_google }, + { "profiles.google.com", true, true, false, -1, &kPinset_google }, + { "script.google.com", true, true, false, -1, &kPinset_google }, + { "security.google.com", true, true, false, -1, &kPinset_google }, + { "sites.google.com", true, true, false, -1, &kPinset_google }, + { "spreadsheets.google.com", true, true, false, -1, &kPinset_google }, + { "ssl.google-analytics.com", true, true, false, -1, &kPinset_google }, + { "talk.google.com", true, true, false, -1, &kPinset_google }, + { "talkgadget.google.com", true, true, false, -1, &kPinset_google }, + { "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test }, + { "tor2web.org", true, true, false, -1, &kPinset_tor2web }, + { "torproject.org", false, true, false, -1, &kPinset_tor }, + { "translate.googleapis.com", true, true, false, -1, &kPinset_google }, + { "twimg.com", true, true, false, -1, &kPinset_twitterCDN }, + { "twitter.com", false, true, false, -1, &kPinset_twitterCom }, + { "urchin.com", true, true, false, -1, &kPinset_google }, + { "wallet.google.com", true, true, false, -1, &kPinset_google }, + { "www.gmail.com", false, true, false, -1, &kPinset_google }, + { "www.googlemail.com", false, true, false, -1, &kPinset_google }, + { "www.torproject.org", true, true, false, -1, &kPinset_tor }, + { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom }, + { "youtu.be", true, true, false, -1, &kPinset_google }, + { "youtube.com", true, true, false, -1, &kPinset_google }, + { "ytimg.com", true, true, false, -1, &kPinset_google }, }; -static const int kPublicKeyPinningPreloadListLength = 306; +static const int kPublicKeyPinningPreloadListLength = 307; -static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1410996539113000); +static const int32_t kUnknownId = -1; + +static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411084309384000); diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js index 0f1b95dd49c7..3a4aa029b869 100644 --- a/security/manager/ssl/tests/unit/test_pinning.js +++ b/security/manager/ssl/tests/unit/test_pinning.js @@ -100,7 +100,7 @@ function check_pinning_telemetry() { // Because all of our test domains are pinned to user-specified trust // anchors, effectively only strict mode gets evaluated do_check_eq(prod_histogram.counts[0], 1); // Failure count - do_check_eq(prod_histogram.counts[1], 3); // Success count + do_check_eq(prod_histogram.counts[1], 2); // Success count do_check_eq(test_histogram.counts[0], 1); // Failure count do_check_eq(test_histogram.counts[1], 0); // Success count @@ -113,6 +113,10 @@ function check_pinning_telemetry() { do_check_eq(moz_test_histogram.counts[0], 0); // Failure count do_check_eq(moz_test_histogram.counts[1], 0); // Success count + let per_host_histogram = + service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot(); + do_check_eq(per_host_histogram.counts[0], 0); // Failure count + do_check_eq(per_host_histogram.counts[1], 1); // Success count run_next_test(); } diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json index 737bc75704a4..d3690bc1ba8d 100644 --- a/security/manager/tools/PreloadedHPKPins.json +++ b/security/manager/tools/PreloadedHPKPins.json @@ -67,10 +67,14 @@ ], "entries": [ + // Only domains that are operationally crucial to Firefox can have per-host + // telemetry reporting (the "id") field { "name": "addons.mozilla.org", "include_subdomains": true, - "pins": "mozilla", "test_mode": true }, + "pins": "mozilla", "test_mode": true, "id": 1 }, { "name": "addons.mozilla.net", "include_subdomains": true, - "pins": "mozilla", "test_mode": true }, + "pins": "mozilla", "test_mode": true, "id": 2 }, + { "name": "aus4.mozilla.org", "include_subdomains": true, + "pins": "mozilla", "test_mode": true, "id": 3 }, { "name": "cdn.mozilla.net", "include_subdomains": true, "pins": "mozilla", "test_mode": true}, { "name": "cdn.mozilla.org", "include_subdomains": true, @@ -80,9 +84,10 @@ { "name": "include-subdomains.pinning.example.com", "include_subdomains": true, "pins": "mozilla_test", "test_mode": false }, + // Example domain to collect per-host stats for telemetry tests. { "name": "exclude-subdomains.pinning.example.com", "include_subdomains": false, "pins": "mozilla_test", - "test_mode": false }, + "test_mode": false, "id": 0 }, { "name": "test-mode.pinning.example.com", "include_subdomains": true, "pins": "mozilla_test", "test_mode": true } ] diff --git a/security/manager/tools/genHPKPStaticPins.js b/security/manager/tools/genHPKPStaticPins.js index c7c7e45ac8c4..47eb22560323 100644 --- a/security/manager/tools/genHPKPStaticPins.js +++ b/security/manager/tools/genHPKPStaticPins.js @@ -55,6 +55,7 @@ const DOMAINHEADER = "/* Domainlist */\n" + " const bool mIncludeSubdomains;\n" + " const bool mTestMode;\n" + " const bool mIsMoz;\n" + + " const int32_t mId;\n" + " const StaticPinset *pinset;\n" + "};\n\n"; @@ -444,6 +445,14 @@ function writeEntry(entry) { } else { printVal += "false, "; } + if (entry.id >= 256) { + throw("Not enough buckets in histogram"); + } + if (entry.id >= 0) { + printVal += entry.id + ", "; + } else { + printVal += "-1, "; + } printVal += "&kPinset_" + entry.pins; printVal += " },\n"; writeString(printVal); @@ -464,6 +473,7 @@ function writeDomainList(chromeImportedEntries) { writeString("\nstatic const int kPublicKeyPinningPreloadListLength = " + count + ";\n"); + writeString("\nstatic const int32_t kUnknownId = -1;\n"); } function writeFile(certNameToSKD, certSKDToName, diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json index c6efa6671160..428672bfd426 100644 --- a/toolkit/components/telemetry/Histograms.json +++ b/toolkit/components/telemetry/Histograms.json @@ -5941,21 +5941,33 @@ "CERT_PINNING_RESULTS": { "expires_in_version": "never", "kind": "boolean", - "description": "Certificate pinning evalutation results (0 = failure, 1 = success)" + "description": "Certificate pinning results (0 = failure, 1 = success)" }, "CERT_PINNING_TEST_RESULTS": { "expires_in_version": "never", "kind": "boolean", - "description": "Certificate pinning evalutation results (0 = failure, 1 = success)" + "description": "Certificate pinning test results (0 = failure, 1 = success)" }, "CERT_PINNING_MOZ_RESULTS": { "expires_in_version": "never", "kind": "boolean", - "description": "Certificate pinning evalutation results (0 = failure, 1 = success)" + "description": "Certificate pinning results for Mozilla sites (0 = failure, 1 = success)" }, "CERT_PINNING_MOZ_TEST_RESULTS": { "expires_in_version": "never", "kind": "boolean", - "description": "Certificate pinning evalutation results (0 = failure, 1 = success)" + "description": "Certificate pinning test results for Mozilla sites (0 = failure, 1 = success)" + }, + "CERT_PINNING_MOZ_RESULTS_BY_HOST": { + "expires_in_version": "never", + "kind": "enumerated", + "n_values": 512, + "description": "Certificate pinning results by host for Mozilla operational sites" + }, + "CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST": { + "expires_in_version": "never", + "kind": "enumerated", + "n_values": 512, + "description": "Certificate pinning test results by host for Mozilla operational sites" } }