

Bug 1821359: Disable TLS Key Pinning for Twitter Domains. r=keeler, a=dmeehan

This patch removes Twitter domains from the list of sites we statically pin in Firefox
and regenerates the associated headers. Note that the Twitter domains are still
imported from Chrome's list of pins, but now have the test flag set, making them inert.

Differential Revision: https://phabricator.services.mozilla.com/D172161
dennisjackson committed Mar 9, 2023
1 parent 2beddcb commit 72a088d
Showing 2 changed files with 11 additions and 29 deletions.
18 changes: 9 additions & 9 deletions security/manager/ssl/StaticHPKPins.h
Expand Up @@ -613,7 +613,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "android.com", true, false, false, -1, &kPinset_google_root_pems },
{ "api.accounts.firefox.com", true, false, true, 5, &kPinset_mozilla_services },
{ "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
{ "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
Expand All @@ -632,7 +632,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
{ "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
{ "business.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
{ "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
Expand Down Expand Up @@ -672,7 +672,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "datastudio.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
{ "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "developer.android.com", true, false, false, -1, &kPinset_google_root_pems },
{ "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "dist.torproject.org", true, false, false, -1, &kPinset_tor },
Expand Down Expand Up @@ -984,7 +984,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "messenger.com", true, false, false, -1, &kPinset_facebook },
{ "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
{ "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
{ "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
Expand All @@ -997,7 +997,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
{ "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "oauthaccountmanager.googleapis.com", true, false, false, -1, &kPinset_google_root_pems },
{ "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems },
Expand All @@ -1011,7 +1011,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
{ "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
{ "plus.sandbox.google.com", true, false, false, -1, &kPinset_google_root_pems },
Expand Down Expand Up @@ -1054,8 +1054,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems },
{ "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
{ "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
{ "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
{ "twitter.com", false, true, false, -1, &kPinset_twitterCom },
{ "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
{ "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
Expand Down Expand Up @@ -1090,7 +1090,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems },
{ "www.messenger.com", true, false, false, -1, &kPinset_facebook },
{ "www.torproject.org", true, false, false, -1, &kPinset_tor },
{ "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
{ "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
{ "xbrlsuccess.appspot.com", true, false, false, -1, &kPinset_google_root_pems },
{ "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
22 changes: 2 additions & 20 deletions security/manager/tools/PreloadedHPKPins.json
Expand Up @@ -44,15 +44,6 @@
// Dropbox
"dropbox.com",
"www.dropbox.com",
// Twitter
"api.twitter.com",
"business.twitter.com",
"dev.twitter.com",
"mobile.twitter.com",
"oauth.twitter.com",
"platform.twitter.com",
"twimg.com",
"www.twitter.com",
// Tor
"torproject.org",
"blog.torproject.org",
Expand All @@ -62,11 +53,7 @@
// SpiderOak
"spideroak.com"
],
"exclude_domains" : [
// Chrome's entry for twitter.com doesn't include subdomains, so replace
// it with our own entry below which also uses an expanded pinset.
"twitter.com"
]
"exclude_domains" : []
},
"pinsets": [
{
Expand Down Expand Up @@ -207,12 +194,7 @@
"include_subdomains": false, "pins": "mozilla_test",
"test_mode": false },
{ "name": "test-mode.pinning.example.com", "include_subdomains": true,
"pins": "mozilla_test", "test_mode": true },
// Expand twitter's pinset to include all of *.twitter.com and use
// twitterCDN. More specific rules take precedence because we search for
// exact domain name first.
{ "name": "twitter.com", "include_subdomains": true,
"pins": "twitterCDN", "test_mode": false }
"pins": "mozilla_test", "test_mode": true }
],
// When pinning to non-root certs, like intermediates,
// place the PEM of the pinned certificate in this array
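Review bot: Emptying `exclude_domains` (the `"exclude_domains" : []` line) also deletes the only comment that explained the earlier special handling of `twitter.com`, and nothing left in the file records that the Twitter entries were dropped deliberately, so a later regeneration or cleanup has no hint not to restore them. Per the removed comment, Chrome's `twitter.com` entry does not include subdomains, so any twitter.com subdomain that Chrome does not list individually now has no pin entry at all rather than a test-mode one; if test-mode pins are still used for violation reporting, that reporting coverage is lost for those hosts, which is worth confirming is intended. I would keep a short comment in the entries list where the `// Twitter` block was removed, e.g. `// Twitter domains were removed in bug 1821359; the Chrome-imported entries remain in test mode only.`. The enclosing list begins before the first hunk.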
