SecurityEngineering/Public Key Pinning/SiteOperators
Contents
Help, I need to change my pinset!
File a bug under the Core::Security:PSM component with changes to your pinset: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM&short_desc=%28pinset%20change%20request%29
In case of emergency, email pinning@mozilla.org or security@mozilla.org if that fails. Please file a bug in any case.
How much notice do I need to give for pinset changes?
To determine how long it will take for a change in Nightly to be released, see the release calendar: RapidRelease/Calendar. We prefer not to make pinset changes once Firefox is in Beta.
I have an emergency!
In emergency circumstances, we can release an emergency update to the stable channel to change your pinset in 24 hours. No one wants to do this. We will consider removing you from the pinning program altogether in this event.
How can you test your pins?
- Install desktop Firefox 32 or later.
- Go to about:config and make sure that security.cert_pinning.enforcement_level = 1 (allow user-specified trust anchors to override pinning checks) or 2 (strict mode). There is an additional enforcement level, 3, for enforcing test pins if you'd like to enable that instead. Normally test pins are used only for counting pin violations, but not actually enforcing them. You will have to coordinate with the pinning team in order to verify which of your pins are in test mode, and which are in production mode.
- Visit https://pinning-test.badssl.com/ to make sure you see a warning.
- Visit all your sites!
What platforms does this affect?
Pinning has been enabled on Firefox for Desktop and Firefox for Android. By default, pinning checks are skipped for user-specified trust anchors.