Public key pinning released in Firefox

Sid Stamm


Firefox now supports built-in public key pins, which means that a shortened list of acceptable certificate authorities (CAs) for participating sites is built into Firefox. In this first stage of pinning roll-out, protected domains include addons.mozilla.org and Twitter, to be followed by Google and other sites in upcoming versions of Firefox. That means that Firefox users will be even safer when visiting Mozilla and Twitter (and soon, Google). For the full list of pinned domains and rollout status, please see the Public Key Pinning wiki. Additionally, sites may advertise their support for pinning with the Public Key Pinning Extension for HTTP, which we plan to implement soon.

Public Key Pinning helps ensure that people are connecting to the sites they intend. It allows site operators to specify which CAs issue valid certificates for them, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox. If any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal. When the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection with a pinning error. This type of error can also occur if a CA mis-issues a certificate. In this way, key pinning can be used by sites to add another layer of trust to their servers’ deployment of TLS.
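The check described above, as an added illustration that is not Firefox's code: compute HPKP-style pins (base64 of the SHA-256 of a certificate's SubjectPublicKeyInfo), parse a Public-Key-Pins header as the extension defines it, and accept an already-verified chain only when some certificate in it matches a pin. The SPKI blobs and the header are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """Pin value as HPKP (RFC 7469) defines it: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pin set and directives."""
    pins, max_age, include_subdomains = set(), None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/=]+)"', directive)
        if m:
            pins.add(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}

def chain_matches_pins(chain_spkis, pins) -> bool:
    """Pinning check as the post describes it: the chain has already passed normal
    validation; it is accepted only if some certificate's key (leaf, intermediate or
    root) matches a pinned key. A valid chain from any other CA fails here."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)

def hpkp_header_acceptable(pins, chain_spkis) -> bool:
    """RFC 7469 lets a browser store pins only if one pin matches the served chain and
    at least one is a backup pin that does not (so a key rotation cannot lock the site out)."""
    matched = {p for p in pins if any(spki_pin(s) == p for s in chain_spkis)}
    return bool(matched) and bool(pins - matched)

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
LEAF, INTER_A, ROOT_A = b"spki:leaf:site", b"spki:intermediate:CA-A", b"spki:root:CA-A"
LEAF2, INTER_B, ROOT_B = b"spki:leaf:mis-issued", b"spki:intermediate:CA-B", b"spki:root:CA-B"
BACKUP_KEY = b"spki:backup:offline-key"

# Constructed header the site would send: pin the intermediate it uses plus a backup pin.
HPKP_HEADER = (f'pin-sha256="{spki_pin(INTER_A)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
               'max-age=5184000; includeSubDomains')
PINS = parse_hpkp(HPKP_HEADER)["pins"]
CHAIN_VIA_PINNED_CA = [LEAF, INTER_A, ROOT_A]   # issued under the pinned CA: accepted
CHAIN_VIA_OTHER_CA = [LEAF2, INTER_B, ROOT_B]   # valid chain from another root: pinning error

if __name__ == "__main__":
    print("pinned CA chain:", chain_matches_pins(CHAIN_VIA_PINNED_CA, PINS))      # True
    print("other CA chain:", chain_matches_pins(CHAIN_VIA_OTHER_CA, PINS))        # False
    print("header storable:", hpkp_header_acceptable(PINS, CHAIN_VIA_PINNED_CA))  # True
```

The second chain is the mis-issuance case from the paragraph above: it would pass ordinary chain validation against the built-in roots, but no key in it is pinned, so the connection is rejected.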

For more details on how pinning works, check out Monica’s blog post.

4 responses

  1. Mark Andrews wrote on :

    When will this be integrated with DANE (RFC 6698) which allows any site to securely publish in the DNS that one of a set of CERT records needs to be present in the validation chain?

    1. Suvi-Tuuli Allan wrote on :

      What? Firefox doesn’t have full DNSSEC support? Outrageous! ;)

    2. dkeeler wrote on :

      DANE has some attractive qualities, but there are a number of technical hurdles to overcome in order to implement it. For example, many network devices still prevent DNSSEC from working correctly.

      1. Mark Andrews wrote on :

        None of which prevent the logic being added to Firefox. This can be done on a required (validation of the response has to succeed) or best-effort (trust if the response validates as secure) basis, or could be disabled by the user.

        This page is secured by DANE which you can see if you have the appropriate add on.

        Tell people when you can’t get the answers and list solutions. Broken equipment is not fixed / replaced unless people are told about it.