Bug 1007844: Implement per-host telemetry for pin violations for AMO and aus4 (r=keeler)

Monica Chew 2014-05-15 16:56:51 -07:00
parent ba2c0b1abe
commit 7dfd0bdbe7
6 changed files with 362 additions and 317 deletions


@ -201,7 +201,17 @@ CheckPinsForHostname(const CERTCertList *certList, const char *hostname,
: Telemetry::CERT_PINNING_TEST_RESULTS;
retval = true;
}
// We can collect per-host pinning violations for this host because it is
// operationally critical to Firefox.
if (foundEntry->mId != kUnknownId) {
int32_t bucket = foundEntry->mId * 2 + (result ? 1 : 0);
histogram = foundEntry->mTestMode
? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST
: Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST;
Telemetry::Accumulate(histogram, bucket);
} else {
Telemetry::Accumulate(histogram, result ? 1 : 0);
}
PR_LOG(gPublicKeyPinningLog, PR_LOG_DEBUG,
("pkpin: Pin check %s for %s host '%s' (mode=%s)\n",
result ? "passed" : "failed",
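Review bot: The bucket index `foundEntry->mId * 2 + (result ? 1 : 0)` is neither documented nor bounded where it is computed, so the link between the `mId` values in the preload list and the size of the per-host histograms is implicit. I would add a comment such as `// Bucket 2*mId counts pin failures and 2*mId+1 pin successes for the host with that id.` and a debug assertion that `bucket` is below the histogram's bucket count, which is declared outside this hunk. Hosts with a known id also no longer reach the aggregate histogram selected above, because `histogram` is reassigned before `Telemetry::Accumulate`, so aggregate pass/fail totals will presumably stop including them; if that is intended, the comment should say so. Since `mId != kUnknownId` is the only gate keeping other hosts out of per-host telemetry, it is worth stating in the comment that ids are assigned only to hosts approved for per-host collection. CheckPinsForHostname starts and ends outside the hunk.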


@ -460,319 +460,323 @@ struct TransportSecurityPreload {
const bool mIncludeSubdomains;
const bool mTestMode;
const bool mIsMoz;
const int32_t mId;
const StaticPinset *pinset;
};
/* Sort hostnames for binary search. */
static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
{ "accounts.google.com", true, true, false, &kPinset_google },
{ "addons.mozilla.net", true, true, true, &kPinset_mozilla },
{ "addons.mozilla.org", true, true, true, &kPinset_mozilla },
{ "admin.google.com", true, true, false, &kPinset_google },
{ "android.com", true, true, false, &kPinset_google },
{ "api.twitter.com", true, true, false, &kPinset_twitterCDN },
{ "apis.google.com", true, true, false, &kPinset_google },
{ "appengine.google.com", true, true, false, &kPinset_google },
{ "appspot.com", true, true, false, &kPinset_google },
{ "blog.torproject.org", true, true, false, &kPinset_tor },
{ "business.twitter.com", true, true, false, &kPinset_twitterCom },
{ "cdn.mozilla.net", true, true, true, &kPinset_mozilla },
{ "cdn.mozilla.org", true, true, true, &kPinset_mozilla },
{ "chart.apis.google.com", true, true, false, &kPinset_google },
{ "check.torproject.org", true, true, false, &kPinset_tor },
{ "checkout.google.com", true, true, false, &kPinset_google },
{ "chrome-devtools-frontend.appspot.com", true, true, false, &kPinset_google },
{ "chrome.google.com", true, true, false, &kPinset_google },
{ "chromiumcodereview.appspot.com", true, true, false, &kPinset_google },
{ "cloud.google.com", true, true, false, &kPinset_google },
{ "code.google.com", true, true, false, &kPinset_google },
{ "codereview.appspot.com", true, true, false, &kPinset_google },
{ "codereview.chromium.org", true, true, false, &kPinset_google },
{ "crypto.cat", false, true, false, &kPinset_cryptoCat },
{ "dev.twitter.com", true, true, false, &kPinset_twitterCom },
{ "dist.torproject.org", true, true, false, &kPinset_tor },
{ "dl.google.com", true, true, false, &kPinset_google },
{ "docs.google.com", true, true, false, &kPinset_google },
{ "doubleclick.net", true, true, false, &kPinset_google },
{ "drive.google.com", true, true, false, &kPinset_google },
{ "encrypted.google.com", true, true, false, &kPinset_google },
{ "exclude-subdomains.pinning.example.com", false, false, false, &kPinset_mozilla_test },
{ "g.co", true, true, false, &kPinset_google },
{ "glass.google.com", true, true, false, &kPinset_google },
{ "gmail.com", false, true, false, &kPinset_google },
{ "goo.gl", true, true, false, &kPinset_google },
{ "google-analytics.com", true, true, false, &kPinset_google },
{ "google.ac", true, true, false, &kPinset_google },
{ "google.ad", true, true, false, &kPinset_google },
{ "google.ae", true, true, false, &kPinset_google },
{ "google.af", true, true, false, &kPinset_google },
{ "google.ag", true, true, false, &kPinset_google },
{ "google.am", true, true, false, &kPinset_google },
{ "google.as", true, true, false, &kPinset_google },
{ "google.at", true, true, false, &kPinset_google },
{ "google.az", true, true, false, &kPinset_google },
{ "google.ba", true, true, false, &kPinset_google },
{ "google.be", true, true, false, &kPinset_google },
{ "google.bf", true, true, false, &kPinset_google },
{ "google.bg", true, true, false, &kPinset_google },
{ "google.bi", true, true, false, &kPinset_google },
{ "google.bj", true, true, false, &kPinset_google },
{ "google.bs", true, true, false, &kPinset_google },
{ "google.by", true, true, false, &kPinset_google },
{ "google.ca", true, true, false, &kPinset_google },
{ "google.cat", true, true, false, &kPinset_google },
{ "google.cc", true, true, false, &kPinset_google },
{ "google.cd", true, true, false, &kPinset_google },
{ "google.cf", true, true, false, &kPinset_google },
{ "google.cg", true, true, false, &kPinset_google },
{ "google.ch", true, true, false, &kPinset_google },
{ "google.ci", true, true, false, &kPinset_google },
{ "google.cl", true, true, false, &kPinset_google },
{ "google.cm", true, true, false, &kPinset_google },
{ "google.cn", true, true, false, &kPinset_google },
{ "google.co.ao", true, true, false, &kPinset_google },
{ "google.co.bw", true, true, false, &kPinset_google },
{ "google.co.ck", true, true, false, &kPinset_google },
{ "google.co.cr", true, true, false, &kPinset_google },
{ "google.co.hu", true, true, false, &kPinset_google },
{ "google.co.id", true, true, false, &kPinset_google },
{ "google.co.il", true, true, false, &kPinset_google },
{ "google.co.im", true, true, false, &kPinset_google },
{ "google.co.in", true, true, false, &kPinset_google },
{ "google.co.je", true, true, false, &kPinset_google },
{ "google.co.jp", true, true, false, &kPinset_google },
{ "google.co.ke", true, true, false, &kPinset_google },
{ "google.co.kr", true, true, false, &kPinset_google },
{ "google.co.ls", true, true, false, &kPinset_google },
{ "google.co.ma", true, true, false, &kPinset_google },
{ "google.co.mz", true, true, false, &kPinset_google },
{ "google.co.nz", true, true, false, &kPinset_google },
{ "google.co.th", true, true, false, &kPinset_google },
{ "google.co.tz", true, true, false, &kPinset_google },
{ "google.co.ug", true, true, false, &kPinset_google },
{ "google.co.uk", true, true, false, &kPinset_google },
{ "google.co.uz", true, true, false, &kPinset_google },
{ "google.co.ve", true, true, false, &kPinset_google },
{ "google.co.vi", true, true, false, &kPinset_google },
{ "google.co.za", true, true, false, &kPinset_google },
{ "google.co.zm", true, true, false, &kPinset_google },
{ "google.co.zw", true, true, false, &kPinset_google },
{ "google.com", true, true, false, &kPinset_google },
{ "google.com.af", true, true, false, &kPinset_google },
{ "google.com.ag", true, true, false, &kPinset_google },
{ "google.com.ai", true, true, false, &kPinset_google },
{ "google.com.ar", true, true, false, &kPinset_google },
{ "google.com.au", true, true, false, &kPinset_google },
{ "google.com.bd", true, true, false, &kPinset_google },
{ "google.com.bh", true, true, false, &kPinset_google },
{ "google.com.bn", true, true, false, &kPinset_google },
{ "google.com.bo", true, true, false, &kPinset_google },
{ "google.com.br", true, true, false, &kPinset_google },
{ "google.com.by", true, true, false, &kPinset_google },
{ "google.com.bz", true, true, false, &kPinset_google },
{ "google.com.cn", true, true, false, &kPinset_google },
{ "google.com.co", true, true, false, &kPinset_google },
{ "google.com.cu", true, true, false, &kPinset_google },
{ "google.com.cy", true, true, false, &kPinset_google },
{ "google.com.do", true, true, false, &kPinset_google },
{ "google.com.ec", true, true, false, &kPinset_google },
{ "google.com.eg", true, true, false, &kPinset_google },
{ "google.com.et", true, true, false, &kPinset_google },
{ "google.com.fj", true, true, false, &kPinset_google },
{ "google.com.ge", true, true, false, &kPinset_google },
{ "google.com.gh", true, true, false, &kPinset_google },
{ "google.com.gi", true, true, false, &kPinset_google },
{ "google.com.gr", true, true, false, &kPinset_google },
{ "google.com.gt", true, true, false, &kPinset_google },
{ "google.com.hk", true, true, false, &kPinset_google },
{ "google.com.iq", true, true, false, &kPinset_google },
{ "google.com.jm", true, true, false, &kPinset_google },
{ "google.com.jo", true, true, false, &kPinset_google },
{ "google.com.kh", true, true, false, &kPinset_google },
{ "google.com.kw", true, true, false, &kPinset_google },
{ "google.com.lb", true, true, false, &kPinset_google },
{ "google.com.ly", true, true, false, &kPinset_google },
{ "google.com.mt", true, true, false, &kPinset_google },
{ "google.com.mx", true, true, false, &kPinset_google },
{ "google.com.my", true, true, false, &kPinset_google },
{ "google.com.na", true, true, false, &kPinset_google },
{ "google.com.nf", true, true, false, &kPinset_google },
{ "google.com.ng", true, true, false, &kPinset_google },
{ "google.com.ni", true, true, false, &kPinset_google },
{ "google.com.np", true, true, false, &kPinset_google },
{ "google.com.nr", true, true, false, &kPinset_google },
{ "google.com.om", true, true, false, &kPinset_google },
{ "google.com.pa", true, true, false, &kPinset_google },
{ "google.com.pe", true, true, false, &kPinset_google },
{ "google.com.ph", true, true, false, &kPinset_google },
{ "google.com.pk", true, true, false, &kPinset_google },
{ "google.com.pl", true, true, false, &kPinset_google },
{ "google.com.pr", true, true, false, &kPinset_google },
{ "google.com.py", true, true, false, &kPinset_google },
{ "google.com.qa", true, true, false, &kPinset_google },
{ "google.com.ru", true, true, false, &kPinset_google },
{ "google.com.sa", true, true, false, &kPinset_google },
{ "google.com.sb", true, true, false, &kPinset_google },
{ "google.com.sg", true, true, false, &kPinset_google },
{ "google.com.sl", true, true, false, &kPinset_google },
{ "google.com.sv", true, true, false, &kPinset_google },
{ "google.com.tj", true, true, false, &kPinset_google },
{ "google.com.tn", true, true, false, &kPinset_google },
{ "google.com.tr", true, true, false, &kPinset_google },
{ "google.com.tw", true, true, false, &kPinset_google },
{ "google.com.ua", true, true, false, &kPinset_google },
{ "google.com.uy", true, true, false, &kPinset_google },
{ "google.com.vc", true, true, false, &kPinset_google },
{ "google.com.ve", true, true, false, &kPinset_google },
{ "google.com.vn", true, true, false, &kPinset_google },
{ "google.cv", true, true, false, &kPinset_google },
{ "google.cz", true, true, false, &kPinset_google },
{ "google.de", true, true, false, &kPinset_google },
{ "google.dj", true, true, false, &kPinset_google },
{ "google.dk", true, true, false, &kPinset_google },
{ "google.dm", true, true, false, &kPinset_google },
{ "google.dz", true, true, false, &kPinset_google },
{ "google.ee", true, true, false, &kPinset_google },
{ "google.es", true, true, false, &kPinset_google },
{ "google.fi", true, true, false, &kPinset_google },
{ "google.fm", true, true, false, &kPinset_google },
{ "google.fr", true, true, false, &kPinset_google },
{ "google.ga", true, true, false, &kPinset_google },
{ "google.ge", true, true, false, &kPinset_google },
{ "google.gg", true, true, false, &kPinset_google },
{ "google.gl", true, true, false, &kPinset_google },
{ "google.gm", true, true, false, &kPinset_google },
{ "google.gp", true, true, false, &kPinset_google },
{ "google.gr", true, true, false, &kPinset_google },
{ "google.gy", true, true, false, &kPinset_google },
{ "google.hk", true, true, false, &kPinset_google },
{ "google.hn", true, true, false, &kPinset_google },
{ "google.hr", true, true, false, &kPinset_google },
{ "google.ht", true, true, false, &kPinset_google },
{ "google.hu", true, true, false, &kPinset_google },
{ "google.ie", true, true, false, &kPinset_google },
{ "google.im", true, true, false, &kPinset_google },
{ "google.info", true, true, false, &kPinset_google },
{ "google.iq", true, true, false, &kPinset_google },
{ "google.is", true, true, false, &kPinset_google },
{ "google.it", true, true, false, &kPinset_google },
{ "google.it.ao", true, true, false, &kPinset_google },
{ "google.je", true, true, false, &kPinset_google },
{ "google.jo", true, true, false, &kPinset_google },
{ "google.jobs", true, true, false, &kPinset_google },
{ "google.jp", true, true, false, &kPinset_google },
{ "google.kg", true, true, false, &kPinset_google },
{ "google.ki", true, true, false, &kPinset_google },
{ "google.kz", true, true, false, &kPinset_google },
{ "google.la", true, true, false, &kPinset_google },
{ "google.li", true, true, false, &kPinset_google },
{ "google.lk", true, true, false, &kPinset_google },
{ "google.lt", true, true, false, &kPinset_google },
{ "google.lu", true, true, false, &kPinset_google },
{ "google.lv", true, true, false, &kPinset_google },
{ "google.md", true, true, false, &kPinset_google },
{ "google.me", true, true, false, &kPinset_google },
{ "google.mg", true, true, false, &kPinset_google },
{ "google.mk", true, true, false, &kPinset_google },
{ "google.ml", true, true, false, &kPinset_google },
{ "google.mn", true, true, false, &kPinset_google },
{ "google.ms", true, true, false, &kPinset_google },
{ "google.mu", true, true, false, &kPinset_google },
{ "google.mv", true, true, false, &kPinset_google },
{ "google.mw", true, true, false, &kPinset_google },
{ "google.ne", true, true, false, &kPinset_google },
{ "google.ne.jp", true, true, false, &kPinset_google },
{ "google.net", true, true, false, &kPinset_google },
{ "google.nl", true, true, false, &kPinset_google },
{ "google.no", true, true, false, &kPinset_google },
{ "google.nr", true, true, false, &kPinset_google },
{ "google.nu", true, true, false, &kPinset_google },
{ "google.off.ai", true, true, false, &kPinset_google },
{ "google.pk", true, true, false, &kPinset_google },
{ "google.pl", true, true, false, &kPinset_google },
{ "google.pn", true, true, false, &kPinset_google },
{ "google.ps", true, true, false, &kPinset_google },
{ "google.pt", true, true, false, &kPinset_google },
{ "google.ro", true, true, false, &kPinset_google },
{ "google.rs", true, true, false, &kPinset_google },
{ "google.ru", true, true, false, &kPinset_google },
{ "google.rw", true, true, false, &kPinset_google },
{ "google.sc", true, true, false, &kPinset_google },
{ "google.se", true, true, false, &kPinset_google },
{ "google.sh", true, true, false, &kPinset_google },
{ "google.si", true, true, false, &kPinset_google },
{ "google.sk", true, true, false, &kPinset_google },
{ "google.sm", true, true, false, &kPinset_google },
{ "google.sn", true, true, false, &kPinset_google },
{ "google.so", true, true, false, &kPinset_google },
{ "google.st", true, true, false, &kPinset_google },
{ "google.td", true, true, false, &kPinset_google },
{ "google.tg", true, true, false, &kPinset_google },
{ "google.tk", true, true, false, &kPinset_google },
{ "google.tl", true, true, false, &kPinset_google },
{ "google.tm", true, true, false, &kPinset_google },
{ "google.tn", true, true, false, &kPinset_google },
{ "google.to", true, true, false, &kPinset_google },
{ "google.tp", true, true, false, &kPinset_google },
{ "google.tt", true, true, false, &kPinset_google },
{ "google.us", true, true, false, &kPinset_google },
{ "google.uz", true, true, false, &kPinset_google },
{ "google.vg", true, true, false, &kPinset_google },
{ "google.vu", true, true, false, &kPinset_google },
{ "google.ws", true, true, false, &kPinset_google },
{ "googleadservices.com", true, true, false, &kPinset_google },
{ "googleapis.com", true, true, false, &kPinset_google },
{ "googlecode.com", true, true, false, &kPinset_google },
{ "googlecommerce.com", true, true, false, &kPinset_google },
{ "googlegroups.com", true, true, false, &kPinset_google },
{ "googlemail.com", false, true, false, &kPinset_google },
{ "googleplex.com", true, true, false, &kPinset_google },
{ "googlesyndication.com", true, true, false, &kPinset_google },
{ "googletagmanager.com", true, true, false, &kPinset_google },
{ "googletagservices.com", true, true, false, &kPinset_google },
{ "googleusercontent.com", true, true, false, &kPinset_google },
{ "goto.google.com", true, true, false, &kPinset_google },
{ "groups.google.com", true, true, false, &kPinset_google },
{ "gstatic.com", true, true, false, &kPinset_google },
{ "history.google.com", true, true, false, &kPinset_google },
{ "hostedtalkgadget.google.com", true, true, false, &kPinset_google },
{ "include-subdomains.pinning.example.com", true, false, false, &kPinset_mozilla_test },
{ "liberty.lavabit.com", true, true, false, &kPinset_lavabit },
{ "mail.google.com", true, true, false, &kPinset_google },
{ "market.android.com", true, true, false, &kPinset_google },
{ "media.mozilla.com", true, true, true, &kPinset_mozilla },
{ "mobile.twitter.com", true, true, false, &kPinset_twitterCom },
{ "oauth.twitter.com", true, true, false, &kPinset_twitterCom },
{ "pinningtest.appspot.com", true, true, false, &kPinset_test },
{ "platform.twitter.com", true, true, false, &kPinset_twitterCDN },
{ "play.google.com", false, true, false, &kPinset_google },
{ "plus.google.com", true, true, false, &kPinset_google },
{ "plus.sandbox.google.com", true, true, false, &kPinset_google },
{ "profiles.google.com", true, true, false, &kPinset_google },
{ "script.google.com", true, true, false, &kPinset_google },
{ "security.google.com", true, true, false, &kPinset_google },
{ "sites.google.com", true, true, false, &kPinset_google },
{ "spreadsheets.google.com", true, true, false, &kPinset_google },
{ "ssl.google-analytics.com", true, true, false, &kPinset_google },
{ "talk.google.com", true, true, false, &kPinset_google },
{ "talkgadget.google.com", true, true, false, &kPinset_google },
{ "test-mode.pinning.example.com", true, true, false, &kPinset_mozilla_test },
{ "tor2web.org", true, true, false, &kPinset_tor2web },
{ "torproject.org", false, true, false, &kPinset_tor },
{ "translate.googleapis.com", true, true, false, &kPinset_google },
{ "twimg.com", true, true, false, &kPinset_twitterCDN },
{ "twitter.com", false, true, false, &kPinset_twitterCom },
{ "urchin.com", true, true, false, &kPinset_google },
{ "wallet.google.com", true, true, false, &kPinset_google },
{ "www.gmail.com", false, true, false, &kPinset_google },
{ "www.googlemail.com", false, true, false, &kPinset_google },
{ "www.torproject.org", true, true, false, &kPinset_tor },
{ "www.twitter.com", true, true, false, &kPinset_twitterCom },
{ "youtu.be", true, true, false, &kPinset_google },
{ "youtube.com", true, true, false, &kPinset_google },
{ "ytimg.com", true, true, false, &kPinset_google },
{ "accounts.google.com", true, true, false, -1, &kPinset_google },
{ "addons.mozilla.net", true, true, true, 2, &kPinset_mozilla },
{ "addons.mozilla.org", true, true, true, 1, &kPinset_mozilla },
{ "admin.google.com", true, true, false, -1, &kPinset_google },
{ "android.com", true, true, false, -1, &kPinset_google },
{ "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "apis.google.com", true, true, false, -1, &kPinset_google },
{ "appengine.google.com", true, true, false, -1, &kPinset_google },
{ "appspot.com", true, true, false, -1, &kPinset_google },
{ "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla },
{ "blog.torproject.org", true, true, false, -1, &kPinset_tor },
{ "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "cdn.mozilla.net", true, true, true, -1, &kPinset_mozilla },
{ "cdn.mozilla.org", true, true, true, -1, &kPinset_mozilla },
{ "chart.apis.google.com", true, true, false, -1, &kPinset_google },
{ "check.torproject.org", true, true, false, -1, &kPinset_tor },
{ "checkout.google.com", true, true, false, -1, &kPinset_google },
{ "chrome-devtools-frontend.appspot.com", true, true, false, -1, &kPinset_google },
{ "chrome.google.com", true, true, false, -1, &kPinset_google },
{ "chromiumcodereview.appspot.com", true, true, false, -1, &kPinset_google },
{ "cloud.google.com", true, true, false, -1, &kPinset_google },
{ "code.google.com", true, true, false, -1, &kPinset_google },
{ "codereview.appspot.com", true, true, false, -1, &kPinset_google },
{ "codereview.chromium.org", true, true, false, -1, &kPinset_google },
{ "crypto.cat", false, true, false, -1, &kPinset_cryptoCat },
{ "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "dist.torproject.org", true, true, false, -1, &kPinset_tor },
{ "dl.google.com", true, true, false, -1, &kPinset_google },
{ "docs.google.com", true, true, false, -1, &kPinset_google },
{ "doubleclick.net", true, true, false, -1, &kPinset_google },
{ "drive.google.com", true, true, false, -1, &kPinset_google },
{ "encrypted.google.com", true, true, false, -1, &kPinset_google },
{ "exclude-subdomains.pinning.example.com", false, false, false, 0, &kPinset_mozilla_test },
{ "g.co", true, true, false, -1, &kPinset_google },
{ "glass.google.com", true, true, false, -1, &kPinset_google },
{ "gmail.com", false, true, false, -1, &kPinset_google },
{ "goo.gl", true, true, false, -1, &kPinset_google },
{ "google-analytics.com", true, true, false, -1, &kPinset_google },
{ "google.ac", true, true, false, -1, &kPinset_google },
{ "google.ad", true, true, false, -1, &kPinset_google },
{ "google.ae", true, true, false, -1, &kPinset_google },
{ "google.af", true, true, false, -1, &kPinset_google },
{ "google.ag", true, true, false, -1, &kPinset_google },
{ "google.am", true, true, false, -1, &kPinset_google },
{ "google.as", true, true, false, -1, &kPinset_google },
{ "google.at", true, true, false, -1, &kPinset_google },
{ "google.az", true, true, false, -1, &kPinset_google },
{ "google.ba", true, true, false, -1, &kPinset_google },
{ "google.be", true, true, false, -1, &kPinset_google },
{ "google.bf", true, true, false, -1, &kPinset_google },
{ "google.bg", true, true, false, -1, &kPinset_google },
{ "google.bi", true, true, false, -1, &kPinset_google },
{ "google.bj", true, true, false, -1, &kPinset_google },
{ "google.bs", true, true, false, -1, &kPinset_google },
{ "google.by", true, true, false, -1, &kPinset_google },
{ "google.ca", true, true, false, -1, &kPinset_google },
{ "google.cat", true, true, false, -1, &kPinset_google },
{ "google.cc", true, true, false, -1, &kPinset_google },
{ "google.cd", true, true, false, -1, &kPinset_google },
{ "google.cf", true, true, false, -1, &kPinset_google },
{ "google.cg", true, true, false, -1, &kPinset_google },
{ "google.ch", true, true, false, -1, &kPinset_google },
{ "google.ci", true, true, false, -1, &kPinset_google },
{ "google.cl", true, true, false, -1, &kPinset_google },
{ "google.cm", true, true, false, -1, &kPinset_google },
{ "google.cn", true, true, false, -1, &kPinset_google },
{ "google.co.ao", true, true, false, -1, &kPinset_google },
{ "google.co.bw", true, true, false, -1, &kPinset_google },
{ "google.co.ck", true, true, false, -1, &kPinset_google },
{ "google.co.cr", true, true, false, -1, &kPinset_google },
{ "google.co.hu", true, true, false, -1, &kPinset_google },
{ "google.co.id", true, true, false, -1, &kPinset_google },
{ "google.co.il", true, true, false, -1, &kPinset_google },
{ "google.co.im", true, true, false, -1, &kPinset_google },
{ "google.co.in", true, true, false, -1, &kPinset_google },
{ "google.co.je", true, true, false, -1, &kPinset_google },
{ "google.co.jp", true, true, false, -1, &kPinset_google },
{ "google.co.ke", true, true, false, -1, &kPinset_google },
{ "google.co.kr", true, true, false, -1, &kPinset_google },
{ "google.co.ls", true, true, false, -1, &kPinset_google },
{ "google.co.ma", true, true, false, -1, &kPinset_google },
{ "google.co.mz", true, true, false, -1, &kPinset_google },
{ "google.co.nz", true, true, false, -1, &kPinset_google },
{ "google.co.th", true, true, false, -1, &kPinset_google },
{ "google.co.tz", true, true, false, -1, &kPinset_google },
{ "google.co.ug", true, true, false, -1, &kPinset_google },
{ "google.co.uk", true, true, false, -1, &kPinset_google },
{ "google.co.uz", true, true, false, -1, &kPinset_google },
{ "google.co.ve", true, true, false, -1, &kPinset_google },
{ "google.co.vi", true, true, false, -1, &kPinset_google },
{ "google.co.za", true, true, false, -1, &kPinset_google },
{ "google.co.zm", true, true, false, -1, &kPinset_google },
{ "google.co.zw", true, true, false, -1, &kPinset_google },
{ "google.com", true, true, false, -1, &kPinset_google },
{ "google.com.af", true, true, false, -1, &kPinset_google },
{ "google.com.ag", true, true, false, -1, &kPinset_google },
{ "google.com.ai", true, true, false, -1, &kPinset_google },
{ "google.com.ar", true, true, false, -1, &kPinset_google },
{ "google.com.au", true, true, false, -1, &kPinset_google },
{ "google.com.bd", true, true, false, -1, &kPinset_google },
{ "google.com.bh", true, true, false, -1, &kPinset_google },
{ "google.com.bn", true, true, false, -1, &kPinset_google },
{ "google.com.bo", true, true, false, -1, &kPinset_google },
{ "google.com.br", true, true, false, -1, &kPinset_google },
{ "google.com.by", true, true, false, -1, &kPinset_google },
{ "google.com.bz", true, true, false, -1, &kPinset_google },
{ "google.com.cn", true, true, false, -1, &kPinset_google },
{ "google.com.co", true, true, false, -1, &kPinset_google },
{ "google.com.cu", true, true, false, -1, &kPinset_google },
{ "google.com.cy", true, true, false, -1, &kPinset_google },
{ "google.com.do", true, true, false, -1, &kPinset_google },
{ "google.com.ec", true, true, false, -1, &kPinset_google },
{ "google.com.eg", true, true, false, -1, &kPinset_google },
{ "google.com.et", true, true, false, -1, &kPinset_google },
{ "google.com.fj", true, true, false, -1, &kPinset_google },
{ "google.com.ge", true, true, false, -1, &kPinset_google },
{ "google.com.gh", true, true, false, -1, &kPinset_google },
{ "google.com.gi", true, true, false, -1, &kPinset_google },
{ "google.com.gr", true, true, false, -1, &kPinset_google },
{ "google.com.gt", true, true, false, -1, &kPinset_google },
{ "google.com.hk", true, true, false, -1, &kPinset_google },
{ "google.com.iq", true, true, false, -1, &kPinset_google },
{ "google.com.jm", true, true, false, -1, &kPinset_google },
{ "google.com.jo", true, true, false, -1, &kPinset_google },
{ "google.com.kh", true, true, false, -1, &kPinset_google },
{ "google.com.kw", true, true, false, -1, &kPinset_google },
{ "google.com.lb", true, true, false, -1, &kPinset_google },
{ "google.com.ly", true, true, false, -1, &kPinset_google },
{ "google.com.mt", true, true, false, -1, &kPinset_google },
{ "google.com.mx", true, true, false, -1, &kPinset_google },
{ "google.com.my", true, true, false, -1, &kPinset_google },
{ "google.com.na", true, true, false, -1, &kPinset_google },
{ "google.com.nf", true, true, false, -1, &kPinset_google },
{ "google.com.ng", true, true, false, -1, &kPinset_google },
{ "google.com.ni", true, true, false, -1, &kPinset_google },
{ "google.com.np", true, true, false, -1, &kPinset_google },
{ "google.com.nr", true, true, false, -1, &kPinset_google },
{ "google.com.om", true, true, false, -1, &kPinset_google },
{ "google.com.pa", true, true, false, -1, &kPinset_google },
{ "google.com.pe", true, true, false, -1, &kPinset_google },
{ "google.com.ph", true, true, false, -1, &kPinset_google },
{ "google.com.pk", true, true, false, -1, &kPinset_google },
{ "google.com.pl", true, true, false, -1, &kPinset_google },
{ "google.com.pr", true, true, false, -1, &kPinset_google },
{ "google.com.py", true, true, false, -1, &kPinset_google },
{ "google.com.qa", true, true, false, -1, &kPinset_google },
{ "google.com.ru", true, true, false, -1, &kPinset_google },
{ "google.com.sa", true, true, false, -1, &kPinset_google },
{ "google.com.sb", true, true, false, -1, &kPinset_google },
{ "google.com.sg", true, true, false, -1, &kPinset_google },
{ "google.com.sl", true, true, false, -1, &kPinset_google },
{ "google.com.sv", true, true, false, -1, &kPinset_google },
{ "google.com.tj", true, true, false, -1, &kPinset_google },
{ "google.com.tn", true, true, false, -1, &kPinset_google },
{ "google.com.tr", true, true, false, -1, &kPinset_google },
{ "google.com.tw", true, true, false, -1, &kPinset_google },
{ "google.com.ua", true, true, false, -1, &kPinset_google },
{ "google.com.uy", true, true, false, -1, &kPinset_google },
{ "google.com.vc", true, true, false, -1, &kPinset_google },
{ "google.com.ve", true, true, false, -1, &kPinset_google },
{ "google.com.vn", true, true, false, -1, &kPinset_google },
{ "google.cv", true, true, false, -1, &kPinset_google },
{ "google.cz", true, true, false, -1, &kPinset_google },
{ "google.de", true, true, false, -1, &kPinset_google },
{ "google.dj", true, true, false, -1, &kPinset_google },
{ "google.dk", true, true, false, -1, &kPinset_google },
{ "google.dm", true, true, false, -1, &kPinset_google },
{ "google.dz", true, true, false, -1, &kPinset_google },
{ "google.ee", true, true, false, -1, &kPinset_google },
{ "google.es", true, true, false, -1, &kPinset_google },
{ "google.fi", true, true, false, -1, &kPinset_google },
{ "google.fm", true, true, false, -1, &kPinset_google },
{ "google.fr", true, true, false, -1, &kPinset_google },
{ "google.ga", true, true, false, -1, &kPinset_google },
{ "google.ge", true, true, false, -1, &kPinset_google },
{ "google.gg", true, true, false, -1, &kPinset_google },
{ "google.gl", true, true, false, -1, &kPinset_google },
{ "google.gm", true, true, false, -1, &kPinset_google },
{ "google.gp", true, true, false, -1, &kPinset_google },
{ "google.gr", true, true, false, -1, &kPinset_google },
{ "google.gy", true, true, false, -1, &kPinset_google },
{ "google.hk", true, true, false, -1, &kPinset_google },
{ "google.hn", true, true, false, -1, &kPinset_google },
{ "google.hr", true, true, false, -1, &kPinset_google },
{ "google.ht", true, true, false, -1, &kPinset_google },
{ "google.hu", true, true, false, -1, &kPinset_google },
{ "google.ie", true, true, false, -1, &kPinset_google },
{ "google.im", true, true, false, -1, &kPinset_google },
{ "google.info", true, true, false, -1, &kPinset_google },
{ "google.iq", true, true, false, -1, &kPinset_google },
{ "google.is", true, true, false, -1, &kPinset_google },
{ "google.it", true, true, false, -1, &kPinset_google },
{ "google.it.ao", true, true, false, -1, &kPinset_google },
{ "google.je", true, true, false, -1, &kPinset_google },
{ "google.jo", true, true, false, -1, &kPinset_google },
{ "google.jobs", true, true, false, -1, &kPinset_google },
{ "google.jp", true, true, false, -1, &kPinset_google },
{ "google.kg", true, true, false, -1, &kPinset_google },
{ "google.ki", true, true, false, -1, &kPinset_google },
{ "google.kz", true, true, false, -1, &kPinset_google },
{ "google.la", true, true, false, -1, &kPinset_google },
{ "google.li", true, true, false, -1, &kPinset_google },
{ "google.lk", true, true, false, -1, &kPinset_google },
{ "google.lt", true, true, false, -1, &kPinset_google },
{ "google.lu", true, true, false, -1, &kPinset_google },
{ "google.lv", true, true, false, -1, &kPinset_google },
{ "google.md", true, true, false, -1, &kPinset_google },
{ "google.me", true, true, false, -1, &kPinset_google },
{ "google.mg", true, true, false, -1, &kPinset_google },
{ "google.mk", true, true, false, -1, &kPinset_google },
{ "google.ml", true, true, false, -1, &kPinset_google },
{ "google.mn", true, true, false, -1, &kPinset_google },
{ "google.ms", true, true, false, -1, &kPinset_google },
{ "google.mu", true, true, false, -1, &kPinset_google },
{ "google.mv", true, true, false, -1, &kPinset_google },
{ "google.mw", true, true, false, -1, &kPinset_google },
{ "google.ne", true, true, false, -1, &kPinset_google },
{ "google.ne.jp", true, true, false, -1, &kPinset_google },
{ "google.net", true, true, false, -1, &kPinset_google },
{ "google.nl", true, true, false, -1, &kPinset_google },
{ "google.no", true, true, false, -1, &kPinset_google },
{ "google.nr", true, true, false, -1, &kPinset_google },
{ "google.nu", true, true, false, -1, &kPinset_google },
{ "google.off.ai", true, true, false, -1, &kPinset_google },
{ "google.pk", true, true, false, -1, &kPinset_google },
{ "google.pl", true, true, false, -1, &kPinset_google },
{ "google.pn", true, true, false, -1, &kPinset_google },
{ "google.ps", true, true, false, -1, &kPinset_google },
{ "google.pt", true, true, false, -1, &kPinset_google },
{ "google.ro", true, true, false, -1, &kPinset_google },
{ "google.rs", true, true, false, -1, &kPinset_google },
{ "google.ru", true, true, false, -1, &kPinset_google },
{ "google.rw", true, true, false, -1, &kPinset_google },
{ "google.sc", true, true, false, -1, &kPinset_google },
{ "google.se", true, true, false, -1, &kPinset_google },
{ "google.sh", true, true, false, -1, &kPinset_google },
{ "google.si", true, true, false, -1, &kPinset_google },
{ "google.sk", true, true, false, -1, &kPinset_google },
{ "google.sm", true, true, false, -1, &kPinset_google },
{ "google.sn", true, true, false, -1, &kPinset_google },
{ "google.so", true, true, false, -1, &kPinset_google },
{ "google.st", true, true, false, -1, &kPinset_google },
{ "google.td", true, true, false, -1, &kPinset_google },
{ "google.tg", true, true, false, -1, &kPinset_google },
{ "google.tk", true, true, false, -1, &kPinset_google },
{ "google.tl", true, true, false, -1, &kPinset_google },
{ "google.tm", true, true, false, -1, &kPinset_google },
{ "google.tn", true, true, false, -1, &kPinset_google },
{ "google.to", true, true, false, -1, &kPinset_google },
{ "google.tp", true, true, false, -1, &kPinset_google },
{ "google.tt", true, true, false, -1, &kPinset_google },
{ "google.us", true, true, false, -1, &kPinset_google },
{ "google.uz", true, true, false, -1, &kPinset_google },
{ "google.vg", true, true, false, -1, &kPinset_google },
{ "google.vu", true, true, false, -1, &kPinset_google },
{ "google.ws", true, true, false, -1, &kPinset_google },
{ "googleadservices.com", true, true, false, -1, &kPinset_google },
{ "googleapis.com", true, true, false, -1, &kPinset_google },
{ "googlecode.com", true, true, false, -1, &kPinset_google },
{ "googlecommerce.com", true, true, false, -1, &kPinset_google },
{ "googlegroups.com", true, true, false, -1, &kPinset_google },
{ "googlemail.com", false, true, false, -1, &kPinset_google },
{ "googleplex.com", true, true, false, -1, &kPinset_google },
{ "googlesyndication.com", true, true, false, -1, &kPinset_google },
{ "googletagmanager.com", true, true, false, -1, &kPinset_google },
{ "googletagservices.com", true, true, false, -1, &kPinset_google },
{ "googleusercontent.com", true, true, false, -1, &kPinset_google },
{ "goto.google.com", true, true, false, -1, &kPinset_google },
{ "groups.google.com", true, true, false, -1, &kPinset_google },
{ "gstatic.com", true, true, false, -1, &kPinset_google },
{ "history.google.com", true, true, false, -1, &kPinset_google },
{ "hostedtalkgadget.google.com", true, true, false, -1, &kPinset_google },
{ "include-subdomains.pinning.example.com", true, false, false, -1, &kPinset_mozilla_test },
{ "liberty.lavabit.com", true, true, false, -1, &kPinset_lavabit },
{ "mail.google.com", true, true, false, -1, &kPinset_google },
{ "market.android.com", true, true, false, -1, &kPinset_google },
{ "media.mozilla.com", true, true, true, -1, &kPinset_mozilla },
{ "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "pinningtest.appspot.com", true, true, false, -1, &kPinset_test },
{ "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
{ "play.google.com", false, true, false, -1, &kPinset_google },
{ "plus.google.com", true, true, false, -1, &kPinset_google },
{ "plus.sandbox.google.com", true, true, false, -1, &kPinset_google },
{ "profiles.google.com", true, true, false, -1, &kPinset_google },
{ "script.google.com", true, true, false, -1, &kPinset_google },
{ "security.google.com", true, true, false, -1, &kPinset_google },
{ "sites.google.com", true, true, false, -1, &kPinset_google },
{ "spreadsheets.google.com", true, true, false, -1, &kPinset_google },
{ "ssl.google-analytics.com", true, true, false, -1, &kPinset_google },
{ "talk.google.com", true, true, false, -1, &kPinset_google },
{ "talkgadget.google.com", true, true, false, -1, &kPinset_google },
{ "test-mode.pinning.example.com", true, true, false, -1, &kPinset_mozilla_test },
{ "tor2web.org", true, true, false, -1, &kPinset_tor2web },
{ "torproject.org", false, true, false, -1, &kPinset_tor },
{ "translate.googleapis.com", true, true, false, -1, &kPinset_google },
{ "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
{ "twitter.com", false, true, false, -1, &kPinset_twitterCom },
{ "urchin.com", true, true, false, -1, &kPinset_google },
{ "wallet.google.com", true, true, false, -1, &kPinset_google },
{ "www.gmail.com", false, true, false, -1, &kPinset_google },
{ "www.googlemail.com", false, true, false, -1, &kPinset_google },
{ "www.torproject.org", true, true, false, -1, &kPinset_tor },
{ "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
{ "youtu.be", true, true, false, -1, &kPinset_google },
{ "youtube.com", true, true, false, -1, &kPinset_google },
{ "ytimg.com", true, true, false, -1, &kPinset_google },
};
static const int kPublicKeyPinningPreloadListLength = 306;
static const int kPublicKeyPinningPreloadListLength = 307;
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1410996539113000);
static const int32_t kUnknownId = -1;
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1411084309384000);


@ -100,7 +100,7 @@ function check_pinning_telemetry() {
// Because all of our test domains are pinned to user-specified trust
// anchors, effectively only strict mode gets evaluated
do_check_eq(prod_histogram.counts[0], 1); // Failure count
do_check_eq(prod_histogram.counts[1], 3); // Success count
do_check_eq(prod_histogram.counts[1], 2); // Success count
do_check_eq(test_histogram.counts[0], 1); // Failure count
do_check_eq(test_histogram.counts[1], 0); // Success count
@ -113,6 +113,10 @@ function check_pinning_telemetry() {
do_check_eq(moz_test_histogram.counts[0], 0); // Failure count
do_check_eq(moz_test_histogram.counts[1], 0); // Success count
let per_host_histogram =
service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot();
do_check_eq(per_host_histogram.counts[0], 0); // Failure count
do_check_eq(per_host_histogram.counts[1], 1); // Success count
run_next_test();
}
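Review bot: The new per-host assertions at the end of check_pinning_telemetry() label counts[0] and counts[1] as failure and success, which holds only because the example host has id 0 and the bucket is id * 2 + result. A comment such as `// Buckets are id * 2 + (success ? 1 : 0); exclude-subdomains.pinning.example.com has id 0` would make that explicit. Nothing visible in these hunks snapshots CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST or a host with a non-zero id, so the id-to-bucket arithmetic is only exercised at offset 0. The function starts outside the hunks.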


@ -67,10 +67,14 @@
],
"entries": [
// Only domains that are operationally crucial to Firefox can have per-host
// telemetry reporting (the "id") field
{ "name": "addons.mozilla.org", "include_subdomains": true,
"pins": "mozilla", "test_mode": true },
"pins": "mozilla", "test_mode": true, "id": 1 },
{ "name": "addons.mozilla.net", "include_subdomains": true,
"pins": "mozilla", "test_mode": true },
"pins": "mozilla", "test_mode": true, "id": 2 },
{ "name": "aus4.mozilla.org", "include_subdomains": true,
"pins": "mozilla", "test_mode": true, "id": 3 },
{ "name": "cdn.mozilla.net", "include_subdomains": true,
"pins": "mozilla", "test_mode": true},
{ "name": "cdn.mozilla.org", "include_subdomains": true,
@ -80,9 +84,10 @@
{ "name": "include-subdomains.pinning.example.com",
"include_subdomains": true, "pins": "mozilla_test",
"test_mode": false },
// Example domain to collect per-host stats for telemetry tests.
{ "name": "exclude-subdomains.pinning.example.com",
"include_subdomains": false, "pins": "mozilla_test",
"test_mode": false },
"test_mode": false, "id": 0 },
{ "name": "test-mode.pinning.example.com", "include_subdomains": true,
"pins": "mozilla_test", "test_mode": true }
]


@ -55,6 +55,7 @@ const DOMAINHEADER = "/* Domainlist */\n" +
" const bool mIncludeSubdomains;\n" +
" const bool mTestMode;\n" +
" const bool mIsMoz;\n" +
" const int32_t mId;\n" +
" const StaticPinset *pinset;\n" +
"};\n\n";
@ -444,6 +445,14 @@ function writeEntry(entry) {
} else {
printVal += "false, ";
}
if (entry.id >= 256) {
throw("Not enough buckets in histogram");
}
if (entry.id >= 0) {
printVal += entry.id + ", ";
} else {
printVal += "-1, ";
}
printVal += "&kPinset_" + entry.pins;
printVal += " },\n";
writeString(printVal);
@ -464,6 +473,7 @@ function writeDomainList(chromeImportedEntries) {
writeString("\nstatic const int kPublicKeyPinningPreloadListLength = " +
count + ";\n");
writeString("\nstatic const int32_t kUnknownId = -1;\n");
}
function writeFile(certNameToSKD, certSKDToName,
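Review bot: The id handling added to writeEntry() rejects only ids of 256 and above. A negative id is silently written as -1, a fractional or string id is passed through into the generated initializer, and nothing checks that two entries do not share an id. With a shared id, both hosts' pin results would land in the same buckets and a violation could not be attributed to one host. Consider validating up front, e.g. `if (entry.id !== undefined && (!Number.isInteger(entry.id) || entry.id < 0 || entry.id >= 256))`, and tracking the ids already seen across entries. The 256 limit is tied to `"n_values": 512` in the histogram definitions (two buckets per id) and deserves a named constant or a comment saying so; writeEntry() begins outside the hunk.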


@ -5941,21 +5941,33 @@
"CERT_PINNING_RESULTS": {
"expires_in_version": "never",
"kind": "boolean",
"description": "Certificate pinning evalutation results (0 = failure, 1 = success)"
"description": "Certificate pinning results (0 = failure, 1 = success)"
},
"CERT_PINNING_TEST_RESULTS": {
"expires_in_version": "never",
"kind": "boolean",
"description": "Certificate pinning evalutation results (0 = failure, 1 = success)"
"description": "Certificate pinning test results (0 = failure, 1 = success)"
},
"CERT_PINNING_MOZ_RESULTS": {
"expires_in_version": "never",
"kind": "boolean",
"description": "Certificate pinning evalutation results (0 = failure, 1 = success)"
"description": "Certificate pinning results for Mozilla sites (0 = failure, 1 = success)"
},
"CERT_PINNING_MOZ_TEST_RESULTS": {
"expires_in_version": "never",
"kind": "boolean",
"description": "Certificate pinning evalutation results (0 = failure, 1 = success)"
"description": "Certificate pinning test results for Mozilla sites (0 = failure, 1 = success)"
},
"CERT_PINNING_MOZ_RESULTS_BY_HOST": {
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 512,
"description": "Certificate pinning results by host for Mozilla operational sites"
},
"CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST": {
"expires_in_version": "never",
"kind": "enumerated",
"n_values": 512,
"description": "Certificate pinning test results by host for Mozilla operational sites"
}
}
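Review bot: The descriptions of the two new *_BY_HOST histograms do not say how a bucket maps to a host and an outcome, so anyone reading the data cannot decode it without the C++ source. Spelling the encoding out in the description would fix that, e.g. `"description": "Certificate pinning results by host for Mozilla operational sites (bucket = host id * 2 + result; 0 = failure, 1 = success)"`, with the same wording for the test histogram. A pointer to where the host ids are assigned would also help, since as far as this commit shows they exist only in the preload list JSON.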