From gavin on IRC: ckarlof: re: high rate of pinning violations for fxa, is it possible the DNS cache/AWS infra IP switch issues are to blame?
-chris

On Jun 18, 2014, at 11:38 AM, Monica Chew <[email protected]> wrote:

> Please take a look at https://pinningtest.appspot.com in FF 32 or higher and
> use your best judgment of whether FxA users on Nightly would be able to file
> an appropriate bug if they see one of the 10-20 violations per day that we're
> getting now.
>
> This bug is to improve the UI to be more informative:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1011638
>
> And this bug is to report the entire certificate chain, including the
> complete domain, back to us for remediation:
> https://bugzilla.mozilla.org/show_bug.cgi?id=846489
>
> I don't think it makes sense to block a decision on either one of these,
> because they don't have firm end dates. From the violation rate, I doubt that
> the pinset is incorrect, most violations are probably from captive portal.
> However, this assumption is incorrect if people are hitting a rarely used
> subdomain on accounts.firefox.com that is using an unknown cert issuer.
>
> If this is not the case and the pinset is correct, we could go ahead and
> start enforcing pin violations and count on bugzilla reports to find errors.
> It's also reasonable to wait a week and see if the numbers improve (telemetry
> data lags 4-5 days, dates are by build date, not submission date).
>
> Thanks,
> Monica
>
> ----- Original Message -----
>> http://people.mozilla.org/~mchew/pinning_dashboard/
>>
>> The violation rate is a little higher than mmc would expect to see. (We're
>> still in reporting only mode, though.)
>>
>> We're seeing 10-20 (would be) violations per day. The rate is higher than
>> other Moz services, but the sample size is also much smaller.
>>
>> Any thoughts?
>>
>> -chris
>>
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct

