+keeler Still not looking awesome -- but if the DNS cache is borking certs that is a much bigger problem.
----- Original Message -----
> From gavin on IRC:
>
> ckarlof: re: high rate of pinning violations for fxa, is it possible the DNS
> cache/AWS infra IP switch issues are to blame?
>
> -chris
>
> On Jun 18, 2014, at 11:38 AM, Monica Chew <[email protected]> wrote:
>
> > Please take a look at https://pinningtest.appspot.com in FF 32 or higher
> > and use your best judgment of whether FxA users on Nightly would be able
> > to file an appropriate bug if they see one of the 10-20 violations per day
> > that we're getting now.
> >
> > This bug is to improve the UI to be more informative:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1011638
> >
> > And this bug is to report the entire certificate chain, including the
> > complete domain, back to us for remediation:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=846489
> >
> > I don't think it makes sense to block a decision on either one of these,
> > because they don't have firm end dates. From the violation rate, I doubt
> > that the pinset is incorrect, most violations are probably from captive
> > portal. However, this assumption is incorrect if people are hitting a
> > rarely used subdomain on accounts.firefox.com that is using an unknown
> > cert issuer.
> >
> > If this is not the case and the pinset is correct, we could go ahead and
> > start enforcing pin violations and count on bugzilla reports to find
> > errors. It's also reasonable to wait a week and see if the numbers improve
> > (telemetry data lags 4-5 days, dates are by build date, not submission
> > date).
> >
> > Thanks,
> > Monica
> >
> > ----- Original Message -----
> >> http://people.mozilla.org/~mchew/pinning_dashboard/
> >>
> >> The violation rate is a little higher than mmc would expect to see. (We're
> >> still in reporting only mode, though.)
> >>
> >> We're seeing 10-20 (would be) violations per day. The rate is higher than
> >> other Moz services, but the sample size is also much smaller.
> >>
> >> Any thoughts?
> >>
> >> -chris

