On 2016-01-04 1:21 PM, Adam Roach wrote:
On 1/4/16 2:19 AM, Daniel Holbert wrote:
I'm not sure what action we should (or can) take about this, but for
now we should be on the lookout for this, and perhaps consider writing a
support article about it if we haven't already.

I propose that we minimally should collect telemetry around this
condition. It should be pretty easy to detect: look for cases where we
reject very young SHA-1 certs that chain back to a CA we don't ship.
Once we know the scope of the problem, we can make informed decisions
about how urgent our subsequent actions should be.

It would also be potentially useful to know the cert issuer in these
cases, since that might allow us to make some guesses about whether the
failures are caused by malware, well-intentioned but kludgy malware
detectors, or enterprise gateways. Working out how to do that in a way
that respects privacy and user agency may be tricky, so I'd propose we
go for the simple count first.


Wouldn't the SSL cert failures also prevent submitting the telemetry payload to Mozilla's servers?

Cheers,
Josh
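Adam's proposed telemetry check, as an added example that is not part of this thread or of Firefox's own code: given a rejected leaf certificate and the root it chains to, it flags SHA-1 leaves issued recently under a root that is not in the shipped trust store, and records the issuer name for later binning. It assumes the third-party `cryptography` package is installed; the chain it builds is a constructed private CA, and `MAX_AGE_DAYS` is an assumed threshold for "very young".

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_AGE_DAYS = 30  # assumed threshold for "very young" (not from the thread)

def make_cert(subject, issuer, issuer_key, key, hash_alg, not_before):
    """Issue a cert for `subject` signed by issuer_key; self-signed when issuer is None."""
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + timedelta(days=365))
            .sign(issuer_key, hash_alg))

def not_before_utc(cert):
    """Timezone-aware notBefore across cryptography versions (the _utc property is newer)."""
    nb = getattr(cert, "not_valid_before_utc", None)
    return nb if nb is not None else cert.not_valid_before.replace(tzinfo=timezone.utc)

def triage(leaf, root, shipped_roots, now):
    """Telemetry record: the young-SHA-1-from-unshipped-CA flag plus the issuer CN."""
    sha1 = isinstance(leaf.signature_hash_algorithm, hashes.SHA1)
    young = now - not_before_utc(leaf) <= timedelta(days=MAX_AGE_DAYS)
    unshipped = root.fingerprint(hashes.SHA256()).hex() not in shipped_roots
    issuer = leaf.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {"young_sha1_unshipped": sha1 and young and unshipped, "issuer": issuer}

def build_chain(hash_alg, now):
    """Constructed chain (not real data): a private CA issuing a two-day-old leaf."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Private CA")])
    root = make_cert(ca_name, None, ca_key, ca_key, hash_alg, now - timedelta(days=400))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.org")])
    return make_cert(leaf_name, root, ca_key, leaf_key, hash_alg, now - timedelta(days=2)), root

def sample(hash_name, ship_root=False):
    """Run triage over a constructed chain; ship_root pretends the root is in our store."""
    alg = {"sha1": hashes.SHA1(), "sha256": hashes.SHA256()}[hash_name]
    now = datetime.now(timezone.utc)
    leaf, root = build_chain(alg, now)
    shipped = {root.fingerprint(hashes.SHA256()).hex()} if ship_root else set()
    return triage(leaf, root, shipped, now)
```

Only the count and, if that is judged acceptable, the issuer name leave the client; the chain itself never does.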
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform