How to enable HPKP in unofficial builds?

privacysecurity

(rugk) #1

I’ve noticed at the test page at https://projects.dm.id.lv/Public-Key-Pins_test that HTTP Public Key Pinning (HPKP) is (partially) disabled for unofficial builds, as it seems.

What happens?

Basically, the first connection or so may be blocked with the usual, known MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE, but when you click “retry” it seems to work instantly again.

I’ve tried this in Firefox Developer Edition, which is funny, because it says in the dev tools it would support HPKP:

In contrast to that, in Firefox stable it does show it as “Disabled” in the developer tools, at least:

And here you see that it also randomly works:

So why?

  • In unofficial builds (in my case as for dev edition: flatpak; stable: official Fedora build) it seems to be disabled, because Mozilla thinks Linux distros always serve outdated Firefox versions – a claim which is not true for many distros (and especially things like flatpak).
  • However the setting is set correctly:
    security.cert_pinning.enforcement_level;2

How to enable?

That’s why there is my question: Is there any way to enable that even in these builds? Actually, Fedora e.g. keeps their version really up-to-date and only has a few days delay after official Mozilla releases – at most(!).
The flatpak version is also up-to-date thanks to the flatpak technology itself, and, I guess, automated builds.

So can it – either as a user – or even better upstream/with patches (or in any other way) be enabled again? Because I do not like to lose this security feature. (And now please don’t come and argue with how other browsers do it, I don’t care.)