
Commit 6ba809b

committed
Re-fetch the cert whitelist every 1-3 days
1 parent cad783c commit 6ba809b

2 files changed

Lines changed: 27 additions & 11 deletions


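--- a/src/components/ssl-observatory.js
+++ b/src/components/ssl-observatory.js
@@ -147,9 +147,8 @@ function SSLObservatory() {
 
 this.testProxySettings();
 
-//this.updateCertWhitelist();
 this.loadCertWhitelist();
-this.saveCertWhitelist();
+this.maybeUpdateCertWhitelist();
 
 this.log(DBUG, "Loaded observatory component!");
 }
@@ -554,8 +553,22 @@ SSLObservatory.prototype = {
 },
 
 
-updateCertWhitelist: function() {
-var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+maybeUpdateCertWhitelist: function() {
+var due_pref = "extensions.https_everywhere._observatory.whitelist_update_due";
+var update_due = this.prefs.getIntPref(due_pref);
+var now = Date.now() / 1000; // Date.now() is milliseconds, but let's be
+// safe with int pref storage on 32 bit
+// systems
+var next = now + (1 + 2 * Math.random()) * 3600 * 24; // 1-3 days from now
+if (last_updated == 0) {
+// first run
+this.prefs.setIntPref(due_pref,next);
+return null;
+}
+if (now <= update_due) {
+return null;
+}
+var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
 .createInstance(Ci.nsIXMLHttpRequest);
 
 req.open("GET", "https://s.eff.org/files/X509ChainWhitelist.json", true);
@@ -565,28 +578,29 @@ SSLObservatory.prototype = {
 req.onreadystatechange = function() {
 if (req.status == 200) {
 if (typeof req.response != "object") {
-that.log(5, "INSUFFICIENT WHITELIST OBJECTIVITY");
+that.log(WARN, "INSUFFICIENT WHITELIST OBJECTIVITY");
 return false;
 }
 var whitelist = req.response;
 var c = 0;
 for (var hash in whitelist) {
 c++;
 if (typeof hash != "string" || hash.length != 64 ) {
-that.log(5, "UNACCEPTABLE WHITELIST HASH " + hash);
+that.log(WARN, "UNACCEPTABLE WHITELIST HASH " + hash);
 return false;
 }
 }
 if (c < MIN_WHITELIST || c > MAX_WHITELIST) {
-that.log(5, "Invalid chain whitelist of size " + c);
+that.log(WARN, "Invalid chain whitelist of size " + c);
 return false;
 }
-that.log(4, "Replacing chain whitelist...");
+that.log(NOTE, "Replacing chain whitelist...");
 that.whitelist = whitelist;
-that.log(5, "Got valid whitelist..." + JSON.stringify(whitelist));
-that.updateCertWhitelist();
+that.log(WARN, "Got valid whitelist..." + JSON.stringify(whitelist));
+that.saveCertWhitelist();
+that.prefs.setIntPref(due_pref,next);
 } else {
-that.log(4, "Unexpected response status " + req.status + " fetching chain whitelist");
+that.log(NOTE, "Unexpected response status " + req.status + " fetching chain whitelist");
 return false;
 }
 }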
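Review bot: `last_updated` in the first-run check `if (last_updated == 0) {` is not declared anywhere in the added body of maybeUpdateCertWhitelist; the pref is read into `update_due`, so unless a global of that name exists outside the visible lines this throws a ReferenceError on every call. Because the constructor now calls `this.maybeUpdateCertWhitelist();` before the "Loaded observatory component!" log line, the exception would likely interrupt component start-up, and the whitelist would never be refreshed or saved. The check should read `if (update_due == 0) {`. Separately, `next` is a fractional number of seconds, so `Math.floor(now + ...)` before the two `setIntPref(due_pref,next)` calls would make the stored integer explicit rather than relying on implicit coercion. The function body continues past the end of the last hunk.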

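--- a/src/defaults/preferences/preferences.js
+++ b/src/defaults/preferences/preferences.js
@@ -42,3 +42,5 @@ pref("extensions.https_everywhere._observatory.priv_dns",false);
 pref("extensions.https_everywhere._observatory.send_asn",true);
 pref("extensions.https_everywhere._observatory.use_whitelist",true);
 pref("extensions.https_everywhere._observatory.clean_config",false);
+
+pref("extensions.https_everywhere._observatory.whitelist_update_due",0);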
