(CC-ing DD as I found this bug he reported asking about the same
thing: https://bugzilla.mozilla.org/show_bug.cgi?id=908046)

On 17 July 2014 07:33, Patrick McManus <pmcma...@mozilla.com> wrote:
> If there would be a reduced risk by scoping the feature to debug builds I
> would agree with you that it should be scoped. But Ryan suggests there
> isn't. My much less informed opinion tends to agree with him.

I agree that the level of access needed to exploit this feature is
identical to a level of access that could subvert the system in other
ways.  My concern is about the level of persistence needed to subvert
the system via this method or another. Even if an attacker needs the
same level of access, I don't believe that things that make an
attacker do more work, or be more noisy about their compromise, are
useless.

With the feature available, an attacker could ship SSL key information
off the system without binary modifications, filesystem modifications,
additional running processes, libraries loaded into memory. There are
not a lot of indicators of compromise, especially from a disk image
scenario - which is the usual forensics situation.

> I do want to point out that there is considerable value in the current
> arrangement - "developing" turns out to have layers. I'm a core Firefox
> developer - Nick and I write the http/2 code and indeed we generally do it
> with debug builds. So it's not relevant to my day to day coding.
>
> But a huge part of protocol development happens in the next layer - interop
> testing between different servers and on networks with different gear than
> is covered by the initial tests. That just takes lots of diversity and some
> time. The tail of this pretty much goes on forever - it's not just new
> protocols.
>
> When a problem shows up on bugzilla a pcap is often the sensible course of
> action. These bug reporters are part of development too - hopefully they're
> running pre-release channels but sometimes they are not. They "dogfood" the
> product day to day and can't be using debug builds for that because it's
> just too slow. Asking them to download a debug build to file a bug report
> will often result in no bug report. So that's the value of the current
> setup on the client side - it increases the debuggability of the product.
> That's a big deal.

I understand, and I can certainly appreciate the convenience of this
as a debugging tool.  A search of Bugzilla for 'SSLKEYLOGFILE' in the
comments did not lead me to any results, although I did find the bugs
where it was changed[0] - it seems it may have been done more to
support Chrome than Firefox.

-tom

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=536474 and
https://bugzilla.mozilla.org/show_bug.cgi?id=762763
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
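
An added example, not part of the original message and not Mozilla or NSS code: a live-response check for the SSLKEYLOGFILE setting discussed in this thread, listing running processes that were started with the variable in their environment. It assumes a Linux host, where /proc/<pid>/environ holds the NUL-separated environment a process was started with; the function names and the sample process tree are constructed for illustration.

```python
import os
import tempfile

VAR = "SSLKEYLOGFILE"  # environment variable named in the thread


def parse_environ(blob: bytes) -> dict:
    """Parse a Linux /proc/<pid>/environ blob (NUL-separated KEY=VALUE)."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def find_keylog_processes(proc_root: str = "/proc") -> list:
    """Return (pid, comm, path) for each process with SSLKEYLOGFILE set."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
            with open(os.path.join(base, "comm"), "rb") as fh:
                comm = fh.read().decode("utf-8", "replace").strip()
        except OSError:
            continue  # process exited or we lack permission to read it
        if env.get(VAR):
            hits.append((int(name), comm, env[VAR]))
    return sorted(hits)


def build_sample_proc(root: str) -> None:
    """Constructed sample data: a fake /proc tree with two processes."""
    samples = {
        "4100": (b"firefox\n", b"HOME=/home/a\0SSLKEYLOGFILE=/tmp/.k\0LANG=C\0"),
        "4200": (b"bash\n", b"HOME=/home/a\0PATH=/usr/bin\0"),
    }
    for pid, (comm, environ) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "comm"), "wb") as fh:
            fh.write(comm)
        with open(os.path.join(root, pid, "environ"), "wb") as fh:
            fh.write(environ)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        for pid, comm, path in find_keylog_processes(tmp):
            print(f"pid={pid} comm={comm} {VAR}={path}")
```

Run against the real /proc as root to cover other users' processes; unreadable entries are skipped rather than reported.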
