On 27/02/2018 17:20, Wayne Thayer wrote:
I am seeking input on this proposal:
Work is underway to allow Firefox add-ons to read certificate information
via WebExtensions APIs [1]. It has also been proposed [2] that the
WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to
change or ignore the normal results of certificate validation.
This capability existed in the legacy Firefox extension system that was
deprecated last year. It was used to implement stricter security mechanisms
(e.g. CertPatrol) and to experiment with new mechanisms such as Certificate
Transparency and DANE.
When used to override a certificate validation failure, this is a dangerous
capability, and it’s not clear that requiring a user to grant permission to
the add-on is adequate protection. One solution that has been proposed [4]
is to allow an add-on to affect the connection but not the certificate UI.
In other words, when a validation failure is overridden, the page will load
but the nav bar will still display it as a failure.
I would appreciate your constructive feedback on this decision. Should this
capability be added to the Firefox WebExtensions APIs?
- Wayne
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1322748
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1435951
[3] https://mail.mozilla.org/pipermail/dev-addons/2018-February/003629.html
[4] https://mail.mozilla.org/pipermail/dev-addons/2018-February/003641.html
How about allowing the WebExtensions to only request a worse result
(failure/lower trust) and to forcibly mark the origin (extension name)
of such restriction in the internal state and UI?
For example, an extension could mark lack of CT as non-EV (i.e. not
green). Or it could completely fail certificates found in some CRL
representation.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
