Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-03-03 Thread Andrew via dev-security-policy
On Wednesday, February 28, 2018 at 7:32:27 PM UTC-6, Ryan Hurst wrote: > On Wednesday, February 28, 2018 at 10:42:25 AM UTC-8, Alex Gaynor wrote: > > If the "fail verification only" option is not viable, I personally think we > > shouldn't expose this to extensions. > > > > I agree, there are

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-03-02 Thread Wayne Thayer via dev-security-policy
Thanks everyone for your input on this topic. The consensus seems to be that allowing WebExtensions to muck with certificate validation decisions is a bad idea. The bug [1] has been updated with that sentiment and a link to this discussion. - Wayne [1]

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-28 Thread Ryan Hurst via dev-security-policy
On Wednesday, February 28, 2018 at 10:42:25 AM UTC-8, Alex Gaynor wrote: > If the "fail verification only" option is not viable, I personally think we > shouldn't expose this to extensions. > I agree, there are far too many ways this will be abused and the cases in which it would be useful are

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-28 Thread Alex Gaynor via dev-security-policy
If the "fail verification only" option is not viable, I personally think we shouldn't expose this to extensions. I don't think the ability to experiment with new trust models for the web is worth the price we'd be paying in malicious-extension risk, in fracturing the ecosystem risk, or in general

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-28 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 28, 2018 at 11:54 AM, Tom Ritter via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Of the examples I gave (Cert Patrol, Perspectives, Convergence, DANE, > DNSSEC-Stapling) - every single one of them would not actually allow > experimenting with Server

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-28 Thread Tom Ritter via dev-security-policy
On 27 February 2018 at 10:23, Alex Gaynor via dev-security-policy wrote: > A reasonable compromise that jumps out to me is allowing extensions to make > an otherwise-secure connection fail, but not allow them to rehabilitate an > insecure connection. This

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-28 Thread Kurt Roeckx via dev-security-policy
On 2018-02-27 17:23, Alex Gaynor wrote: A reasonable compromise that jumps out to me is allowing extensions to make an otherwise-secure connection fail, but not allow them to rehabilitate an insecure connection. This would allow experimenting with stricter controls while avoiding some of the

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-28 Thread Dimitris Zacharopoulos via dev-security-policy
On 28/2/2018 1:52 AM, Ryan Sleevi via dev-security-policy wrote: On Tue, Feb 27, 2018 at 6:15 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: In the bug I referenced as [2], people said that they specifically need to be able to override "negative"

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Jakob Bohm via dev-security-policy
On 27/02/2018 17:20, Wayne Thayer wrote: I am seeking input on this proposal: Work is underway to allow Firefox add-ons to read certificate information via WebExtensions APIs [1]. It has also been proposed [2] that the WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 27, 2018 at 6:15 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In the bug I referenced as [2], people said that they specifically need to > be able to override "negative" certificate validation decisions, so they > may not see this as a

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Peter Saint-Andre via dev-security-policy
On 2/27/18 4:15 PM, Wayne Thayer wrote: > On Tue, Feb 27, 2018 at 3:40 PM, Peter Saint-Andre via > dev-security-policy > wrote: > > On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote: > > Hi,

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 27, 2018 at 3:40 PM, Peter Saint-Andre via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote: > > Hi, > > > > On Tue, 27 Feb 2018 09:20:33 -0700 > > Wayne Thayer via dev-security-policy > >

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Peter Saint-Andre via dev-security-policy
On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote: > Hi, > > On Tue, 27 Feb 2018 09:20:33 -0700 > Wayne Thayer via dev-security-policy > wrote: > >> This capability existed in the legacy Firefox extension system that >> was deprecated last year.

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Hanno Böck via dev-security-policy
Hi, On Tue, 27 Feb 2018 09:20:33 -0700 Wayne Thayer via dev-security-policy wrote: > This capability existed in the legacy Firefox extension system that > was deprecated last year. It was used to implement stricter security > mechanisms (e.g. CertPatrol)

RE: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Tim Hollebeek via dev-security-policy
mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Allowing WebExtensions to Override Certificate Trust Decisions > > I am seeking input on this proposal: > > Work is underway to allow Firefox add-ons to read certificate information via > WebExtensions APIs [1]. It has also be

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Matthew Hardeman via dev-security-policy
Altering the security UI based on a third party extension seems risky in either direction. If a broad pinning scheme was unlikely to cause problems, HPKP would still be a thing. Other criteria for stricter than standard validation seem hard to guarantee over the long haul also. Even if a whole

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Ryan Sleevi via dev-security-policy
Chrome has, to date, intentionally rejected the ability of extensions to modify the connection security attributes in this way. Mozilla will need to make a call based on its trust of the extensions ecosystem, the potential for harm, and the various other impacts. For example, an extension that

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread jomo via dev-security-policy
IMHO it should be possible to affect the connection and the UI. This would allow plug-ins for alternative certificate validation methods, such as Convergence (https://en.wikipedia.org/wiki/Convergence_%28SSL%29) / FreeSpeechMe (https://bit.namecoin.org/freespeechme.html). While I agree that it is

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Alex Gaynor via dev-security-policy
A reasonable compromise that jumps out to me is allowing extensions to make an otherwise-secure connection fail, but not allow them to rehabilitate an insecure connection. This would allow experimenting with stricter controls while avoiding some of the really scary risks. Alex On Tue, Feb 27,

Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Wayne Thayer via dev-security-policy
I am seeking input on this proposal: Work is underway to allow Firefox add-ons to read certificate information via WebExtensions APIs [1]. It has also been proposed [2] that the WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to change or ignore the normal results of