Bug 1134506 Comment 48 Edit History
(In reply to Gervase Markham [:gerv] from comment #47)
> Any cert which is being added to root stores by widely-deployed software,
> and for which the private key is known, is a risk. We can examine the
> behaviour of software and installers we can see, but we don't know what
> those installers might have done last week, last month or last year. Without
> extensive research, we also don't know their full function, and under what
> circumstances running software may continue to edit root lists, and which
> root lists.
>
> Given that, I think we need to block all the Superfish/Komodia root certs we
> can get our hands on. (Bug 1134989 seems to point to several.)

I concur.

> zwol raises the reasonable point that this might leave people who are using
> Superfish/Komodia software unable to access the Internet at all in our
> browser, even to find uninstall instructions.

Correction: Dana Keeler raised this issue, not me (comment 38).

> This is a problem, and ideally
> we would be able to provide custom error messages of some sort. We don't
> have that capability now, though. I wonder how hard it would be to hack up a
> forced redirect to a URL on SuMO, where we can provide support information
> which can be enhanced as time goes on, even in different languages. This
> minimises the required changes to Firefox and doesn't give us an l10n
> problem.

Isn't there a chicken-and-egg problem with that? SuMO is HTTPS-only. I suppose there could be a separate, unencrypted "how to troubleshoot your network" site. This winds up feeding into the general problem of connectivity diagnostics; I do think we should be trying to do more there.

> In the medium term, I think "never do SSL MITM under any circumstances" is
> not a realistic position to take (although we can argue about which use
> cases are legitimate), and so we need to develop a plan whereby this sort of
> thing can be done with mandatory transparency. More on that later.
I recall you had a proposal for something like that a few years ago. Unfortunately, I do not see _any_ way of accomplishing it which avoids warning fatigue. Specifically, if you work in an environment (a law firm, say) that does SSL MITM for data exfiltration monitoring, you will have the "mandatory transparency" notification, whatever form it takes, visible all day at work, and you will learn not to notice it. Now you take your personal laptop to a coffee shop to write a novel. The bar's not supposed to appear -- but it does, because the coffee shop's WiFi router is compromised -- and you don't notice, because it's become normal.