Closed Bug 452314 Opened 16 years ago Closed 16 years ago

addons.mozilla.org should have an EV Cert

Categories

(mozilla.org Graveyard :: Server Operations: Projects, task)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: baz, Assigned: mrz)

Details

It was mentioned in passing in bug 450745 but I wanted to make an official request. We should get an EV Cert for addons.mozilla.org. We currently run the site under SSL and so should offer the highest level of confidence for end users. As fligtar says, https://www.papajohnsonline.com has one, why can't we?
already wontfixed 418038 - if this is just a "we want this cause we can", we should do the same here.  johnath commented on why it's not important to us, and there is a significant cost/time investment needed to get an EV cert.  can you outline reasons on why you want this?
johnath also said:

(In reply to comment #6)
> Still though - it's a high outlay, and the trust decisions most of our SSL
> sites (bugzilla, litmus, etc) require are really not about disclosing identity
> information beyond maybe an email address.  If we got it for any sites, it
> would be ones where it was most important that people knew they were getting
> the real deal - maybe AMO, or the store, where people are making a choice about
> taking real risks (downloading software, sending financial details).

AMO seems like an appropriate place for an EV cert not because we can, but because we want users to know they're getting their extensions from Mozilla.
addons come off releases.mozilla.org, so this really wouldn't secure the distribution channel for addons...
The user browses addons.m.o, not releases.m.o, so that's where the extra identity information is useful (i.e. they can check to make sure that they're dealing with Mozilla using the Firefox 3 UI before clicking the "install" button).

Addons also serves hashes for the files on releases.m.o (which are used to check the integrity of the file at install time), so this actually does improve the security of the distribution channel for addons (albeit indirectly).
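The indirect protection described in the comment above, as an added example that is not part of the original thread: a hash obtained over the authenticated site is used to verify a file fetched from a separate download host. The `algorithm:hexdigest` string format, the allow-list and all names here are assumptions for illustration, not Mozilla's code.

```python
import hashlib
import hmac
import io

# Assumption: only these digest algorithms are accepted from the listing.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


def parse_hash(spec):
    """Split an 'algorithm:hexdigest' string and validate both halves."""
    algo, sep, hexdigest = spec.partition(":")
    algo = algo.lower()
    if not sep or algo not in ALLOWED_ALGORITHMS:
        raise ValueError("missing or disallowed hash algorithm: %r" % algo)
    expected = bytes.fromhex(hexdigest)  # ValueError on malformed hex
    if len(expected) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match %s" % algo)
    return algo, expected


def verify_download(stream, spec, chunk_size=65536):
    """Hash the downloaded bytes and compare with the listed digest."""
    algo, expected = parse_hash(spec)
    digest = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(digest.digest(), expected)


# Constructed sample data: the "listing" value stands for what the
# HTTPS-protected site serves; the bytes stand for the mirror's file.
PACKAGE = b"constructed add-on package bytes"
LISTED_HASH = "sha256:" + hashlib.sha256(PACKAGE).hexdigest()

if __name__ == "__main__":
    print(verify_download(io.BytesIO(PACKAGE), LISTED_HASH))
    print(verify_download(io.BytesIO(PACKAGE + b"tampered"), LISTED_HASH))
```

The check is only as trustworthy as the channel that delivered the listed hash, which is why the certificate on the listing site matters even though the file comes from another host.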
yup - talked the hash stuff through with shaver and given that, this makes more sense.  think johnath has some contacts who might be able to set us up - waiting on him for that (should be back from vacation soon).
Just so that we are clear...we want to offer it to end users on addons.mozilla.org since that's the end user facing site that gives the highest level of confidence about the site and its page content.

(Another thing that gives users confidence is having signatures in the add-ons to help users feel safe when they see the add-on install dialog in Firefox - signed by Author X instead of "Author not verified" but that is out of scope for this bug.)
Assignee: server-ops → mrz
Component: Server Operations → Server Operations: Projects
taking this to work with the ev cert vendor.  do we have a csr?
Assignee: mrz → justin
Subject: C=US, ST=California, L=Mountain View, O=Mozilla Corporation, OU=Mozilla Add-ons, CN=addons.mozilla.org/emailAddress=hostmaster@mozilla.com
In bug 456666 comment 1, dveditz says that he installed a new EV cert on AMO. Can you guys confirm that? I'm hitting addons.mozilla.org with Fx 3 and I'm still seeing the old cert.
(In reply to comment #10)
> In bug 456666 comment 1, dveditz says that he installed a new EV cert on AMO.
> Can you guys confirm that. I'm hitting addons.mozilla.org with Fx 3 and I'm
> still seeing the old cert.

-I- installed the EV cert yesterday - if you're running something less than
Firefox 3.0.2 you won't see the EV part.  johnath said so in an email outside
of this bug.

The new EV cert should have the OU set to "Mozilla Add-ons".  The older
certificate was the *.mozilla.org wild card certificate and has an OU of
"Secure Web Server" so it's easy to tell which you have (I suspect you're not
yet on 3.0.2).

The problem in bug 456666 probably has to do with Firefox (incorrectly?)
treating addons.update.mozilla.org as a *.mozilla.org CN, which, IIRC, should
only be one level deep (so not *.*.mozilla.org).
Assignee: justin → mrz
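The two checks mentioned in the comment above, as an added example that is not part of the original thread: reading the subject OU to tell the certificates apart, and the rule that `*` in a certificate name covers exactly one label. The certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, using only the subject values quoted in this bug; function names are illustrative.

```python
def subject_field(cert, name):
    """Return the first `name` attribute from a getpeercert()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


def wildcard_matches(pattern, hostname):
    """Match a certificate name against a hostname.

    A leading '*' stands for exactly one non-empty label, so it never
    spans a dot. Partial wildcards such as 'a*.example' are treated as
    literals here (a simplification).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def describe(cert, hostname):
    """Summarise which certificate was served and whether its CN fits."""
    cn = subject_field(cert, "commonName")
    return {
        "ou": subject_field(cert, "organizationalUnitName"),
        "cn": cn,
        "name_ok": cn is not None and wildcard_matches(cn, hostname),
    }


# Constructed sample data using the OU and CN values quoted in the thread.
EV_CERT = {"subject": (
    (("organizationName", "Mozilla Corporation"),),
    (("organizationalUnitName", "Mozilla Add-ons"),),
    (("commonName", "addons.mozilla.org"),),
)}
WILDCARD_CERT = {"subject": (
    (("organizationalUnitName", "Secure Web Server"),),
    (("commonName", "*.mozilla.org"),),
)}

if __name__ == "__main__":
    print(describe(EV_CERT, "addons.mozilla.org"))
    print(describe(WILDCARD_CERT, "addons.update.mozilla.org"))
```

This matches on the CN because that is what the thread discusses; current clients take host names from the subjectAltName extension, where the same one-label rule applies.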
OK, updated to Fx 3.0.2 and now I'm seeing the EV Cert. Awesome! Thank you all for making this happen. Resolving as fixed.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Woo
Status: RESOLVED → VERIFIED
> > In bug 456666 comment 1, dveditz says that he installed a new EV cert 
> -I- installed the EV cert yesterday

I did not claim to have installed the cert personally, I said "we" (Mozilla) changed the cert as part of an explanation of why a domain that formerly matched the wildcard cert started getting errors on that day.
Product: mozilla.org → mozilla.org Graveyard