Closed Bug 1077323 Opened 9 years ago Closed 1 year ago
Domain Authenticated Named Entities against MITM-attacks
(Core :: Security: PSM, defect)
(Reporter: mozilla, Unassigned)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140924083558

Steps to reproduce:
Intelligence agencies and other criminals use TLS certificates gained from CAs by trickery to run Man-In-The-Middle attacks against Firefox users who rely on TLS encryption and authorization.

Actual results:
MITM attack is successful if no other authentication mechanism is used than CAs. Certificate pinning is only manageable for a few well-used domains but not for the mass of existing domains.

Expected results:
Firefox uses "Domain Authenticated Named Entities" according to IETF RFC 6698 (http://tools.ietf.org/pdf/rfc6698) to validate the TLS certificate. Two traffic lights should show the states:

DNSSEC:
- Green: DNSSEC validation successful
- Yellow: No DNSSEC RRs for hostname
- Red: Validation of DNSSEC RRs failed

DANE:
- Green: TLSA validation successful
- Yellow: No TLSA RRs for hostname
- Red: Validation of TLSA RRs failed

In both "Red" cases Firefox should refuse to load/display data and show an error message.

DNSSEC proxying with DO-/AD-bit is snake oil, as a MITM attacker can suppress DNSSEC and forge plain DNS resource records. Do not use it!
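The three DANE states the report asks for (green / yellow / red) map directly onto the matching step of RFC 6698: each TLSA record names a certificate usage, a selector (full certificate or SubjectPublicKeyInfo) and a matching type (exact, SHA-256 or SHA-512), and the client checks the server's presented certificates against them. The following is an added example written for this page, not code from Firefox or from the DNSSEC/TLSA Validator add-on. It implements only the TLSA-to-certificate matching step; the names `TLSA`, `dane_state`, `spki_from_cert` and `make_test_cert` are this example's own, the certificate it builds is a constructed DER skeleton rather than a real X.509 certificate, and it assumes the TLSA RRset has already been DNSSEC-validated by a local validator (the reporter's point about not trusting a proxy's AD bit still applies before this code runs).

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA resource record (RFC 6698 section 2.1)."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Split TLSA wire-format RDATA into its four fields."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV (single-byte tags only); return (tag, content, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    """Return [(tag, raw_tlv_bytes)] for the elements of a SEQUENCE body."""
    pos, out = 0, []
    while pos < len(content):
        start = pos
        tag, _, pos = _read_tlv(content, pos)
        out.append((tag, content[start:pos]))
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Extract the raw SubjectPublicKeyInfo TLV (selector 1) from a DER cert."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_raw = _children(cert_body)[0]   # tbsCertificate
    _, tbs_body, _ = _read_tlv(tbs_raw, 0)
    fields = _children(tbs_body)
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("malformed TBSCertificate")
    return fields[5][1]


def tlsa_matches(rr: TLSA, cert_der: bytes) -> bool:
    """Apply the record's selector and matching type to one certificate."""
    data = cert_der if rr.selector == 0 else spki_from_cert(cert_der)
    if rr.mtype == 0:
        return data == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(data).digest() == rr.data
    return hashlib.sha512(data).digest() == rr.data


def dane_state(tlsa_records, chain) -> str:
    """Traffic-light state from the bug report: 'green', 'yellow' or 'red'.

    chain[0] is the end-entity certificate, the rest are the issuers the
    server presented. Usages 1 and 3 are checked against the end-entity
    only; usages 0 and 2 may match any presented certificate. PKIX path
    validation for usages 0-2 is out of scope here. Records with unknown
    field values are unusable and skipped; a set with no usable records is
    treated like an empty set (an assumption made by this example).
    """
    usable = [rr for rr in tlsa_records
              if rr.usage in (0, 1, 2, 3) and rr.selector in (0, 1)
              and rr.mtype in (0, 1, 2)]
    if not usable:
        return "yellow"                     # no (usable) TLSA RRs
    for rr in usable:
        candidates = chain[:1] if rr.usage in (1, 3) else chain
        if any(tlsa_matches(rr, c) for c in candidates):
            return "green"                  # TLSA validation successful
    return "red"                            # records present, none match


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_test_cert(pubkey_bits: bytes):
    """Constructed certificate skeleton for testing; returns (cert_der, spki).

    Structurally it is SEQUENCE{tbs, sigAlg, signature} with the TBS fields
    in RFC 5280 order, but it is unsigned and not a usable X.509 certificate.
    """
    rsa_oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    spki = _der(0x30, _der(0x30, rsa_oid) + _der(0x03, b"\x00" + pubkey_bits))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # version v3
               + _der(0x02, b"\x01")             # serialNumber
               + _der(0x30, rsa_oid)             # signature algorithm
               + _der(0x30, b"")                 # issuer (placeholder)
               + _der(0x30, b"")                 # validity (placeholder)
               + _der(0x30, b"")                 # subject (placeholder)
               + spki)
    cert = _der(0x30, tbs + _der(0x30, rsa_oid) + _der(0x03, b"\x00" + b"\xAA" * 8))
    return cert, spki


if __name__ == "__main__":
    ee, ee_spki = make_test_cert(b"\x01\x02\x03")
    rr = TLSA(3, 1, 1, hashlib.sha256(ee_spki).digest())   # "3 1 1" DANE-EE
    print(dane_state([rr], [ee]))                           # green
    print(dane_state([], [ee]))                             # yellow
    print(dane_state([TLSA(3, 1, 1, b"\x00" * 32)], [ee]))  # red
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one most deployments publish, because it survives certificate renewals that keep the same key; the example also handles the full-certificate and exact-match variants and the trust-anchor usages, where the record may match an issuer certificate rather than the leaf.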
9 years ago
Have a look at the Firefox-Addon "DNSSEC/TLSA Validator" (https://www.dnssec-validator.cz/) for implementation details.
9 years ago
OS: Linux → All
Hardware: x86_64 → All
5 years ago
Hello, DANE support is still missing from Firefox. Since Firefox 57 any options to implement DANE support via extensions were also eliminated. I think Firefox can benefit from a DANE implementation because sites with DANE-only certificates will attract an additional audience for the Firefox browser (and vice versa).
3 years ago
Component: Security → Security: PSM
See Also: → 672600
This should be invisible to the user and show a security exception if DANE fails or block access if DANE fails with HSTS enabled.
DANE should be more trusted than a CA and enable use of self-signed certificates.
Currently we have no plans to support this.
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX