Closed Bug 1077323 Opened 9 years ago Closed 1 year ago

Domain Authenticated Named Entities against MITM-attacks

(Core :: Security: PSM, defect)

(Reporter: mozilla, Unassigned)

(Keywords: sec-want)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140924083558

Steps to reproduce:

Intelligence agencies and other criminals use TLS-certificates gained from CAs by trickery to run Man-In-The-Middle attacks against Firefox users which rely on TLS-encryption and -authorization.

Actual results:

MITM-Attack is successful if no authentication mechanism other than CAs is used. Certificate pinning is only manageable for a few well-used domains but not for the mass of existing domains.

Expected results:

Firefox uses "Domain Authenticated Named Entities" according to IETF RFC 6698 ( to validate the TLS-certificate. Two traffic-lights should show the states:

   Green:  DNSSEC-validation successful
   Yellow:  No DNSSEC-RRs for hostname
   Red:     Validation of DNSSEC-RRs failed

   Green:  TLSA-validation successful
   Yellow:  No TLSA-RRs for hostname
   Red:     Validation of TLSA-RRs failed

In both "Red"-cases Firefox should refuse to load/display data and show an error message. DNSSEC-proxying with DO-/AD-bit is snake-oil as a MITM-attacker can suppress DNSSEC and forge plain DNS resource records. Do not use it!
Have a look at the Firefox-Addon "DNSSEC/TLSA Validator" ( for implementation details.
Keywords: sec-want
OS: Linux → All
Hardware: x86_64 → All
Component: Untriaged → Security
Product: Firefox → Core
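As an added illustration of the TLSA check the reporter describes (example code written for this page, not Firefox, PSM or the DNSSEC/TLSA Validator add-on): it matches one TLSA record against an end-entity certificate per RFC 6698 and maps the DNSSEC and TLSA outcomes onto the two traffic lights above. It assumes the caller already has the certificate and its SubjectPublicKeyInfo as DER bytes plus a validating resolver's verdict; the DER blobs at the bottom are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    u, s, m, h = rdata.split(None, 3)
    return TLSA(int(u), int(s), int(m), bytes.fromhex(h.replace(" ", "")))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record vouches for the end-entity cert.  Only usages 1/3
    are handled (0/2 need the chain); unknown fields make it unusable."""
    if rec.usage not in (1, 3):
        return False
    if rec.selector == 0:
        subject = cert_der
    elif rec.selector == 1:
        subject = spki_der
    else:
        return False
    if rec.matching == 0:
        return subject == rec.data
    if rec.matching == 1:
        return hashlib.sha256(subject).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(subject).digest() == rec.data
    return False

def traffic_lights(dnssec: str, tlsa_rrs, cert_der: bytes, spki_der: bytes):
    """(dnssec_light, tlsa_light) per the reporter's scheme.  dnssec is the
    resolver outcome: 'secure', 'insecure' (unsigned zone) or 'bogus'.
    TLSA data is only consulted after 'secure': anything else may be forged."""
    dns_light = {"secure": "green", "insecure": "yellow", "bogus": "red"}[dnssec]
    if dns_light != "green":
        return dns_light, None
    if not tlsa_rrs:
        return dns_light, "yellow"
    ok = any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrs)
    return dns_light, "green" if ok else "red"

# Constructed stand-ins for DER blobs (not real certificates).
SAMPLE_CERT_DER = b"constructed-end-entity-certificate-der"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-der"
SAMPLE_RR = parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest())
```

A resolver that merely forwards the AD bit does not give the 'secure' input this needs; the validation has to happen in, or on a trusted path to, the client.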

DANE support is still missing from Firefox. Since Firefox 57, any options to implement DANE support via extensions have also been eliminated.

I think Firefox can benefit from a DANE implementation because sites with DANE-only certificates will attract an additional audience for the Firefox browser (and vice versa).
Component: Security → Security: PSM
See Also: → 672600

This should be invisible to the user and show a security exception if DANE fails or block access if DANE fails with HSTS enabled.

DANE should be more trusted than a CA and enable use of self-signed certificates.

Currently we have no plans to support this.

Closed: 1 year ago
Resolution: --- → WONTFIX