1188660 - Show a prominent infobar/banner when SSLKEYLOGFILE is active

Status: NEW

(Firefox :: Security, enhancement, P3)

Description

[Daniel Veditz [:dveditz]]

+++ This bug was initially created as a clone of Bug #1183318 +++

Should someone set the SSLKEYLOGFILE environment variable then all NSS cryptographic key information will be logged which could be used to compromise encrypted data and communication. This feature is useful (to an extremely small set of people) for debugging, but a much larger risk of snooping for the general public since it happens completely silently. Bug 1188657 is about disabling this functionality entirely in some builds, but in the builds where it is enabled Firefox should display a prominent warning banner that this logging is happening and that any encrypted communication could be compromised.

Rating this somewhat low as a security bug because an attacker does require some local access, but it's pretty trivial access that likely wouldn't be detected as an issue by security software like anti-virus and the consequences for misuse of this data could be huge.

Comment 1

[Samuel Bronson]

This would also help people who turned it on intentionally remember to turn it off.

Comment 3

[Mathew Hodson]

Chrome recently added a similar warning in https://crbug.com/991290

Comment 4

[Martin Thomson [:mt:]]

In bug 1468892, I discovered that Avast use SSLKEYLOGFILE to implement HTTPS interception. That's a very popular product and the default setting in that product. I suspect that this alone will result in this indicator being shown too often to be useful.

Having the notice something that can be dismissed might help, but that has a bunch of risks. I'm sure that we can work through those (like discarding dismissals when the value isn't set), but we need to be careful.