Closed Bug 1204261 Opened 10 years ago Closed 10 years ago

Allow certificate exceptions in Certificate Manager with HSTS

Categories

(Core :: Security: PSM, defect)

38 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: klasse, Unassigned)

References

(Blocks 2 open bugs)

Details

Currently, it seems impossible to use certificate exceptions with HSTS. That is a pity, because it disallows, with HSTS, such useful cases as:

- A simple pinning of server certificates by removing all built-in root CAs and adding exceptions for the used servers (useful if only a select few servers are ever connected to, e.g., as with Thunderbird, which connects to e-mail, feed and Mozilla (e.g. update) servers only)
- Use of self-signed certificates (e.g. for own web sites)

Please note that this is NOT a request to show the "I Understand the Risks" part of the "Untrusted Connection" page for the user to click through and accept an exception with HSTS. Rather, this refers to adding exceptions in the Certificate Manager window. Those exceptions should be respected with HSTS. (Currently, the exceptions can be added in the Certificate Manager, but the connection fails if the server is known to support HSTS, because the certificate issuer cannot be verified.)

Please see https://groups.google.com/forum/#!msg/mozilla.dev.security/Zs70gDSygqc/wwaC5N9xAwAJ for an argument that certificate exceptions wouldn't actually go against the HSTS spec.
Blocks: 1202511, 1092243
Blocks: 902884
OS: Unspecified → All
Hardware: Unspecified → All
I think what you want here is public key pinning: https://tools.ietf.org/html/rfc7469 For the self-signed certificate case, you can create your own CA, use it to issue a web server certificate, and have the server send the appropriate HPKP header. See also https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/
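To make the HPKP suggestion above concrete, the following is an added example (not Mozilla or Bugzilla code) of how an RFC 7469 pin is derived and checked: a pin is the base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, the header must carry at least one backup pin that does not match the served chain, and a user agent only honors the header on a connection whose chain already validates, which is why the comment recommends a private CA over a bare self-signed certificate. The SPKI blobs are constructed placeholders (valid DER framing around arbitrary point bytes), not real keys, and the function names are this example's own.

```python
"""HPKP (RFC 7469) pin derivation and validation, added as an illustration.

Not Mozilla code. The SubjectPublicKeyInfo values built here are constructed
placeholders: correct DER framing for a P-256 key, but with made-up point bytes.
"""
import base64
import hashlib
import re


def spki_pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 = base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_is_well_formed(pin: str) -> bool:
    """A pin-sha256 value must decode to exactly 32 bytes."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def constructed_ec_spki(x: bytes, y: bytes) -> bytes:
    """Wrap an uncompressed P-256 point in a SubjectPublicKeyInfo DER structure.

    Constructed for the example only: the point is not checked to lie on the curve.
    """
    assert len(x) == 32 and len(y) == 32
    # AlgorithmIdentifier: id-ecPublicKey with namedCurve prime256v1
    alg_id = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
    bit_string = b"\x03\x42\x00\x04" + x + y  # BIT STRING, 0 unused bits, 0x04 = uncompressed
    body = alg_id + bit_string                 # 21 + 68 = 89 bytes, fits a one-byte length
    return b"\x30" + bytes([len(body)]) + body


def build_pkp_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Assemble a Public-Key-Pins header value; RFC 7469 requires a backup pin."""
    if len(set(pins)) < 2:
        raise ValueError("RFC 7469 requires at least two distinct pins (one backup)")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_pkp_header(value: str) -> dict:
    """Extract pins, max-age and includeSubDomains from a header value."""
    directives = [d.strip() for d in value.split(";")]
    m = re.search(r"max-age=(\d+)", value)
    return {
        "pins": _PIN_RE.findall(value),
        "max_age": int(m.group(1)) if m else None,
        "include_subdomains": any(d.lower() == "includesubdomains" for d in directives),
    }


def validate_pinned_chain(chain_spki_der, header_value: str) -> bool:
    """Pin Validation as a user agent would apply it to an already-valid chain.

    True only if at least one pin matches an SPKI in the chain AND at least one
    pin matches nothing in the chain (the backup pin RFC 7469 insists on).
    """
    pins = set(parse_pkp_header(header_value)["pins"])
    chain_pins = {spki_pin_sha256(der) for der in chain_spki_der}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


if __name__ == "__main__":
    leaf = constructed_ec_spki(b"\x01" * 32, b"\x02" * 32)
    backup = constructed_ec_spki(b"\x03" * 32, b"\x04" * 32)
    header = build_pkp_header(
        [spki_pin_sha256(leaf), spki_pin_sha256(backup)], 5184000, True
    )
    print(header)
    print("chain pinned correctly:", validate_pinned_chain([leaf], header))
```

The backup-pin rule is the operational trap with HPKP: if the served chain matches every pin in the header (third assertion-style case in the usage), a conforming client must ignore the header, and a site that later loses the key for its only pin locks out every returning visitor until max-age expires. HPKP has since been withdrawn from major browsers for exactly that kind of self-inflicted lockout risk, so today the mechanism is mainly instructive for understanding how pin validation differs from the Certificate Manager exceptions this bug asks about.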
I agreed with that.

For the self-signed certificate case, I was going to write that there are cases when using an own CA wouldn't be possible. E.g., if a free web hoster doesn't want to pay for a CA, but to still use HSTS for its configuration site accessed by its users. Right now (without HSTS, and not actually advertised) they can use a self-signed cert, which a user would need to add as an exception. But since "Let's Encrypt" is about to get ready (and I think there are other freely available certs out there), they could get a signed cert for free. Which would be better than having to explain on a non-HSTS page how to manually add an exception (or a CA) to be able to access the configuration site. (And getting the user accustomed to such guides, making life of MitMs easier when they want to do that too.) So this example is not really valid.

As for the e-mail server certificate pinning case in Thunderbird: yes, public key pinning is the idea at the core. But additionally to the specified way to do that (and independently of whether pinning is used by the e-mail service), I would want, as a user in Thunderbird, to be able to pin one specific certificate (not two or a CA as in the spec). And the way to do that would be an extension like Certificate Patrol (which (currently) works with HTTPS only, not SMTPS, IMAPS or POP3S), which would pin a specific e-mail server certificate. I just hope that Thunderbird architecture allows for such access by an extension, like Firefox does with HTTPS (which is used by Certificate Patrol).

So, I guess in my specific case of wishing to pin e-mail server certificates in Thunderbird, I would need to wait for such a Thunderbird extension to arrive, and to hope that it does before all feed providers I'm interested in start using HSTS. (Feed aggregation services would be an option, too. But I think one shouldn't have to rely on those. While feed usage in Firefox is hardly an option, I find the way Thunderbird, as an e-mail client, presents them much better.)

Thank you for your feedback and feel free to close this bug report.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID