Handling downgrade attacks

NEW
Unassigned

Status

Core
DOM: Security
P3
normal
2 years ago
2 years ago

People

(Reporter: fkiefer, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog3])

An attacker can force Firefox to accept old, signed remote newtab pages.

This is probably not a problem as long as those pages are safe. But in case a "malicious"/bad newtab page got signed, we have to revoke the certificate.
If we want to have a more general solution to this, we would probably have to do something similar to bug 1280877.
Whiteboard: [domsecurity-backlog]
Priority: -- → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]