Closed Bug 452314 Opened 12 years ago Closed 12 years ago should have an EV Cert


( Graveyard :: Server Operations: Projects, task)




(Reporter: baz, Assigned: mrz)


It was mentioned in passing in bug 450745 but I wanted to make an official request. We should get an EV Cert for We currently run the site under SSL and so should offer the highest level of confidence for end users. As fligtar says, has one, why can't we?
already wontfixed 418038 - if this is just a "we want this cause we can", we should do the same here.  johnath commented on why it's not important to us, and there is a significant cost/time investment needed to get an EV cert.  can you outline reasons on why you want this?
johnath also said:

(In reply to comment #6)
> Still though - it's a high outlay, and the trust decisions most of our SSL
> sites (bugzilla, litmus, etc) require are really not about disclosing identity
> information beyond maybe an email address.  If we got it for any sites, it
> would be ones where it was most important that people knew they were getting
> the real deal - maybe AMO, or the store, where people are making a choice about
> taking real risks (downloading software, sending financial details).

AMO seems like an appropriate place for an EV cert not because we can, but because we want users to know they're getting their extensions from Mozilla.
addons come off, so this really wouldn't secure the distribution channel for addons...
The user browses addons.m.o, not releases.m.o., so that's where the extra identity information is useful (i.e. they can check to make sure that they're dealing with Mozilla using the Firefox 3 UI before clicking the "install" button).

Addons also serves hashes for the files on releases.m.o (which are used to check the integrity of the file at install time), so this actually does improve the security of the distribution channel for addons (albeit indirectly).
yup - talked the hash stuff through with shaver and given that, this makes more sense.  think johnath has some contacts who might be able to set us up - waiting on him for that (should be back from vacation soon).
Just so that we are clear...we want to offer it to end users on since that's the end user facing site that gives the highest level of confidence about the site and its page content.

(Another thing that gives users confidence is having signatures in the add-ons to help users feel safe when they see the add-on install dialog in Firefox - signed by Author X instead of "Author not verified" but that is out of scope for this bug.)
Assignee: server-ops → mrz
Component: Server Operations → Server Operations: Projects
taking this to work with the ev cert vendor.  do we have a csr?
Assignee: mrz → justin
        Subject: C=US, ST=California, L=Mountain View, O=Mozilla Corporation, OU=Mozilla Add-ons,

In bug 456666 comment 1, dveditz says that he installed a new EV cert on AMO. Can you guys confirm that. I'm hitting with Fx 3 and I'm still seeing the old cert.
(In reply to comment #10)
> In bug 456666 comment 1, dveditz says that he installed a new EV cert on AMO.
> Can you guys confirm that. I'm hitting with Fx 3 and I'm
> still seeing the old cert.

-I- installed the EV cert yesterday - if you're running something less than
Firefox 3.0.2 you won't see the EV part.  johnath said so in an email outside
of this bug.

The new EV cert should have the OU set to "Mozilla Add-ons".  The older
certificate was the * wild card certificate and has an OU of
"Secure Web Server" so it's easy to tell which you have (I suspect you're not
yet on 3.0.2).

The problem in bug 456666 probably has to do with Firefox (incorrectly?)
treating as a * CN, which, IIRC, should
only be one level deep (so not *.*
Assignee: justin → mrz
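The two checks described in the comment above (reading the OU to tell the two certificates apart, and a wildcard that covers only one label), as an added Python example that is not part of the original bug. The hostnames under example.org are constructed, the function names are hypothetical, and the subject parser assumes values contain no escaped commas.

```python
def subject_ou(subject):
    """Return all OU values from a 'K=V, K=V' subject string."""
    ous = []
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if sep and key.strip().upper() == "OU":
            ous.append(value.strip())
    return ous


def wildcard_matches(pattern, hostname):
    """True if hostname matches pattern; '*' covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans a dot, so label counts must agree
    if any(label == "" for label in h_labels):
        return False  # reject empty labels such as 'a..example.org'
    first, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcard is only honoured in the left-most label
    if first == "*":
        return rest == h_labels[1:]
    if "*" in first:
        return False  # partial wildcards ('w*') are not accepted here
    return p_labels == h_labels


if __name__ == "__main__":
    # Subject as quoted in this bug (the CN is elided on the page).
    new_subject = ("C=US, ST=California, L=Mountain View, "
                   "O=Mozilla Corporation, OU=Mozilla Add-ons,")
    print(subject_ou(new_subject))
    # Constructed hostnames: one level deep matches, two levels do not.
    for host in ("addons.example.org", "a.b.example.org", "example.org"):
        print(host, wildcard_matches("*.example.org", host))
```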
OK, updated to Fx 3.0.2 and now I'm seeing the EV Cert. Awesome! Thank you all for making this happen. Resolving as fixed.
Closed: 12 years ago
Resolution: --- → FIXED
> > In bug 456666 comment 1, dveditz says that he installed a new EV cert 
> -I- installed the EV cert yesterday

I did not claim to have installed the cert personally, I said "we" (Mozilla) changed the cert as part of an explanation of why a domain that formerly matched the wildcard cert started getting errors on that day.
Product: → Graveyard