Bug 645502 - add defense in depth warnings when certificate info looks suspicious
Status: NEW
Product: Firefox
Classification: Client Software
Component: Page Info Window
Version: unspecified
Platform: x86 All
Importance: -- normal with 2 votes
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
: Florian Quèze [:florian] [:flo]
Depends on: 489347 642503 645819
Reported: 2011-03-27 08:35 PDT by chris hofmann
Modified: 2014-06-29 17:55 PDT
CC List: 5 users
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description chris hofmann 2011-03-27 08:35:22 PDT
There are at least a couple of add-ons and services with ideas about how to surface info to users when they could be under MitM attack.

a few of these were mentioned in

"...There are several ways users can detect MITM attacks, even when the certificate seems to be signed by a trusted CA. There are, for example, Firefox plugins available from Certificate Patrol as well as Perspectives that can help users by alerting on “new” certificates that have not been seen before. "

we should consider adding ways to surface this info for situations like

[Bug 642395] Deal with bogus certs issued by Comodo partner
[Bug 643056] Revocation isn't enough
Recommend Removing RSA Security 1024 V3 root certificate authority
Options --

and other cases where certificates have been compromised or are suspect.
Comment 1 chris hofmann 2011-03-27 20:50:59 PDT
More on some usability improvements and ideas on Trust on First Use and Persistence of Pseudonym (TOFU/POP) in some slides by Chris Palmer. Ideas developed with Seth Schoen and Peter Eckersley.
Comment 2 timeless 2011-03-28 13:35:59 PDT
bug 645819 Write an extension which auto-imports CRLs when it finds them
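
The idea raised in the description (alerting on "new" certificates that have not been seen before) and the trust-on-first-use approach from comment 1, sketched as an added example that is not part of this bug thread and is not code from Firefox or from any add-on named here. The `PinStore` class, its record fields, the 30-day renewal window and the sample values are assumptions made for illustration.

```javascript
// Added example: trust-on-first-use check for a changed server certificate.
// PinStore, its fields and the 30-day window are hypothetical choices.
const DAY_MS = 24 * 60 * 60 * 1000;
const RENEWAL_WINDOW_DAYS = 30;

class PinStore {
  constructor() {
    this.pins = new Map(); // lower-cased host -> last accepted certificate summary
  }

  // cert: { fingerprint: string, issuer: string, notAfter: Date }
  // now: Date at which the certificate was observed
  observe(host, cert, now) {
    const key = host.toLowerCase();
    const prev = this.pins.get(key);
    if (!prev) {
      this.pins.set(key, cert); // first contact: nothing to compare against
      return { status: "first-use", reasons: [] };
    }
    if (prev.fingerprint === cert.fingerprint) {
      return { status: "unchanged", reasons: [] };
    }
    const reasons = [];
    if (prev.issuer !== cert.issuer) reasons.push("issuer changed");
    const daysLeft = (prev.notAfter.getTime() - now.getTime()) / DAY_MS;
    if (daysLeft > RENEWAL_WINDOW_DAYS) {
      reasons.push("previous certificate was not near expiry");
    }
    if (reasons.length === 0) {
      this.pins.set(key, cert); // looks like routine renewal by the same CA
      return { status: "renewed", reasons };
    }
    // Keep the old pin so the warning repeats until the user decides.
    return { status: "suspicious", reasons };
  }
}

// Constructed sample data (not real certificates).
function runSample() {
  const store = new PinStore();
  const seen = new Date("2011-03-27T00:00:00Z");
  const original = { fingerprint: "AA:11", issuer: "Example CA One",
                     notAfter: new Date("2012-03-01T00:00:00Z") };
  const swapped = { fingerprint: "BB:22", issuer: "Example CA Two",
                    notAfter: new Date("2012-06-01T00:00:00Z") };
  return [original, original, swapped].map(
    (c) => store.observe("login.example.test", c, seen).status);
}
```

A certificate that changes issuer while the pinned one still has months of validity left is reported as `suspicious`; a same-issuer replacement inside the renewal window is accepted silently as `renewed`.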
