Bug 645502 - add defense in depth warnings when certificate info looks suspicious
Status: NEW
Product: Firefox
Classification: Client Software
Component: Page Info Window
Version: unspecified
Platform: x86 All
Importance: -- normal with 2 votes
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
Depends on: 489347 642503 645819
Reported: 2011-03-27 08:35 PDT by chris hofmann
Modified: 2014-06-29 17:55 PDT

Description chris hofmann 2011-03-27 08:35:22 PDT
there are at least a couple of addons and services with ideas about how to surface info to users when they could be under MitM attack.

a few of these were mentioned in

http://www.netresec.com/?page=Blog&month=2011-03&post=Network-Forensic-Analysis-of-SSL-MITM-Attacks

"...There are several ways users can detect MITM attacks, even when the certificate seems to be signed by a trusted CA. There are, for example, Firefox plugins available from Certificate Patrol as well as Perspectives that can help users by alerting on “new” certificates that have not been seen before. "

we should consider adding ways to surface this info for situations like

[Bug 642395] Deal with bogus certs issued by Comodo partner
[Bug 643056] Revocation isn't enough
Recommend Removing RSA Security 1024 V3 root certificate authority
Options -- http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc

and other cases where certificates have been compromised or are suspect.
Comment 1 chris hofmann 2011-03-27 20:50:59 PDT
more on some usability improvements and ideas on Trust on First Use and Persistence of Pseudonym (TOFU/POP) in some slides by Chris Palmer (noncombatant.org). Ideas developed with Seth Schoen and Peter Eckersley (eff.org).

https://docs.google.com/present/view?id=df9sn445_206ff3kn9gs&pli=1
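A minimal trust-on-first-use store in the spirit of the Certificate Patrol / Perspectives behaviour quoted in the description and the TOFU/POP idea in comment 1, written here as an added example (not Firefox code and not any of those add-ons): it pins the first certificate seen per host and, when a later one differs, flags the changes that look suspicious, namely a different issuer or a replacement well before the pinned certificate would have expired. Host names, issuer names and certificate bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed placeholder "certificates". A real store would hash the DER
# bytes received in the TLS handshake; these strings only stand in for them.
CERT_A = b"constructed DER: example.test, issued by Example CA 1"
CERT_B = b"constructed DER: example.test, issued by Example CA 2"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class TofuStore:
    """Trust on first use: remember the first cert per host, report later changes."""

    def __init__(self):
        self.pins = {}  # host -> {"fp", "issuer", "not_after", "first_seen"}

    def pin(self, host, der, issuer, not_after, now):
        """Record (or explicitly accept) a certificate for a host."""
        self.pins[host] = {"fp": fingerprint(der), "issuer": issuer,
                           "not_after": not_after, "first_seen": now}

    def observe(self, host, der, issuer, not_after, now):
        """Return (verdict, warnings); verdict is first-use, known or changed."""
        prev = self.pins.get(host)
        if prev is None:
            self.pin(host, der, issuer, not_after, now)
            return "first-use", []
        if prev["fp"] == fingerprint(der):
            return "known", []
        warnings = ["certificate differs from the one first seen on "
                    + prev["first_seen"].date().isoformat()]
        # Suspicious-looking changes: a different CA for the same host, or a swap long before expiry.
        if prev["issuer"] != issuer:
            warnings.append("issuer changed from %r to %r" % (prev["issuer"], issuer))
        if now < prev["not_after"] - timedelta(days=30):
            warnings.append("previous certificate was still valid for over 30 days")
        return "changed", warnings

def demo():
    """Walk one host through first use, a repeat visit and a CA change."""
    t0 = datetime(2011, 3, 27, tzinfo=timezone.utc)
    day = timedelta(days=1)
    store = TofuStore()
    first = store.observe("example.test", CERT_A, "Example CA 1", t0 + 365 * day, t0)
    again = store.observe("example.test", CERT_A, "Example CA 1", t0 + 365 * day, t0 + day)
    swapped = store.observe("example.test", CERT_B, "Example CA 2", t0 + 400 * day, t0 + 2 * day)
    return first, again, swapped
```

A legitimate key rotation, or a site served from several certificates at once, produces the same report, so the result is a warning to surface to the user, as the bug proposes, rather than a reason to block the connection.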
Comment 2 timeless 2011-03-28 13:35:59 PDT
bug 645819 Write an extension which auto-imports CRLs when it finds them