Closed Bug 663671 Opened 13 years ago Closed 8 years ago

Minimize impact of NSS and NSPR environment variables on security of Mozilla products

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: briansmith, Unassigned)

References

(
URL
)

Details

(Keywords: sec-audit, Whiteboard: [sg:audit]) 

NSS has quite a few environment variables [1] that affect its functionality in security-sensitive ways. For example, NSS_ENABLE_PKIX_VERIFY=1 exposes Firefox to bugs 551429 in libpkix, that it wouldn't be exposed to if we ignored the NSS_ENABLE_PKIX_VERIFY variable. Since we do not test with any of these veriables set, it makes sense to minimize the impact they have on Firefox.

We should document to what extent we (MoCo and Mozilla in general) support configurations where these variables are set. Also, we should consider the impact that these variables should have on the Firefox trademark policy (e.g. do we allow Linux distros to distribute "unmodified" binaries whose functionality is being modified through these variables).

My inclination is to make Firefox and Thunderbird insensitive to as many of these variables as possible, to recommend against setting these variables, and to offer limited (perhaps no) support for bugs that occur when these variables are set, beyond recommending that they be unset.

[1] https://developer.mozilla.org/en/nss_reference/nss_environment_variables
(In reply to comment #0)
> 
> My inclination is to make Firefox and Thunderbird insensitive to as many of
> these variables as possible,

Please don't. The whole point of having the variables is to enable testing of NSS with Firefox.


> to recommend against setting these variables,
> and to offer limited (perhaps no) support for bugs that occur when these
> variables are set, beyond recommending that they be unset.

Sounds good to me.
Keywords: sec-audit
This doesn't seem like a huge win. In particular, due to mozilla::pkix Firefox isn't affected by NSS_ENABLE_PKIX_VERIFY. We should probably just address these on a case-by-case basis like we did for SSLKEYLOGFILE.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.