Closed Bug 686095 Opened 14 years ago Closed 14 years ago

Addons can silently disable certificate validation and alter errors that are presented to the user

Categories: Core :: Security: PSM, defect
Priority: Not set
Severity: major


RESOLVED DUPLICATE of bug 686134

People

(Reporter: briansmith, Unassigned)

Details

+++ This bug was initially created as a clone of Bug #644640 +++

Some well-intentioned extensions and plugins are automatically adding certificate error overrides and/or adding their own CA certificates to the users' trust database, so that resources that we would normally refuse to load for security reasons will sometimes or always load. This can be abused by malicious extensions and plugins to attack end-users that install those add-ons, without the end-user being aware or understanding that this is happening.

Examples of "good" add-ons that do this: "Perspectives", "Convergence", "Selenium" (I think), "MitM Me (Cert Error Bypass)", the plugin that Mozilla China helped CCB (China Construction Bank) build.
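The overrides comment 0 describes are persisted by PSM in the profile's cert_override.txt once an add-on calls nsICertOverrideService without the temporary flag, so a user or administrator can at least audit what has been added behind their back. The script below is an added example, not code from this bug or from any of the add-ons it names. It assumes the file format as I know it from Firefox's PSM (comment lines starting with '#', then tab-separated host:port, fingerprint-algorithm OID, fingerprint, override bits, dbkey, with the bits M = hostname mismatch, U = untrusted issuer, T = validity period); the sample file content is constructed with placeholder fingerprints. Temporary overrides live in memory only and never reach this file, and CA certificates injected into the trust database (cert8.db) need NSS tooling to inspect, so neither is covered here.

```python
"""Audit the permanent certificate-error overrides a Firefox profile has accumulated.

Added example; not code from bug 686095 or from any add-on it names.
Assumed file format (Firefox PSM, cert_override.txt in the profile directory):
comment lines start with '#'; every other line is tab-separated
    host:port  fingerprint-algorithm-OID  fingerprint  override-bits  dbkey
and override-bits is any subset of the letters
    M  hostname mismatch accepted
    U  untrusted issuer (unknown CA / self-signed) accepted
    T  validity-period (expired / not yet valid) error accepted
Temporary overrides (added with the `temporary` flag) are held in memory only
and never reach this file, so this check only sees the persistent ones.
"""
from dataclasses import dataclass
from typing import Dict, List

BIT_MEANING: Dict[str, str] = {
    "M": "hostname mismatch",
    "U": "untrusted issuer",
    "T": "validity period",
}

# Constructed sample file. Fingerprints and dbkeys are placeholders, not real certs.
SAMPLE_FILE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file!  Do not edit.\n"
    "intranet.example.test:443\tOID.2.16.840.1.101.3.4.2.1\t"
    "AA:AA:AA:AA\tT\tAAAAAAAAAAAA\n"
    "www.example.test:443\tOID.2.16.840.1.101.3.4.2.1\t"
    "BB:BB:BB:BB\tMU\tBBBBBBBBBBBB\n"
    "\n"
)


@dataclass
class Override:
    host: str
    port: int
    fingerprint: str
    bits: str

    def accepted_errors(self) -> List[str]:
        """Spell out which certificate errors this entry tells Firefox to ignore."""
        return [BIT_MEANING[b] for b in self.bits]


def parse_cert_override(text: str) -> List[Override]:
    """Parse cert_override.txt content; reject lines that do not fit the assumed format."""
    entries: List[Override] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected >= 4 tab-separated fields")
        hostport, _algo_oid, fingerprint, bits = fields[:4]
        # The port follows the last ':' so an IPv6 literal still splits correctly.
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"line {lineno}: bad host:port {hostport!r}")
        unknown = set(bits) - set(BIT_MEANING)
        if unknown:
            raise ValueError(f"line {lineno}: unknown override bits {sorted(unknown)}")
        entries.append(Override(host, int(port), fingerprint, bits))
    return entries


def mitm_enabling(entries: List[Override]) -> List[Override]:
    """Overrides that accept an untrusted issuer.

    That is exactly what a man-in-the-middle presenting a certificate from his own
    CA needs, and the kind of entry this bug worries an add-on could add silently.
    """
    return [e for e in entries if "U" in e.bits]


def report(text: str) -> List[str]:
    """One line per override, flagged when it accepts an untrusted issuer."""
    lines: List[str] = []
    for e in parse_cert_override(text):
        flag = "MITM-CAPABLE " if "U" in e.bits else ""
        lines.append(f"{flag}{e.host}:{e.port} accepts: {', '.join(e.accepted_errors())}")
    return lines


if __name__ == "__main__":
    import sys

    # Usage: python audit_overrides.py /path/to/profile/cert_override.txt
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_FILE
    for row in report(data):
        print(row)
```

Run against a real profile directory and compare the output with the overrides the user remembers clicking through; anything with the U bit that the user did not add is either an add-on at work or an attacker who already had local access. A hostname-only or expiry-only override is far less dangerous, because the issuer is still a CA the browser trusts.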
Forgive me if I'm being dense, but I can't tell what this bug is about... designing an API for good uses of this approach so some element of the Firefox UI remains?
Brad, you mentioned to me that you thought one of the reasons for not fixing #644640 was this issue of buggy/malicious extensions "messing up" certificate validation. This line of reasoning doesn't make a lot of sense to me. One overarching point is that because FF extensions run arbitrary code, they can always cause security bugs. That's the tradeoff you get for being an extensible browser. If we wanted an API that implemented allegedly benevolent dictatorship, we'd be coding for Chrome ;).

One example of why we're tearing our hair out over this issue is that the Decentralized SSL Observatory (https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission) can't get copies of invalid TLS certificates that are sent to the user's browser unless the user clicks through the security dialog. What that means is that our extension can't detect/study an attack like this one: https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook unless the user has actually fallen victim to the attack!
Agreed, I think this bug is a step backwards. Addons can execute arbitrary code, and the potential for malicious addons is somewhat infinite. Even if malicious addons were not able to intercept SSL traffic, they could simply intercept keystrokes and transmit those home instead. It'd be a lot easier.

The truth is that these problems with CAs are going to continue. I believe that right now, browser vendors have a choice. They can either continue with half-measures, issuing harried responses to work around broken revocation mechanisms once compromises become known (months or years after the damage has begun), or they can choose to get out ahead of the problem by developing something that fixes it once and for all. I believe that Mozilla should, for the sake of itself and others, be encouraging the development of new solutions in this space by making it possible for others to innovate and test the waters.

The lengths that Convergence has to go through in order to function on Firefox (basically run a MITM proxy in the browser in JS) are pretty prolific, and it requires a lot of work to maintain through the rapid release cycle. The complexity of the code generates corner cases that cause problems for users with specific setups, increasing the amount of time that we have to spend fixing bugs instead of honing the solution to something that could ultimately work for everyone. People want this, and I believe that our experimentation could likely help Mozilla in the long-term. I would hope that Mozilla could help facilitate it, rather than discuss mechanisms to prevent it.
(In reply to Peter Eckersley from comment #2)
> One example of why we're tearing our hair out over this issue is that the Decentralized SSL Observatory (https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission) can't get copies of invalid TLS certificates that are sent to the user's browser unless the user clicks through the security dialog.

I filed bug 686135 for this.
I do not see the value of tracking this separately from bug 686134. Fully privileged addons can mess with server certificate authentication by design, while any reasonable model for lesser-privileged addons will not support it.
Status: NEW → RESOLVED
Closed: 14 years ago
No longer depends on: 686134
Resolution: --- → DUPLICATE
Whiteboard: [sg:moderate]