Closed Bug 787874 Opened 9 years ago Closed 2 years ago

Warn or work around addon update check issues when security software messes with SSL certs

Categories

(Toolkit :: Add-ons Manager, defect)

defect
Not set
normal


RESOLVED INACTIVE

People

(Reporter: Unfocused, Unassigned)

Some security software inspects SSL traffic - they do this by installing their own certificate and acting as an intercepting proxy (basically, a legitimate MiTM). E.g., ESET was doing this and causing bug 785893.

This is a little worrying because it trips our certificate checks for addon update checks (including hotfix updates), causing addon updates to fail - which will include security fixes.

I'm wondering if we can detect the (legitimate) common cases of this, and warn the user. Or just accept the certificate, assuming we are *sure* it's ok to do so.
Currently app update checks are even more strict and will get blocked in the same way by this. The security team want this for add-on update checks too (bug 643461) and we already have it implemented for the hotfix add-on.

I'm not sure that working around it is a good idea, but warning seems reasonable. I imagine if you're getting the same CA for multiple websites then that is a bad sign, perhaps.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INACTIVE
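
Added example, not part of the original bug and not Firefox code: a sketch of the "same CA for multiple websites" heuristic from the comments, used only to choose a warning message while the update check still fails. The function names, verdict strings, observation fields and the two-label site grouping are assumptions, and the sample data is constructed.

```javascript
// Constructed observations: one entry per TLS connection the client made.
// rootFingerprint values are placeholders, not real certificate hashes.
// rootIsBuiltIn: true if the chain ends in a root shipped with the application,
// false if it ends in a root added to the local trust store.
const SAMPLE = [
  { host: "versioncheck.addons.example", rootFingerprint: "AA:01", rootIsBuiltIn: false },
  { host: "updates.app.example", rootFingerprint: "AA:01", rootIsBuiltIn: false },
  { host: "www.news.example", rootFingerprint: "AA:01", rootIsBuiltIn: false },
  { host: "mail.other.example", rootFingerprint: "BB:02", rootIsBuiltIn: true },
];

// Simplification (assumption): treat the last two labels as the "site".
// A real implementation would use the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Returns { verdict, root, sites }:
//   "ok"                  every chain ends in a built-in root
//   "warn-tls-inspection" one locally added root anchors >= minSites unrelated
//                         sites, the pattern an intercepting proxy produces
//   "untrusted-root"      a non-built-in root was seen, but not widely enough
// In both non-"ok" cases the update check is still rejected; the verdict only
// decides whether the user is told that local security software is the cause.
function classifyUpdateFailure(observations, minSites = 3) {
  const sitesByRoot = new Map();
  for (const o of observations) {
    if (o.rootIsBuiltIn) continue;
    const sites = sitesByRoot.get(o.rootFingerprint) || new Set();
    sites.add(siteOf(o.host));
    sitesByRoot.set(o.rootFingerprint, sites);
  }
  if (sitesByRoot.size === 0) return { verdict: "ok", root: null, sites: [] };

  // Pick the locally added root that covers the most distinct sites.
  let best = null;
  for (const [root, sites] of sitesByRoot) {
    if (!best || sites.size > best.sites.length) {
      best = { root, sites: [...sites].sort() };
    }
  }
  const verdict = best.sites.length >= minSites ? "warn-tls-inspection" : "untrusted-root";
  return { verdict, root: best.root, sites: best.sites };
}
```
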