Closed Bug 787874 Opened 12 years ago Closed 5 years ago

Warn or work around addon update check issues when security software messes with SSL certs

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INACTIVE

People

(Reporter: Unfocused, Unassigned)

References

Details

Some security software inspects SSL traffic - they do this by installing their own certificate and acting as an intercepting proxy (basically, a legitimate MiTM). eg, ESET was doing this and causing bug 785893. This is a little worrying because it trips our certificate checks for addon update checks (including hotfix updates), causing addon updates to fail - which will include security fixes. I'm wondering if we can detect the (legitimate) common cases of this, and warn the user. Or just accept the certificate, assuming we are *sure* its ok to do so.
Currently app update checks are even more strict and will get blocked in the same way by this. The security team want this for add-on update checks too (bug 643461) and we already have it implemented for the hotfix add-on. I'm not sure that working around it is a good idea, but warning seems reasonable. I imagine if you're getting the same CA for multiple websites then that is a bad sign, perhaps.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.