Warn or work around addon update check issues when security software messes with SSL certs

NEW
Unassigned

Status


defect
7 years ago
a year ago

People

(Reporter: Unfocused, Unassigned)

Tracking

Trunk

Some security software inspects SSL traffic - they do this by installing their own certificate and acting as an intercepting proxy (basically, a legitimate MiTM). E.g., ESET was doing this and causing bug 785893.

This is a little worrying because it trips our certificate checks for addon update checks (including hotfix updates), causing addon updates to fail - which will include security fixes.

I'm wondering if we can detect the (legitimate) common cases of this, and warn the user. Or just accept the certificate, assuming we are *sure* it's OK to do so.
Currently app update checks are even more strict and will get blocked in the same way by this. The security team want this for add-on update checks too (bug 643461) and we already have it implemented for the hotfix add-on.

I'm not sure that working around it is a good idea, but warning seems reasonable. I imagine if you're getting the same CA for multiple websites then that is a bad sign, perhaps.
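
The heuristic suggested in the comments above (the same CA turning up for multiple websites), sketched as an added example that is not part of the original bug or of Firefox's code. The observation fields, the threshold and the sample hosts are assumptions constructed for illustration; the function only chooses between warning and failing, and never accepts the certificate.

```javascript
// Added example: field names, threshold and sample data are all constructed.
"use strict";

// Each observation is what a client saw at the top of the chain for one host:
//   host            - site contacted
//   rootFingerprint - hash of the chain's root certificate (placeholders here)
//   rootIsBuiltIn   - true if that root ships with the application, false if
//                     it was added to the local trust store afterwards
const MIN_OTHER_HOSTS = 2; // assumed threshold

function classifyUpdateCheck(observations, updateHost) {
  const update = observations.find((o) => o.host === updateHost);
  if (!update) return "no-data";
  if (update.rootIsBuiltIn) return "ok";

  // Distinct *other* hosts whose chains end at the same non-built-in root.
  const sameRootHosts = new Set(
    observations
      .filter((o) => o.host !== updateHost &&
                     !o.rootIsBuiltIn &&
                     o.rootFingerprint === update.rootFingerprint)
      .map((o) => o.host)
  );

  // One local root vouching for many unrelated sites points to an intercepting
  // proxy on this machine or network: warn, but still fail the update check.
  if (sameRootHosts.size >= MIN_OTHER_HOSTS) return "warn-interception";

  // Unexpected root seen only on the update host: fail without the
  // "security software" explanation.
  return "fail-untrusted";
}

// Constructed sample data (hostnames and fingerprints are placeholders).
const intercepted = [
  { host: "updates.example", rootFingerprint: "FP-LOCAL-AV", rootIsBuiltIn: false },
  { host: "mail.example",    rootFingerprint: "FP-LOCAL-AV", rootIsBuiltIn: false },
  { host: "news.example",    rootFingerprint: "FP-LOCAL-AV", rootIsBuiltIn: false },
];
const clean = [
  { host: "updates.example", rootFingerprint: "FP-PUBLIC-1", rootIsBuiltIn: true },
  { host: "mail.example",    rootFingerprint: "FP-PUBLIC-2", rootIsBuiltIn: true },
];
const singleHost = [
  { host: "updates.example", rootFingerprint: "FP-UNKNOWN",  rootIsBuiltIn: false },
  { host: "mail.example",    rootFingerprint: "FP-PUBLIC-2", rootIsBuiltIn: true },
];

console.log(classifyUpdateCheck(intercepted, "updates.example"));
```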