Closed Bug 892288 Opened 11 years ago Closed 10 years ago

Remove ability to trust user-added certificates for code signing

Categories

(Firefox for Android Graveyard :: Web Apps (PWAs), defect)

Product:
Firefox for Android Graveyard
Component:
Web Apps (PWAs)
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

I just found out that Android implemented the ability to install certificates, for example by clicking this link: http://www.cacert.org/certs/root.der.

The dialog box offers the user to trust the certificate for code signing. With the MOZ_B2G_CERTDATA hack, we aren't supposed to ever trust any certificate for code signing except the Mozilla Marketplace root certificate.

So, we need to change that dialog box so that it doesn't offer the ability to import certs for code signing. And, we need to somehow deal with existing user-added code signing certificates so that we don't trust them for code signing. And, we should probably prevent extensions from adding new code signing certificates.
This will be RESOLVED INVALID after bug 972201 is fixed.
Assignee: nobody → brian
Depends on: 972201
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.