Giorgio Maone:
> Hello everybody,
Thank you for starting the discussion Giorgio.
> In
https://bugzilla.mozilla.org/show_bug.cgi?id=1322748#c4 David Keeler
> suggested to bring this issue up in a public forum in order to decide
> how and how much to expose of the nsISSLStatus interface and its
> dependencies to WebExtensions, considering that many Firefox add-ons use
> it either to provide enhanced security UIs or to enforce stricter
> security policies tailored on specific use cases.
My add-on "PubKeyPin" works with the raw certificates of the whole chain
for each network connection.
The preparsed values offered by nsISSLStatus and nsIX509Cert are used
and nsIASN1Sequence and nsIASN1Object must be utilized to access the not
directly provided parts of the certificates - for example the subject
public key info.
It would be nice, if the new API gives direct access to all values of
all certificates, that are used in each network connection.
[...]
> The most natural place to provide WebExtensions with this data is, IMHO,
> in webRequest.onBeforeSendHeaders or in an ad-hoc event (onConnect?)
> which needs anyway to be called before any HTTPS payload is actually
> exchanged on the wire.
>From a security point of view, the most important secure connections are
the ones initiated by the browser itself in the background (update
checks, blocklist request, safebrowsing list retrieval, file downloads,
...).
If they can't be controlled or evaluated, stricter security rules
implemented via add-ons for "minor" webrequests are "flawed" from the
beginning.
To be able to warn the user about something suspicious in the "browser
area" or to tighten the used security settings or allowed certificates,
I would like to have at least read access to these connections, too.
That is, if i'm correct, currently not possible with "webRequest".
> Personally (i.e. for the purposes of the Tails Download and Verify
> Extension which I maintain) I would be fine with a thin wrapper over
> nsISSLStatus and nsIX509Cert, but platform developers, security guys and
> other add-ons authors likely have different but hopefully reconcilable
> views on this matter, therefore I'm cross-posting to dev-platform,
> dev-security and dev-addons hoping for the best outcome.
Some things, not directly related to nsISSLStatus, that "PubKeyPin" and
possibly others need something equivalent for before thinking about
porting to WebExtensions are OS.File, nsICryptoHash or the
nsIDOMWindowUtils and nsIWebProgress.
> Cheers
All the best,
pubkeypin
--
OpenPGP Fingerprint
2003 8F71 6157 C7CC 13F6 355E B9AA 110C E8BC D29C