I am seeking input on this proposal: Work is underway to allow Firefox add-ons to read certificate information via WebExtensions APIs [1]. It has also been proposed [2] that the WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to change or ignore the normal results of certificate validation.
This capability existed in the legacy Firefox extension system that was deprecated last year. It was used to implement stricter security mechanisms (e.g. CertPatrol) and to experiment with new mechanisms such as Certificate Transparency and DANE. When used to override a certificate validation failure, this is a dangerous capability, and it’s not clear that requiring a user to grant permission to the add-on is adequate protection. One solution that has been proposed [4] is to allow an add-on to affect the connection but not the certificate UI. In other words, when a validation failure is overridden, the page will load but the nav bar will still display it as a failure. I would appreciate your constructive feedback on this decision. Should this capability be added to the Firefox WebExtensions APIs? - Wayne [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1322748 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1435951 [3] https://mail.mozilla.org/pipermail/dev-addons/2018-February/003629.html [4] https://mail.mozilla.org/pipermail/dev-addons/2018-February/003641.html _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
