IMHO it should be possible to affect the connection and the UI. This would allow plug-ins for alternative certificate validation methods, such as Convergence (https://en.wikipedia.org/wiki/Convergence_%28SSL%29) / FreeSpeechMe (https://bit.namecoin.org/freespeechme.html).
While I agree that it is a potentially dangerous capability, a bad extension can already gain full access to a secure website's content. Possibly the UI could reflect that an extension has changed the normal validation result?

- jomo

On 27.2.18 17:20, Wayne Thayer via dev-security-policy wrote:
> I am seeking input on this proposal:
>
> Work is underway to allow Firefox add-ons to read certificate information via WebExtensions APIs [1]. It has also been proposed [2] that the WebExtensions APIs in Firefox be enhanced to allow a 3rd party add-on to change or ignore the normal results of certificate validation.
>
> This capability existed in the legacy Firefox extension system that was deprecated last year. It was used to implement stricter security mechanisms (e.g. CertPatrol) and to experiment with new mechanisms such as Certificate Transparency and DANE.
>
> When used to override a certificate validation failure, this is a dangerous capability, and it's not clear that requiring a user to grant permission to the add-on is adequate protection. One solution that has been proposed [4] is to allow an add-on to affect the connection but not the certificate UI. In other words, when a validation failure is overridden, the page will load but the nav bar will still display it as a failure.
>
> I would appreciate your constructive feedback on this decision. Should this capability be added to the Firefox WebExtensions APIs?
>
> - Wayne
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1322748
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1435951
> [3] https://mail.mozilla.org/pipermail/dev-addons/2018-February/003629.html
> [4] https://mail.mozilla.org/pipermail/dev-addons/2018-February/003641.html
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy