Re: Hacking Firefox
Ian G wrote, On 2009-05-04 13:26: > On 4/5/09 22:04, Nelson Bolyard wrote: >> A very similar hack has already been done. It's a Firefox extension >> that (IIRC) silently installs some roots and shows the green bar for >> (some of) the certs that chain up to those roots. See it at >> https://addons.mozilla.org/en-US/firefox/addon/4828 > > Nice, I like it can I have one in red? > > I'm not sure why you call it a hack, I called it a hack only because Rick's original question described such a modification as a hack. I was replying using the terms he used. But I quite agree that that extension deserves a kinder word than "hack". It was really quite a feat. It included a DER decoder for certificates written in JavaScript. I was very impressed with that bit of code. > if the entire CA field operated this way, we wouldn't need to muck > around here and waste so much of our precious hacking time ;-) :-) -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Hacking Firefox
On 4/5/09 22:04, Nelson Bolyard wrote: A very similar hack has already been done. It's a Firefox extension that (IIRC) silently installs some roots and shows the green bar for (some of) the certs that chain up to those roots. See it at https://addons.mozilla.org/en-US/firefox/addon/4828 Nice, I like it can I have one in red? I'm not sure why you call it a hack, if the entire CA field operated this way, we wouldn't need to muck around here and waste so much of our precious hacking time ;-) iang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Hacking Firefox
On 2009-05-04 12:27, Andrews, Rick wrote: A customer asked this question, and I couldn't answer it. Let's say I'm a hacker with access to a public kiosk, and I want users of that kiosk to see the EV green toolbar when they use the kiosk to visit my hacked web site. My web site is configured with an SSL cert signed by my own root. I access the mozilla source code and use it to build my own version of Firefox. In that version, I add my root with the EV metadata. I suppose I'll also need to set up an OCSP responder to respond to Firefox's OCSP requests for my SSL cert, or just disable that check in my custom Firefox. I then install that version of Firefox on the kiosk. Now anyone using the kiosk to visit my web site will see the green toolbar. Are there any safeguards in place to prevent this hack from succeeding? A very similar hack has already been done. It's a Firefox extension that (IIRC) silently installs some roots and shows the green bar for (some of) the certs that chain up to those roots. See it at https://addons.mozilla.org/en-US/firefox/addon/4828 -Rick Andrews /Nelson -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Hacking Firefox
Unfortunately the [potential] problem is much bigger than that! A hacked browser and/or operating system can essentially screw the user in all ways possible for a computer. The green bar may lit all the time for example. I would personally be a bit cautious about opening company mail in a public computer because a hacked browser may steal it it. Anders - Original Message - From: "Andrews, Rick" To: Sent: Monday, May 04, 2009 21:27 Subject: Hacking Firefox A customer asked this question, and I couldn't answer it. Let's say I'm a hacker with access to a public kiosk, and I want users of that kiosk to see the EV green toolbar when they use the kiosk to visit my hacked web site. My web site is configured with an SSL cert signed by my own root. I access the mozilla source code and use it to build my own version of Firefox. In that version, I add my root with the EV metadata. I suppose I'll also need to set up an OCSP responder to respond to Firefox's OCSP requests for my SSL cert, or just disable that check in my custom Firefox. I then install that version of Firefox on the kiosk. Now anyone using the kiosk to visit my web site will see the green toolbar. Are there any safeguards in place to prevent this hack from succeeding? -Rick Andrews -- Rick Andrews __oPhone: 650-426-3401 VeriSign, Inc. _ \>,_ Fax: 650-426-5195 487 E. Middlefield Rd. ...(_)/ (_) URL: www.verisign.com Mountain View, CA 94043email: randr...@verisign.com -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Hacking Firefox
A customer asked this question, and I couldn't answer it. Let's say I'm a hacker with access to a public kiosk, and I want users of that kiosk to see the EV green toolbar when they use the kiosk to visit my hacked web site. My web site is configured with an SSL cert signed by my own root. I access the mozilla source code and use it to build my own version of Firefox. In that version, I add my root with the EV metadata. I suppose I'll also need to set up an OCSP responder to respond to Firefox's OCSP requests for my SSL cert, or just disable that check in my custom Firefox. I then install that version of Firefox on the kiosk. Now anyone using the kiosk to visit my web site will see the green toolbar. Are there any safeguards in place to prevent this hack from succeeding? -Rick Andrews -- Rick Andrews __oPhone: 650-426-3401 VeriSign, Inc. _ \>,_ Fax: 650-426-5195 487 E. Middlefield Rd. ...(_)/ (_) URL: www.verisign.com Mountain View, CA 94043email: randr...@verisign.com -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Fwd: Has any public CA ever had their certificate revoked?
On 05/04/2009 09:12 AM, Ian G: On 3/5/09 15:43, Eddy Nigg wrote: That's not entirely correct, legacy CAs which requested EV enabled had to go through the process as if they were new roots. See also the current thread of Verizon/Cybertrust. Ah! Well corrected. I did not know that. Are you serious? Is the stated CA undergoing a full review by Mozo? All at the same time? Errr...yes. I've asked Frank concerning this review and he confirmed it (as it appeared to me that those roots were taken over from Netscape). It's now to raise any concerns, complaining later will not help. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
