Follow


Well, I fixed the Addon-Problem with the
hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi
...and I had a look inside what it does... (adding an intermediate cert to certdb and reverify all addons)

So, does this mean every Addon can add any cert if it thinks this is funny? Isn't this another big security hole?

@robelix i imagine that’s one of the things the AMO extension verification process checking does

@Wolf480pl @vinnl
Well, if you do not trust Mozilla at all you should not run their software.

"Honest Achmed's Used Cars and Certificates" cannot simply add theirs to the certdb with an addon that pretends to do something completely diffrent.

@robelix @vinnl
In practice you're right, hence /s

Still, it feels weird...
Before, I thought it's a 3 party model:
1. distro provides Firefox in a distro-signed package, which contains AMO CA cert
2. AMO publishes addons
3. user gets Ffox from distro and addons from AMO, verifying signatures attached to the addons

But now there 4th party:
4. Mozilla delivers a special kind of addon that bypasses checks in (3), is signed with different key, and provides cert for verifying (3).

@robelix @vinnl
If the intermediate cert is really intermediate, i.e. not a root of trust, then it should be bundled with every addon on AMO (like you bundle LetsEncrypt intermediate cert with your website's cert if you run your own webserver), and verified by some long-lasting root cert hardcoded in Firefox.

And if it's not an intermediate cert, but a root of trust, then updating it should be done either by distro, or by the user.

Sign in to participate in the conversation
chaos.social

chaos.social - because anarchy is much more fun with friends.
chaos.social is a small Mastodon instance for and by the Chaos community surrounding the Chaos Computer Club. We provide a small community space - Be excellent to each other, and have a look at what that means around here.
Follow @ordnung for low-traffic instance-related updates.
The primary instance languages are German and English.