Well, I fixed the Addon-Problem with the
...and I had a look inside what it does... (adding an intermediate cert to certdb and reverify all addons)

So, does this mean every Addon can add any cert if it thinks this is funny? Isn't this another big security hole?

@robelix i imagine that’s one of the things the AMO extension verification process checking does

@Wolf480pl @vinnl
Well, if you do not trust Mozilla at all you should not run their software.

"Honest Achmed's Used Cars and Certificates" cannot simply add theirs to the certdb with an addon that pretends to do something completely diffrent.

@robelix @vinnl
In practice you're right, hence /s

Still, it feels weird...
Before, I thought it's a 3 party model:
1. distro provides Firefox in a distro-signed package, which contains AMO CA cert
2. AMO publishes addons
3. user gets Ffox from distro and addons from AMO, verifying signatures attached to the addons

But now there 4th party:
4. Mozilla delivers a special kind of addon that bypasses checks in (3), is signed with different key, and provides cert for verifying (3).

@robelix @vinnl
If the intermediate cert is really intermediate, i.e. not a root of trust, then it should be bundled with every addon on AMO (like you bundle LetsEncrypt intermediate cert with your website's cert if you run your own webserver), and verified by some long-lasting root cert hardcoded in Firefox.

And if it's not an intermediate cert, but a root of trust, then updating it should be done either by distro, or by the user.

Sign in to participate in the conversation – a Fediverse instance for & by the Chaos community