Closed Bug 1344888 Opened 7 years ago Closed 7 years ago

Certificate management functionality

Categories

(WebExtensions :: General, defect)

Product:
WebExtensions
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: fdsc, Unassigned)

References

Details

(Whiteboard: [advisory-group]) 

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

Now extensions can manage certificates (root certificates and other certificates).


Actual results:

I don't see functions for managing certificates in WE


Expected results:

WE must contain the certificate management functionality: reading certificate (full info) from database, reading their default state, read and modify their current trust.
Summary: add to WE the certificate management functionality → Certificate management functionality
Whiteboard: [advisory-group]
Blocks: webextensions-additional-apis
Dan, we've marked this is as advisory group, but I can guess that is something we'd like just say no to. I think there's been other bugs on this that we've won't fixed, but I can't find them. Any feedback appreciated.
Flags: needinfo?(dveditz)
Certificate management can be done in different ways, for example at the OS level. Whilst the UI for this in Firefox isn't great, adding in an API into Firefox has a large security surface. The risk here seems too great and the value too small.

It seems something like bug 1322748 would allow extensions to examine the certificates on request would seem useful.

If there's any disagreement on that dveditz, please let me know.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
(In reply to Andy McKay [:andym] from comment #3)
> Certificate management can be done in different ways, for example at the OS level.

Firefox doesn't use the OS certificate store, all certificate management needs to be done through Firefox/NSS.

> Whilst the UI for this in Firefox isn't great, adding in an API into
> Firefox has a large security surface. The risk here seems too great and the
> value too small.

The existing add-ons related to this functionality have very small audiences so it's hard to argue with that (even though I use some of them).

> It seems something like bug 1322748 would allow extensions to examine the
> certificates on request would seem useful.

Certificate Patrol, one of the most popular at 11,000 users, could probably be implemented using something like that.
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #4)
> (In reply to Andy McKay [:andym] from comment #3)
> > Certificate management can be done in different ways, for example at the OS level.
> 
> Firefox doesn't use the OS certificate store, all certificate management
> needs to be done through Firefox/NSS.

My mistake, I thought on Windows though you had access to the Windows Certificate store. I probably mis-remembered this blog post: https://mike.kaply.com/2016/09/01/upcoming-changes-to-root-certificates-in-firefox-on-windows/
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.