maildev@lists.thunderbird.net

Thunderbird email developers

Thunderbird AMO cert pinning

Andrei Hajdukewycz
Tue, Sep 26, 2017 1:35 AM

So today it was brought to my attention that Thunderbird might pin a
cert for addons.mozilla.org which would mean that TB won't install
add-ons from any other domain, even if there's a rewrite to some other
domain from addons.mozilla.org, or even if we change the prefs.

However, after some effort to build a test setup, I was able to, on TB
56.0b3, cleanly install an add-on from a thunderbird.net domain with no
prompts or errors via the in-client Add-ons panel, after just changing
the prefs to point to thunderbird.net instead of addons.mozilla.org.

I don't know if this is a bug, whether we never enabled the feature, or
whether changing the prefs automatically bypasses it.

If anyone knows anything about this, that would be helpful!

Ben Bucksch
Tue, Sep 26, 2017 2:12 AM

Andrei Hajdukewycz wrote on 26.09.17 03:35:

> So today it was brought to my attention that Thunderbird might pin a
> cert for addons.mozilla.org which would mean that TB won't install
> add-ons from any other domain, even if there's a rewrite to some other
> domain from addons.mozilla.org, or even if we change the prefs.
>
> However, after some effort to build a test setup, I was able to, on TB
> 56.0b3, cleanly install an add-on from a thunderbird.net domain with
> no prompts or errors via the in-client Add-ons panel, after just
> changing the prefs to point to thunderbird.net instead of
> addons.mozilla.org.
>
> I don't know if this is a bug, whether we never enabled the feature,
> or whether changing the prefs automatically bypasses it.
>
> If anyone knows anything about this, that would be helpful!

IIRC, the cert pinning as implemented by Firefox was pinning only the
CA, not the individual cert. So, if you're using the same CA for
thunderbird.net as AMO uses, it would work.

Search for "cert" in FF about:config and TB Prefs | Advanced | Config
Editor. When I do that, I only find cert pinning for updates, for
extension "hotfixes", and for media plugins. So, it appears to me that
there is no cert pinning for AMO.

But I don't know the extension client implementation. The source code
would be your information source.
